
CSPFA Remote Lab
Instructor Guide 2.0
Table of Contents
NETWORK TOPOLOGY 2
Remote Lab Description 2
Local Classroom Description 2
CLASSROOM SETUP 4
Equipment List 4
Physical Connections 5
Initial student PC Configuration 5
Classroom Router Configuration 6
REMOTE LAB SETUP 8
Establishing and Testing Connectivity to the Remote Lab 8
Telneting to the Remote Terminal Server 9
PIX Initial Configurations 10
Router Initial Configurations 10
Turning Secondary PIXen On and Off 12
CSPFA LAB SETTINGS AND CHANGES 17
Peer Pods 17
Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands 17
Chapter 6—Configuring Access Through the PIX Firewall 18
Chapter 7—Configure Inside Multiple Interfaces 18
Chapter 8—Configure the PIX Firewall’s DHCP Server and Client Features 19
Chapter 9—Configuring Syslog 20
Chapter 10—Configure ACLs in the PIX Firewall 20
Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall 21
Chapter 12—Configure the PIX Firewall to Use IDS Signatures 21
Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT 22
Chapter 14—Failover 23
Chapter 15—Configure PIX Firewall VPNs 24
Chapter 16—Upgrade the PIX Firewall Image 26
Chapter 17—Configuring the PIX Firewall with PDM 27
Chapter 18—Configure CBAC on a Cisco Router 28
Chapter 19—Configure Authentication Proxy on a Cisco Router 29
2 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc.
Network Topology
The following is the network topology diagram for the CSPFA remote lab.
[Figure: CSPFA Remote Lab network topology. CLASSROOM: student pods 1 through 10 on 10.1.1.X through 10.1.10.X and 172.27.27.1 through 172.27.27.10 behind the classroom router RL-LCL, connected across the Internet to RL-PIX-CSPFA. REMOTE LAB: RL-PIX-CSPFA, RL-RMT-CSPFA, RL-RBB-CSPFA, RL-RMT1-CSPFA, RL-RMT2-CSPFA and the terminal server RL-RTS-CSPFA interconnected over 10.90.90.0, 10.91.91.0, 10.92.92.0, 10.93.93.0 and 172.26.26.0 (RL-RTS-CSPFA reachable at .100 and .150); per-pod networks 192.168.P.0, 10.0.P.0, 172.30.P.0, 172.16.P.0 and 172.17.P.0 with pod router rP and PIX units pPp and pPs; CSACS and DHCP servers at .10, WEB/FTP server at .50.]
Remote Lab Description
The remote lab is accessed from the Internet through a PIX firewall, RL-PIX-CSPFA.
The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSPFA.
RL-PIX-CSPFA forwards all traffic to a router, RL-RMT-CSPFA, which routes traffic
based on the source IP address to one of three routers, RL-RMT1-CSPFA,
RL-RMT2-CSPFA, or RL-RTS-CSPFA. These routers perform network address
translation (NAT) on the IP addresses and route the traffic to the appropriate
student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000
Server and all the required applications used in the labs. Another PC running
Windows 2000 Server is the CA server. All PCs are directly connected to a
Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If using
a Cisco FastHub 400, a Cisco 2611 router is connected to the hub. If using Cisco
Aironet, the Aironet access point is connected to the Cisco 2611 router. In
either case, the other interface of the Cisco 2611 router is connected to an
Internet-accessible network.
Note THE CLASSROOM ROUTER WILL BE INITIATING THE IPSEC VPN TUNNEL.
UDP PORT 500 (ISAKMP) AND IP PROTOCOL 50 (ESP) TRAFFIC MUST BE
ALLOWED BY THE FIREWALL AT THE CLASSROOM LOCATION. SEE
CLASSROOM ROUTER CONFIGURATION LATER IN THIS DOCUMENT.
Classroom Setup
This section covers the list of equipment and their physical connections as well as
the configuration of student PCs and the classroom router that the Cisco Learning
Partner will be required to perform when teaching this course.
Equipment List
DESCRIPTION | MFR | PART NO. | QTY. | LIST PRICE/EACH
Student Laptop/PC and CA Server | (varies) | | 11 | (varies)
• Windows 2000 Server | Microsoft | | 11 | (varies)
• Internet Explorer 5.5 | Microsoft | | 11 | (varies)
• Internet Information Services 5.0 | Microsoft | | 11 | (varies)
• Pentium III 800 MHz (or better) | Intel | | 11 | (varies)
• 256 MB RAM (or better) | (varies) | | 11 | (varies)
• 8 GB Hard Drive (or better), NTFS partitioned | (varies) | | 11 | (varies)
• CD-ROM/Floppy Drive | (varies) | | 11 | (varies)
• Aironet Adapter or 10/100 Ethernet NIC | (varies) | | 11 | (varies)
350 Series PC Card w/Integrated Diversity Antenna, 128-bit WEP | Cisco | AIR-PCM352 | 11 | 199
340 Series 11Mbps DSSS AP w/128-bit WEP and 2 Int. Ant. | Cisco | AIR-AP342E2C | 1 | 799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater | Cisco | WS-C412 | 1 | 895
Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software | Cisco | CISCO2611 | 1 | 2495
• IP SW 2600 SF26C - IP SOFTWARE | Cisco | IP SW 2600 SF26C | 1 | 0
• S26C-12205 Cisco 2600 Series IOS IP* | Cisco | S26C-12205T | 1 | 0
• 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-32U48D | 1 | 1000
• 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-8U16FS | 1 | 700
Note * The Cisco 2611 router may be purchased with any zero added cost image and be
later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can
be downloaded free of charge by Cisco Learning Partners through CCO.
Physical Connections
[Figure: Connections with Aironet. Student PCs 1 through 10 associate with the Aironet access point; the access point connects to ETHERNET 0/0 of the Cisco 2611, ETHERNET 0/1 connects to the Internet, and the CONSOLE port is used for local access.]
[Figure: Connections with Hub. Student PCs 1 through 10 connect to the FastHub 400 (ports 1X through 12X); the hub connects to ETHERNET 0/0 of the Cisco 2611, ETHERNET 0/1 connects to the Internet, and the CONSOLE port is used for local access.]
Initial student PC Configuration
IP ADDRESS 10.1.P.3
MASK 255.255.255.0
GATEWAY 10.1.P.1
Classroom Router Configuration
You will need the following parameters from Cisco’s ILSG lab administrator
before configuring the classroom router:
• RL-PIX-CSPFA IP ADDRESS (IPsec peer IP address)
• AUTHENTICATION KEY

Note The classroom router is configured to get a DHCP address, including a default
route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your
location, an IP address and default route must be configured manually.
RL-LCL-2611 Configuration
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
enable secret 5 <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
hash md5
authentication pre-share
group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSPFA IP ADDRESS>
set security-association lifetime seconds 86400

set transform-set RL-TRANS
set pfs group2
match address TO-RMT
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.2.1 255.255.255.0 secondary
ip address 10.1.3.1 255.255.255.0 secondary
ip address 10.1.4.1 255.255.255.0 secondary
ip address 10.1.5.1 255.255.255.0 secondary
ip address 10.1.6.1 255.255.255.0 secondary
ip address 10.1.7.1 255.255.255.0 secondary
ip address 10.1.8.1 255.255.255.0 secondary
ip address 10.1.9.1 255.255.255.0 secondary
ip address 10.1.10.1 255.255.255.0 secondary
ip address 172.27.27.100 255.255.255.0
no cdp enable
!
interface Ethernet0/1
ip address dhcp
no cdp enable
crypto map RL-MAP
!
ip classless
no ip http server
!
ip access-list extended TO-RMT
permit ip 10.1.0.0 0.0.255.255 any
permit ip 172.27.27.0 0.0.0.255 any

no cdp run
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
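The pieces of this configuration that have to agree with each other are easy to get wrong when a pod subnet is added or a peer address changes: every subnet on Ethernet0/0 must be matched by the crypto ACL TO-RMT or its traffic never enters the tunnel, the crypto map must be applied to the outside interface, and the map's peer must have a matching crypto isakmp key entry. The following Python script cross-checks those pieces mechanically. It is an added example, not Cisco's or the course's own tooling; it assumes the configuration is available as text (for example saved from show running-config), uses a constructed sample in the shape of the RL-LCL-2611 configuration, and substitutes the documentation address 192.0.2.10 for the RL-PIX-CSPFA placeholder.

```python
import ipaddress
import re

# Section headers that matter here; everything else in the config is skipped.
SECTION_RE = re.compile(r"^(?:interface (?P<iface>\S+)|crypto map (?P<cmap>\S+) \d+ ipsec-isakmp"
                        r"|ip access-list extended (?P<acl>\S+))$")
ISAKMP_KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: secondary)?$")
ACL_ENTRY_RE = re.compile(r"^(permit|deny) ip (.+)$")  # crypto ACLs use 'ip' entries

def _acl_addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" or tokens[1] == "0.0.0.0":  # 0.0.0.0 would be read as a /0 netmask
        host = tokens[1] if tokens[0] == "host" else tokens[0]
        return ipaddress.ip_network(host + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (a host mask) in the (address, mask) tuple form
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse_config(text):
    """Collect interfaces, crypto maps, extended ACLs and ISAKMP peers from config text.
    Indentation is ignored; a section ends at '!' or at the next known header."""
    cfg = {"interfaces": {}, "crypto_maps": {}, "acls": {}, "isakmp_peers": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        km = ISAKMP_KEY_RE.match(line)
        if m:
            kind = "interfaces" if m["iface"] else "crypto_maps" if m["cmap"] else "acls"
            name = m["iface"] or m["cmap"] or m["acl"]
            section = (kind, name)
            cfg[kind].setdefault(name, {"subnets": [], "crypto_map": None} if kind == "interfaces"
                                 else {"peer": None, "acl": None} if kind == "crypto_maps" else [])
        elif km:
            cfg["isakmp_peers"].add(km[1])
            section = None
        elif line == "!":
            section = None
        elif section is not None:
            kind, name = section
            entry = cfg[kind][name]
            am = IP_ADDR_RE.match(line)
            em = ACL_ENTRY_RE.match(line)
            if kind == "interfaces" and am:  # 'ip address dhcp' has no mask and is skipped
                entry["subnets"].append(ipaddress.ip_interface(f"{am[1]}/{am[2]}").network)
            elif kind == "interfaces" and line.startswith("crypto map "):
                entry["crypto_map"] = line.split()[2]
            elif kind == "crypto_maps" and line.startswith("set peer "):
                entry["peer"] = line.split()[2]
            elif kind == "crypto_maps" and line.startswith("match address "):
                entry["acl"] = line.split()[2]
            elif kind == "acls" and em:
                src, rest = _acl_addr(em[2].split())
                entry.append((em[1], src, _acl_addr(rest)[0]))
    return cfg

def check_config(cfg):
    """Return findings; an empty list means the crypto pieces agree with each other."""
    findings = []
    for name, cmap in cfg["crypto_maps"].items():
        applied = {i for i, d in cfg["interfaces"].items() if d["crypto_map"] == name}
        if not applied:
            findings.append(f"crypto map {name} is not applied to any interface")
        if cmap["peer"] not in cfg["isakmp_peers"]:
            findings.append(f"crypto map {name} peer {cmap['peer']} has no crypto isakmp key entry")
        permitted = [s for a, s, _ in cfg["acls"].get(cmap["acl"], []) if a == "permit"]
        # Subnets on interfaces that do not carry the map are the protected (inside) side.
        for if_name, data in cfg["interfaces"].items():
            for subnet in (data["subnets"] if if_name not in applied else []):
                if not any(s.supernet_of(subnet) for s in permitted):
                    findings.append(f"{if_name} subnet {subnet} is not matched by crypto ACL "
                                    f"{cmap['acl']}; its traffic will not enter the tunnel")
    return findings

# Constructed sample in the shape of the RL-LCL-2611 configuration (one pod subnet
# shown); 192.0.2.10 stands in for the RL-PIX-CSPFA address placeholder.
GOOD_CONFIG = """\
crypto isakmp key SAMPLEKEY address 192.0.2.10
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer 192.0.2.10
 match address TO-RMT
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 172.27.27.100 255.255.255.0
!
interface Ethernet0/1
 ip address dhcp
 crypto map RL-MAP
!
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
"""
# Same config with the 172.27.27.0/24 permit forgotten.
BROKEN_CONFIG = GOOD_CONFIG.replace(" permit ip 172.27.27.0 0.0.0.255 any\n", "")
```

Run check_config(parse_config(text)) on the saved configuration; for GOOD_CONFIG it returns an empty list, for BROKEN_CONFIG a single finding naming 172.27.27.0/24. The parser deliberately ignores indentation and unknown lines, so it works on the unindented listing above as well as on a real show running-config capture.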
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to
set up and test the lab devices before the beginning of class.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check ethernet link from RL-LCL-2611 to your Internet connection.
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1

Step 2 RL-LCL-2611> ping <RL-PIX-CSPFA IP ADDRESS>
If unsuccessful
• check default gateway setting on RL-LCL-2611:
RL-LCL-2611# show ip route


From the Pod 1 student PC:
Step 3 C:\> ping 10.1.1.1
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check ethernet link from RL-LCL-2611 to Aironet access point or hub.
• check IP address/netmask settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.

Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 9
Step 4 C:\> ping 10.90.90.1
This will initiate the VPN tunnel to the remote PIX. It will take a few ping tries
before the VPN tunnel is established and the ping is successful.
If unsuccessful
• ensure that you’ve given the router/PIX enough time to set up the VPN tunnel.
• check default gateway setting on the student PC.
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
• check the IPSEC settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSPFA IP ADDRESS>
• clear all security associations (SAs) on the RL-LCL-2611:
RL-LCL-2611# clear crypto sa

From each student PC (1 through 10)
Step 5 C:\> ping 10.0.P.100 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.

• check RL-LCL-2611 configuration.
Telneting to the Remote Terminal Server
Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION.
Telnet to RL-RTS-CSPFA:
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RTS-CSPFA>
For the Chapter 15 lab, Configure a Secure VPN Using IPSec Between a PIX Firewall
and a VPN Client, telnet to 172.26.26.150:
C:\> telnet 172.26.26.150
User Access Verification
Password: cisco
RL-RTS-CSPFA>


PIX Initial Configurations
The PIX firewalls are reset to their default configuration before each class. Check
that all pod PIX firewalls have been reset.
Note Pods 1 through 10 access their PIX from RL-RTS-CSPFA as follows:

RL-RTS-CSPFA> pPp (where P = pod number)
Translating "pPp"
Trying pPp (10.93.93.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#
To reset a PIX firewall:
pixP# write erase

Erase PIX configuration in flash memory? [confirm] <enter>
pixP# reload
Proceed with reload? [confirm] <enter>
Rebooting
Router Initial Configurations
The student routers should already be configured with the default configuration
before each class. Check that all student routers are configured.
Note Pods 1 through 10 access their router console from RL-RTS-CSPFA as follows:

RL-RTS-CSPFA> rP (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) Open
rP> enable
Password: cisco
rP#
Router Default Configuration
Note Remember to replace the Ps with the actual pod number.
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RL-RPCSPFA
!
no logging console
aaa new-model
aaa authentication login LOCAL line enable
enable password cisco

!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
ip address 10.0.P.2 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Ethernet0/1
ip address 172.30.P.2 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 172.30.0.0
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
line con 0
password cisco

login authentication LOCAL
transport input none
line aux 0
line vty 0 4
password cisco
!
no scheduler allocate
end
Turning Secondary PIXen On and Off
Note The secondary PIXen used for Chapter 14’s failover lab MUST be OFF at all times,
except when doing the lab. To turn them ON or OFF, you connect to manageable
power strips that control power to the secondary PIXen units.

Note Access the manageable power strip for Pods 1 through 8 from RL-RTS-CSPFA as
follows:

RL-RTS-CSPFA> apc1
Translating "apc1"
Trying sP (10.93.93.1, 2063) Open

User Name : instructor
Password : cisco

Access the manageable power strip for Pods 9 and 10 from RL-RTS-CSPFA as
follows:

RL-RTS-CSPFA> apc2
Translating "apc2"
Trying sP (10.93.93.1, 2064) Open


User Name : instructor
Password : cisco

TO TURN SECONDARY PIXEN OFF:
American Power Conversion Web/SNMP Management Card AOS v2.5.4
(c) Copyright 2000 All Rights Reserved MasterSwitch APP v2.1.0

Name : Unknown Date : 11/28/2001
Contact : Unknown Time : 10:08:53
Location : Unknown Up Time : 6 Days 22 Hours 38 Minutes
Status : P+ N+ A+ User : Outlet User

MasterSwitch : Serial Communication Established

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
1

Device Manager

1- P1S ON

2- P2S ON
3- P3S ON
4- P4S ON
5- P5S ON
6- P6S ON
7- P7S ON
8- P8S ON
9- ALL Accessible Outlets

<ESC>- Back, <ENTER>- Refresh
>
9 or 3 (enter 9 or 3 for ALL Accessible Outlets or select a specific PIX)

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: ON P1S Immediate Immediate 05 Seconds
2: ON P2S Immediate Immediate 05 Seconds
3: ON P3S Immediate Immediate 05 Seconds
4: ON P4S Immediate Immediate 05 Seconds
5: ON P5S Immediate Immediate 05 Seconds
6: ON P6S Immediate Immediate 05 Seconds
7: ON P7S Immediate Immediate 05 Seconds
8: ON P8S Immediate Immediate 05 Seconds

1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off

6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands

?- Help, <ESC>- Back, <ENTER>- Refresh
>
2

Immediate Off

Turn all outlets OFF immediately.

Enter 'YES' to continue or <ENTER> to cancel :
YES (enter YES exactly)
Command successfully issued.

Press <ENTER> to continue
<ENTER>

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: OFF P1S Immediate Immediate 05 Seconds
2: OFF P2S Immediate Immediate 05 Seconds
3: OFF P3S Immediate Immediate 05 Seconds
4: OFF P4S Immediate Immediate 05 Seconds
5: OFF P5S Immediate Immediate 05 Seconds


1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands

?- Help, <ESC>- Back, <ENTER>- Refresh
>
<ESC> (keep hitting <ESC> until you exit back to Control Console)

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
4

You are now in passthru mode.
TO TURN SECONDARY PIXEN ON:
American Power Conversion Web/SNMP Management Card AOS v2.5.4
(c) Copyright 2000 All Rights Reserved MasterSwitch APP v2.1.0


Name : Unknown Date : 11/28/2001
Contact : Unknown Time : 10:03:33
Location : Unknown Up Time : 6 Days 22 Hours 33 Minutes
Status : P+ N+ A+ User : Outlet User

MasterSwitch : Serial Communication Established

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
1

Device Manager

1- P1S OFF
2- P2S OFF
3- P3S OFF
4- P4S OFF
5- P5S OFF
6- P6S OFF
7- P7S OFF
8- P8S OFF
9- ALL Accessible Outlets


<ESC>- Back, <ENTER>- Refresh
>
9 or 3 (enter 9 or 3 for ALL Accessible Outlets or select a specific PIX)

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: OFF P1S Immediate Immediate 05 Seconds
2: OFF P2S Immediate Immediate 05 Seconds
3: OFF P3S Immediate Immediate 05 Seconds
4: OFF P4S Immediate Immediate 05 Seconds
5: OFF P5S Immediate Immediate 05 Seconds
6: ON P6S Immediate Immediate 05 Seconds
7: ON P7S Immediate Immediate 05 Seconds
8: ON P8S Immediate Immediate 05 Seconds

1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On
5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands

?- Help, <ESC>- Back, <ENTER>- Refresh
>
1



Immediate On

Turn all outlets ON immediately.

Enter 'YES' to continue or <ENTER> to cancel :
YES (enter YES exactly)
Command successfully issued.

Press <ENTER> to continue
<ENTER>

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: ON P1S Immediate Immediate 05 Seconds
2: ON P2S Immediate Immediate 05 Seconds
3: ON P3S Immediate Immediate 05 Seconds
4: ON P4S Immediate Immediate 05 Seconds
5: ON P5S Immediate Immediate 05 Seconds
6: ON P6S Immediate Immediate 05 Seconds
7: ON P7S Immediate Immediate 05 Seconds
8: ON P8S Immediate Immediate 05 Seconds

1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On

5- Delayed Off
6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands

?- Help, <ESC>- Back, <ENTER>- Refresh
>
<ESC> (keep hitting <ESC> until you exit back to Control Console)

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
4

You are now in passthru mode.
CSPFA Lab Settings and Changes
Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10
Peer Pods
The instructor must assign peer pods for labs that require pods to access each
other. Pods 1 through 5 can only be peered with a pod between 6 and 10:
POD 1, POD 2, POD 3, POD 4, POD 5 <==> POD 6, POD 7, POD 8, POD 9, POD 10
Chapter 5—Configure the PIX Firewall and Execute General
Maintenance Commands
[Figure: Chapter 5 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (web and FTP server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone web, FTP and TFTP server 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Chapter 6—Configuring Access Through the PIX Firewall
[Figure: Chapter 6 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (web and FTP server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone server (web, FTP and TFTP) 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Chapter 7—Configure Inside Multiple Interfaces
[Figure: Chapter 7 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (web and FTP server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone server (web, FTP and TFTP) 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Chapter 8—Configure the PIX Firewall’s DHCP Server and
Client Features
Configure the PIX Firewall’s DHCP Server Feature
THIS PORTION OF THE LAB CANNOT BE PERFORMED
Configure the PIX Firewall’s DHCP Client Feature
[Figure: Chapter 8 Lab Visual Objective (DHCP Client Feature). PIX outside interface on 192.168.P.0/24 acting as DHCP client (shown as .75, from the DHCP pool 192.168.P.75 to 192.168.P.99), perimeter router .1 toward the Internet; inside network 10.0.P.0/24; DMZ 172.16.P.0/24 with bastion host (web and FTP server) at .2; backbone server (DHCP, web, FTP and TFTP) at .50 on 172.26.26.0/24. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
SETTING FROM TO
Task 2 >>>>>>>>>>>>>>>>>> SKIP NOT REQUIRED
Chapter 9—Configuring Syslog
[Figure: Chapter 9 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (Syslog server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone server (web, FTP and TFTP) 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Chapter 10—Configure ACLs in the PIX Firewall
[Figure: Chapter 10 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (web and FTP server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone web, FTP and TFTP server 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Chapter 11—Configure and Test Advanced Protocol
Handling on the Cisco PIX Firewall
THIS LAB DOES NOT HAVE A VISUAL OBJECTIVE
SETTING          FROM                                              TO
Task 3, Step 8   If the FTP client is hung, press Ctrl+C until     The FTP client will hang up after entering “quit”.
                 you break back to the C:\ prompt.                 Close the Command Prompt window.
Chapter 12—Configure the PIX Firewall to Use IDS
Signatures
[Figure: Chapter 12 Lab Visual Objective. Pod perimeter router (.1 on 192.168.P.0/24) toward the Internet; PIX Firewall with e0 outside .2, e1 inside .1 and e2 dmz .1; inside host (Syslog server); bastion host (web and FTP server) at .2 on the DMZ 172.16.P.0/24; backbone web, FTP and TFTP server 172.26.26.50. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]

SETTING                       FROM     TO
Task 2, Step 6  packet size   65000    20000
Chapter 13—Configure AAA on the PIX Firewall Using
CSACS for Windows NT
[Figure: Chapter 13 Lab Visual Objective. Student workstation on 10.0.P.0 behind PIX e1 (inside .1); pod DMZ server (web or FTP) at .2 on 172.16.P.0 behind PIX e2 (.1); AAA server on the inside; PIX e0 (outside .2) on 192.168.P.0 with the perimeter router (.1) toward the Internet; backbone server (web, FTP, TFTP) at .50 on 172.26.26.0. P = your pod number; all netmasks = 255.255.255.0. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]

SETTING                                        FROM       TO
Task 1, Step 8  Windows NT Server IP Address   10.0.P.3   10.1.P.3
Chapter 14—Failover
[Figure: Chapter 14 Lab Visual Objective. Primary PIX Firewall (e0 .2 on 192.168.P.0/24 toward the Internet, e1 .1 on 10.0.P.0/24, e2 .1 on the DMZ 172.16.P.0/24, e3 .1 on 172.17.0.0/24) and Secondary PIX Firewall (e0 .7, e1 .7, e2 .7, e3 .7) joined by the failover cable; backbone server (web, FTP and TFTP) 172.26.26.50/24. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3.]
Note TURN SECONDARY PIX UNITS ON AT THE BEGINNING OF THE LAB.
SETTING FROM TO
Task 1, Step 10 >>>>>>>>>>>>>>>>>> SKIP NOT REQUIRED
Task 1, Step 11 >>>>>>>>>>>>>>>>>> SKIP NOT REQUIRED
Task 1, Step 12 >>>>>>>>>>>>>>>>>> SKIP NOT REQUIRED
Note TURN SECONDARY PIX UNITS OFF AT THE END OF THE LAB.
Chapter 15—Configure PIX Firewall VPNs
Configure a Secure VPN Gateway Using IPSec Between Two PIX
Firewalls
[Figure: Chapter 15 Lab Visual Objective (LAN-TO-LAN). Pod 1 (P) and Pod 2 (Q), each with a PIX Firewall (e0 Outside .2 on 192.168.P.0/24 or 192.168.Q.0/24, e1 Inside .1 on 10.0.P.0/24 or 10.0.Q.0/24), an NT server NTP or NTQ running Syslog, IIS, FTP and web, and a pod perimeter router (e0 .1, s0 172.30.P.2/24 or 172.30.Q.2/24) toward the Internet; Internet NT server (FTP, web) 172.26.26.50/24. Remote Access NAT: 10.1.P.3 ↔ 10.0.P.3 and 10.1.Q.3 ↔ 10.0.Q.3.]
Configure a Secure VPN Using IPSec Between a PIX Firewall and a VPN
Client
[Figure: Chapter 15 Lab Visual Objective (Client-to-LAN). Laptop PC with Cisco VPN Client on 172.26.26.P/24 reaches the pod across the Internet through the backbone router (e0/0, e0/1 .1, 172.26.26.100/24) and the pod perimeter router (.2 on 172.30.P.0/24); PIX Firewall e0 .2 on 192.168.P.0/24, e1 .1 on 10.0.P.0/24, e2 .1 on 172.16.P.0/24 with the bastion host at .2; inside AAA and web server 10.0.P.10; Internet NT server (FTP, web) 172.26.26.50/24. Remote Access NAT: 172.27.27.P ↔ 172.26.26.P.]

SETTING          FROM            TO
Task 1, Step 6   172.26.26.P     172.27.27.P
Task 1, Step 8   172.26.26.100   172.27.27.100
