
Document: CSVPN Remote Lab Instructor Guide 1.0 (pptx)


DOCUMENT INFORMATION

Basic information

Format: pptx
Pages: 26
Size: 378.85 KB



CSVPN Remote Lab

Instructor Guide 1.0

Table of Contents

REMOTE LAB TOPOLOGY
  Remote Lab Description
  Local Classroom Description

CLASSROOM SETUP
  Equipment List
  Physical Connections
  Initial Student PC Configuration
  Classroom Router Configuration

REMOTE LAB SETUP
  Establishing and Testing Connectivity to the Remote Lab
  Telneting to the Remote Terminal Server
  VPN Concentrator Initial Configurations
  Hardware Client Initial Configurations
  Router Initial Configurations
  PIX Initial Configurations

CSVPN INDIVIDUAL LAB SETTINGS AND CHANGES
  Peer Pods
  Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using Pre-Shared Keys
  Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates
  Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration
  Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access


Pre-Remote Lab Topology

The following is the network topology diagram for the CSVPN remote lab

© 2001, Cisco Systems, Inc www.cisco.com

[Topology diagram: only labels survive from the figure. Shown: CSACS/DHCP server, CA server, student pod networks 10.0.P.0 and 172.30.P.0 with host addresses .1, .2, .5 and .10, and the per-pod PIX (pP).]

Remote Lab Description

The remote lab is accessed via a PIX firewall, RL-PIX-CSVPN, which is reachable from the Internet. The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSVPN. RL-PIX-CSVPN forwards all traffic to a Cisco 2621 router, RL-RMT-CSVPN, which routes traffic based on the source IP address to one of two routers, RL-RMT1-CSVPN or RL-RMT2-CSVPN. These routers perform NAT and route the traffic to the appropriate student pod.

Local Classroom Description

The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the applications required by the labs. Another PC running Windows 2000 Server serves as the CA server. All PCs are either directly connected to a Cisco FastHub 400 or fitted with Cisco Aironet wireless cards. If using a Cisco FastHub 400, a Cisco 2611 router is connected to the hub; if using Cisco Aironet, the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet-accessible network.

Note: The classroom router initiates the IPsec VPN tunnel. UDP port 500 (ISAKMP) and IP protocol 50 (ESP) traffic must be allowed by the firewall at the classroom location. ESP is a bare IP protocol rather than a TCP or UDP port, so a classroom firewall that only filters by port, or that performs NAT on the router's outside address, needs explicit handling for protocol 50. See "Classroom Router Configuration" later in this document.

Classroom Setup

This section covers the list of equipment and their physical connections, as well as the configuration of the student PCs and the classroom router that the Cisco Learning Partner is required to perform when teaching this course.

Equipment List

DESCRIPTION | MFR | PART NO | QTY | LIST PRICE/EACH
Student Laptop/PC and CA Server | (varies) | | 11 | (varies)
  - Internet Information Services 5.0 | Microsoft | | 11 | (varies)
  - Pentium III 800 MHz (or better) | Intel | | 11 | (varies)
  - 8 GB Hard Drive (or better), NTFS partitioned | | | |
  - Aironet Adapter or 10/100 Ethernet NIC | (varies) | | 11 | (varies)
350 Series PC Card w/Integrated Diversity Antenna, 128-bit WEP | | | |
340 Series 11 Mbps DSSS AP w/128-bit WEP and 2 Int. Ant. | | | |
S26C-12205 Cisco 2600 Series IOS IP* | Cisco | S26C-12205T | 1 | 0
  - 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series | | | |


Physical Connections

[Diagram: Connections with Aironet. Cisco 2611 with ports Ethernet 0/0, Ethernet 0/1 and Console; one Ethernet interface connects to the Internet.]


Classroom Router Configuration

You will need the following parameters from Cisco's ILSG lab administrator before configuring the classroom router:

• RL-PIX-CSVPN IP ADDRESS (IPsec peer IP address)

• AUTHENTICATION KEY (ISAKMP pre-shared key)

Note: The classroom router is configured to obtain a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, a manually entered IP address and default route must be configured instead.

RL-LCL-2611 Configuration

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
! [the "crypto isakmp policy" header for the next two lines is missing from this extract]
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer <RL-PIX-CSVPN IP ADDRESS>
 set security-association lifetime seconds 86400
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
! [the TO-RMT access list referenced by the crypto map is not present in this extract]
!
interface Ethernet0/0
! [lines missing from this extract between here and "ip address dhcp"; per the note above, the DHCP address and the crypto map belong on the outside interface, Ethernet0/1]
 ip address dhcp
 no cdp enable
 crypto map RL-MAP
!
no cdp run
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 120E5619050A0F176B
 login
!
end
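The vty password above is stored as a "type 7" string because of `service password-encryption`. Type 7 is not encryption but a fixed-key XOR, so anyone who can read the configuration (a shared lab guide, a TFTP backup, a ticket attachment) recovers the password. The following Python is an added example, not part of the Cisco guide; it implements the published type-7 transform, recovers the string printed above, and scans a config for further type-7 lines. Passwords that must be protected belong in `enable secret` or type 8/9 hashes, and configurations containing type-7 strings should be treated as containing plaintext.

```python
import re

# Added example, not from the Cisco guide: the 53-byte XOR key that every
# IOS image uses for "type 7" (service password-encryption) strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: the first two decimal digits are the key
    offset, the rest is hex of (plaintext byte XOR key[offset + i])."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type-7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def encode_type7(plain: str, offset: int = 0) -> str:
    """Produce the string IOS would store; IOS chooses the offset (0-15) itself."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    data = plain.encode("latin-1")
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


# A line ending in "7 <hex>" is a type-7 value (e.g. "password 7 ...").
TYPE7_LINE = re.compile(r"\b7 ([0-9A-Fa-f]{4,})\s*$")


def find_type7(config: str) -> list[tuple[str, str]]:
    """Scan a running-config for type-7 password/key lines and decode each.
    Returns (stripped config line, recovered plaintext) pairs."""
    hits = []
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m and ("password" in line or "key" in line):
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


if __name__ == "__main__":
    # Constructed sample: the vty stanza as printed in the guide above.
    sample = "line vty 0 4\n password 7 120E5619050A0F176B\n login\n"
    for line, plain in find_type7(sample):
        print(f"{line!r} -> {plain!r}")
```

Running the scan over the vty stanza recovers the lab's vty password directly from the printed configuration; the round trip through `encode_type7` with offset 12 reproduces the exact string on the page, which is how one confirms the key table is correct.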


Remote Lab Setup

This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before the class begins.

Establishing and Testing Connectivity to the Remote Lab

Perform the following procedures to establish and test connectivity to the remote lab

From the console of your RL-LCL-2611 router:

Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>

If unsuccessful

• check physical Internet connectivity

• check ethernet link from RL-LCL-2611 to your Internet connection

• check IP address received from DHCP:

RL-LCL-2611# show ip interface brief ethernet0/1

Step 2 RL-LCL-2611> ping <RL-PIX-CSVPN IP ADDRESS>

• check Aironet link or ethernet link from the PC to Aironet access point or hub

• check ethernet link from RL-LCL-2611 to Aironet access point or hub

• check IP address/netmask settings on the student PC

• check Aironet configuration and range

• check RL-LCL-2611 configuration


Step 4 C:\> ping 10.90.90.1

This initiates the VPN tunnel to the remote PIX. It may take several ping attempts before the VPN tunnel is established and the ping succeeds.

If unsuccessful

• ensure that you have given the router and PIX enough time to set up the VPN tunnel

• check default gateway setting on the student PC

• check the ISAKMP settings on RL-LCL-2611:

crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>

• check the IPSEC settings on RL-LCL-2611:

crypto map RL-MAP 22 ipsec-isakmp

set peer <RL-PIX-CSVPN IP ADDRESS>

• clear all security associations (SAs) on the RL-LCL-2611:

RL-LCL-2611# clear crypto sa

From each student PC (1 through 5)

Step 5 C:\> ping 172.26.26.100 (remote terminal server)

If unsuccessful

• check Aironet link or ethernet link from the PC to Aironet access point or hub

• check IP address/netmask/default gateway settings on the student PC

• check Aironet configuration and range

• check RL-LCL-2611 configuration

From each student PC (6 through 10)

Step 6 C:\> ping 172.26.26.120 (remote terminal server)

If unsuccessful

• check Aironet link or ethernet link from the PC to Aironet access point or hub

• check IP address/netmask/default gateway settings on the student PC

• check Aironet configuration and range

• check RL-LCL-2611 configuration


Telneting to the Remote Terminal Server

Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION

Lab Chapters 5 through 8

For labs in chapters 5 through 7, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 172.26.26.100. Student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 172.26.26.120.

For chapter 8 labs only, all students telnet to 192.168.1PP.100 (where PP = two-digit pod number, i.e., 01, 02, ..., 10).

Lab Chapters 9 through 14

For labs in chapters 9 through 14, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 10.0.P.100. Student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 10.0.P.100.


VPN Concentrator Initial Configurations

The VPN concentrators are reset by the students as part of their lab activities. If you want, check that all VPN concentrators have been reset before the class.

Note: Pods 1 through 5 access their VPN concentrator console from RL-RMT1-CSVPN.

Pods 6 through 10 access their VPN concentrator console from RL-RMT2-CSVPN.

To reset a VPN concentrator:

Note: If you get the Quick configuration prompt for the system time or date parameters, the device has already been reset to factory defaults.

Main -> 2, Admin -> 3, Admin -> 2, Admin -> 3, Admin -> 2

Note: Do not attempt to log in at the first login prompt you see, as it takes several moments for the Cisco VPN 3000 Concentrator to complete the reboot. A login prompt appears when the reboot is complete.


Hardware Client Initial Configurations

The hardware clients are reset by the students as part of their lab activities. If you want, check that all hardware clients have been reset before the class.

Note: Pods 1 through 5 access their hardware client console from RL-RMT1-CSVPN.

Pods 6 through 10 access their hardware client console from RL-RMT2-CSVPN.

To reset a hardware client:

Note: If you get the Quick configuration prompt for the system time or date parameters, the device has already been reset to factory defaults.

Main -> 2, Admin -> 2, Admin -> 2, Admin -> 3, Admin -> 2

Note: Do not attempt to log in at the first login prompt you see, as it takes several moments for the Cisco VPN 3002 Hardware Client to complete the reboot. A login prompt appears when the reboot is complete.


Router Initial Configurations

The student routers should already be configured with a default configuration before each class. Check that all student routers are configured.

Note: Pods 1 through 5 access their router console from RL-RMT1-CSVPN as follows:

RL-RMT-CSVPN1> rP          (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) ... Open
rP> enable
Password: cisco
rP#

Pods 6 through 10 access their router console from RL-RMT2-CSVPN as follows:

RL-RMT-CSVPN2> rP          (where P = pod number)
Translating "rP"
Trying rP (10.92.92.1, 2033) ... Open
rP> enable
Password: cisco
rP#

Router Default Configuration

Note: Remember to replace the Ps with the actual pod number.

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
! [hostname and Ethernet0/0 configuration are missing from this extract]
interface Ethernet0/1
 ip address 172.30.P.2 255.255.255.0
 no ip directed-broadcast
!
router eigrp 1
 network 10.0.0.0
 network 172.30.0.0
!
line vty 0 4
 password cisco
 login
!
no scheduler allocate
end

PIX Initial Configurations

The student PIXen should already be configured with a default configuration before each class. Check that all student PIXen are configured.

Note: Pods 1 through 5 access their PIX console from RL-RMT1-CSVPN as follows:

RL-RMT-CSVPN1> pP          (where P = pod number)
Translating "pP"
Trying pP (10.91.91.1, 2033) ... Open
pixfirewall> enable
Password: <enter>
pixfirewall#

Pods 6 through 10 access their PIX console from RL-RMT2-CSVPN as follows:

RL-RMT-CSVPN2> pP          (where P = pod number)
Translating "pP"
Trying pP (10.92.92.1, 2033) ... Open
pixfirewall> enable
Password: <enter>
pixfirewall#

To reset a PIX firewall:

pixP# write erase
Erase PIX configuration in flash memory? [confirm] <enter>
pixP# reload
Proceed with reload? [confirm] <enter>
Rebooting...

PIX Default Configurations

Note: Paste the following after resetting the PIX. Remember to replace the Ps with the actual pod number. The global pool ends at 192.168.P.254 (the original printed 192.168.1.254, which for any pod other than 1 lies outside the pod's outside subnet). Note also that the static for 10.0.P.3 uses 192.168.P.10, the first address of the dynamic pool; in production a static's global address is kept out of any dynamic pool.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixP
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
no failover
arp timeout 14400
global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.P.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
clear xlate
exit
write memory
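The guide's "replace the Ps" instruction and the NAT statements above are easy to get wrong when ten pods are pasted by hand. The following Python is an added example, not from the Cisco guide: it renders the PIX template for one pod (handling the one-digit P octet, the two-digit PP octet used in chapter 8 addresses such as 192.168.1PP.100, and the pixP hostname) and then lints the result, checking that the global pool lies inside the outside interface's subnet with start below end, and that no static's global address falls inside a dynamic pool. Assumed: pods numbered 1 through 10 and the /24 outside subnet as printed.

```python
import ipaddress
import re

# Added example, not from the Cisco guide. The template is the PIX default
# configuration as printed above, with P left as the pod placeholder.
PIX_TEMPLATE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixP
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
no failover
arp timeout 14400
global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.P.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
"""


def render_for_pod(template: str, pod: int) -> str:
    """Apply the guide's 'replace the Ps' rule: PP inside an octet is the
    two-digit pod number (192.168.1PP.100 -> 192.168.103.100), a lone P
    between dots is the one-digit pod number, and pixP is the hostname."""
    if not 1 <= pod <= 10:
        raise ValueError("pods are numbered 1-10")
    out = re.sub(r"(?<=\d)PP(?![0-9A-Za-z])", f"{pod:02d}", template)
    out = re.sub(r"(?<=\.)P(?=\.)", str(pod), out)
    out = re.sub(r"(?<=pix)P\b", str(pod), out)
    return out


def lint_pix_nat(config: str) -> list[str]:
    """Check NAT statements against the outside interface subnet: a global
    pool must sit inside that subnet with start <= end, and a static's
    global address must not fall inside any dynamic pool."""
    findings: list[str] = []
    outside = None
    m = re.search(r"^ip address outside (\S+) (\S+)", config, re.M)
    if m:
        # ipaddress accepts a dotted netmask after the slash.
        outside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network

    pools = []
    for m in re.finditer(r"^global \((\w+)\) (\d+) ([\d.]+)-([\d.]+)", config, re.M):
        ifname, pool_id, start, end = m.groups()
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if b < a:
            findings.append(f"global pool {pool_id}: end {b} is below start {a}")
        if outside is not None and ifname == "outside":
            if a not in outside or b not in outside:
                findings.append(
                    f"global pool {pool_id}: {a}-{b} is not inside outside subnet {outside}")
        pools.append((pool_id, a, b))

    for m in re.finditer(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+)", config, re.M):
        _from_if, _to_if, gaddr, laddr = m.groups()
        g = ipaddress.ip_address(gaddr)
        if outside is not None and g not in outside:
            findings.append(f"static {g} for {laddr} is not inside outside subnet {outside}")
        for pool_id, a, b in pools:
            if a <= g <= b:
                findings.append(
                    f"static {g} for {laddr} overlaps global pool {pool_id} ({a}-{b})")
    return findings


if __name__ == "__main__":
    cfg = render_for_pod(PIX_TEMPLATE, 3)
    print(cfg)
    for finding in lint_pix_nat(cfg):
        print("FINDING:", finding)
```

On the printed template the linter reports exactly one finding per pod, the static/pool overlap at 192.168.P.10; substituting the originally printed pool end 192.168.1.254 adds two more (end below start, range outside the subnet), which is how the typo is caught before the config is pasted to ten firewalls.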

CSVPN Individual Lab Settings and Changes

Peer Pods

The instructor must assign peer pods for labs that require pods to access each other. Pods 1 through 5 can only be peered with a pod between 6 and 10:

POD 1, POD 2, POD 3, POD 4, POD 5  <==>  POD 6, POD 7, POD 8, POD 9, POD 10

Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using Pre-Shared Keys

[Chapter 5 Lab Visual Objective diagram: Perimeter router, Backbone router, Internet, VPN 3000 Concentrator, DHCP server, Laptop PC with Cisco VPN Client. Remote Access address 172.27.27.P, NAT to 172.26.26.P.]

Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Parameter | IP Address | Subnet Mask
VPN 3000 Public Interface | 192.168.P.5 | 255.255.255.0
VPN 3000 Private Interface | 10.0.P.5 | 255.255.255.0
Remote terminal server | Pods 1-5: 172.26.26.100; Pods 6-10: 172.26.26.120 |
Perimeter Router | 192.168.P.1 |
Backbone Router | 172.27.27.100 |

Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates

[Chapter 6 Lab Visual Objective diagram: Perimeter router, Backbone router, Internet, VPN 3000 Concentrator, DHCP server, CA server, Laptop PC with Cisco VPN Client. Remote Access addresses shown: 172.27.27.51 / 172.26.26.51 (NAT) and 172.27.27.P / 172.26.26.P (NAT).]

Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Parameter IP Address Subnet Mask


Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration

[Chapter 7 Lab Visual Objective diagram: Perimeter router, Backbone router, Internet, VPN 3000 Concentrator, NT and TACACS+ server, Laptop PC with Cisco VPN Client. Remote Access address 172.27.27.P, NAT to 172.26.26.P.]

Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Parameter | IP Address | Subnet Mask
Laptop Primary | 172.27.27.P |
VPN 3000 Public Interface | 192.168.P.5 |
Authentication Server | 10.0.P.10 |


Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access

[Chapter 8 Lab Visual Objective diagram: Perimeter router, Backbone router, Internet, VPN 3000 Concentrator, VPN 3002 Hardware Client. Addresses shown: 192.168.2PP.2, NAT to 192.168.1PP.2.]

Note P = ONE DIGIT POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

PP = TWO DIGIT POD NUMBER: 01, 02, 03, 04, 05, 06, 07, 08, 09, 10

Parameter | IP Address | Subnet Mask
Laptop primary (All tasks) | 192.168.2PP.2 | 255.255.255.0
VPN 3000 public interface | 192.168.P.5 | 255.255.255.0
VPN 3000 private interface | 10.0.P.5 | 255.255.255.0
VPN 3002 public interface | 172.26.26.1PP | 255.255.255.0
VPN 3002 private interface (Client mode) | 192.168.1PP.1 |
VPN 3002 private interface | 192.168.1PP.1 |


SETTING | FROM | TO
Task 1, Step 2 | 172.26.26.100 | 192.168.1PP.100
Task 11, Step 6 | 192.168.10.2 | 192.168.2PP.2
Task 11, Step 8 | 192.168.10.1 | 192.168.2PP.1
Task 12 | SKIP TASK |
Task 13, Steps 1-2 | Access the hardware client console from the remote terminal server at 192.168.1PP.100 |
Task 14 | BEFORE DOING THIS TASK, set the hardware client private interface IP address to 192.168.1PP.1. Use Task 19 to help you set the hardware client IP address. |
Task 14, Step 8, Sub-Step 3 | 172.26.26.P | 172.26.26.1PP
Task 14, Step 8, Sub-Step 5 | 172.26.26.100 | 172.26.26.99
Task 17, Step 1 | 10.0.P.5 | 192.168.P.5
Task 18, Steps 1-2 | Access the hardware client console from the remote terminal server at 192.168.1PP.100 |
Task 19, Step 2, Sub-Step 5 | 192.168.10.P0 | 192.168.1PP.1
Task 20, Step 2 | 192.168.10.P0 | 192.168.1PP.1
Task 20, Step 8, Sub-Step 3 | 172.26.26.P | 172.26.26.1PP
Task 20, Step 8, Sub-Step 5 | 172.26.26.100 | 172.26.26.99
Task 21 | SKIP TASK |
Task 23, Step 1 | 10.0.P.5 | 192.168.P.5

Posted: 18/01/2014, 05:20
