
CSVPN Remote Lab
Instructor Guide 1.0
Table of Contents
Remote Lab Topology
    Remote Lab Description
    Local Classroom Description
Classroom Setup
    Equipment List
    Physical Connections
    Initial Student PC Configuration
    Classroom Router Configuration
Remote Lab Setup
    Establishing and Testing Connectivity to the Remote Lab
    Telnetting to the Remote Terminal Server
    VPN Concentrator Initial Configurations
    Hardware Client Initial Configurations
    Router Initial Configurations
    PIX Initial Configurations
CSVPN Individual Lab Settings and Changes
    Peer Pods
    Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using Pre-Shared Keys
    Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates
    Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration
    Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access
    Chapter 9—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Pre-Shared Keys
    Chapter 10—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Digital Certificates
    Chapter 11—Configure Cisco IOS IPSec for Pre-Shared Keys
    Chapter 12—Configure Cisco IOS CA Support (RSA Signatures)
    Chapter 13—Configure PIX IPSec Pre-shared Keys
    Chapter 14—Configure PIX Firewall CA Support
2 CSVPN Remote Lab Instructor Guide 1.0 Copyright © 2001, Cisco Systems, Inc.
Remote Lab Topology
The following is the network topology diagram for the CSVPN remote lab.
[Topology diagram, summarised: the classroom (RL-LCL: student PCs 1 through 10 and the CA PC on a hub behind the classroom router) reaches the remote lab across the Internet through RL-PIX-CSVPN. Behind the PIX, network 10.90.90.0 leads to RL-RMT-CSVPN, which connects over 10.91.91.0 to RL-RMT1-CSVPN (pods 1-5, terminal server 172.26.26.100) and over 10.92.92.0 to RL-RMT2-CSVPN (pods 6-10, terminal server 172.26.26.120). Both sit on the remote backbone 172.26.26.0 together with RL-RBB-CSVPN, the CSACS and DHCP servers, a WEB/FTP server (.50) and the CA. Each pod P has a perimeter router pP (192.168.P.1), a VPN 3000 Concentrator vP (public 192.168.P.5, private 10.0.P.5), a PIX Firewall (outside 192.168.P.2, inside 10.0.P.1), a router rP (10.0.P.2 and 172.30.P.2), and a VPN 3002 Hardware Client cP (public 172.26.26.1PP, private 192.168.1PP.1) with its terminal server reachable at 192.168.1PP.100.]
Remote Lab Description
The remote lab is accessed through a PIX Firewall, RL-PIX-CSVPN, which is reachable from the Internet. The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSVPN. RL-PIX-CSVPN forwards all traffic to a Cisco 2621 router, RL-RMT-CSVPN, which routes traffic based on the source IP address to one of two routers, RL-RMT1-CSVPN or RL-RMT2-CSVPN. These routers perform IP address translation (NAT) and route the traffic to the appropriate student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the applications required by the labs. Another PC running Windows 2000 Server is the CA server. All PCs are either directly connected to a Cisco FastHub 400 or fitted with Cisco Aironet wireless cards. If a Cisco FastHub 400 is used, a Cisco 2611 router is connected to the hub; if Aironet is used, the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet-accessible network.
Note that the IPsec tunnel starts at the 2611: traffic between the student PCs and the classroom router crosses the classroom LAN or WLAN in the clear, and 128-bit WEP should not be relied on for confidentiality of that segment.
Note The classroom router initiates the IPsec VPN tunnel. UDP port 500 (ISAKMP) and IP protocol 50 (ESP) traffic must be allowed by the firewall at the classroom location; see Classroom Router Configuration later in this document. ESP is neither TCP nor UDP and does not survive port address translation, so the address the classroom router obtains on its outside interface must be reachable by RL-PIX-CSVPN as an IPsec peer (a public address, or a one-to-one translation that passes protocol 50).
Classroom Setup
This section lists the equipment and its physical connections, and covers the configuration of the student PCs and of the classroom router that the Cisco Learning Partner must perform when teaching this course.
Equipment List
Description                                                              Mfr.       Part No.           Qty.  List price/each
Student laptop/PC and CA server                                          (varies)   (varies)           11    (varies)
  - Windows 2000 Server                                                  Microsoft                     11    (varies)
  - Internet Explorer 5.5                                                Microsoft                     11    (varies)
  - Internet Information Services 5.0                                    Microsoft                     11    (varies)
  - Pentium III 800 MHz (or better)                                      Intel                         11    (varies)
  - 256 MB RAM (or better)                                               (varies)                      11    (varies)
  - 8 GB hard drive (or better), NTFS partitioned                        (varies)                      11    (varies)
  - CD-ROM/floppy drive                                                  (varies)                      11    (varies)
  - Aironet adapter or 10/100 Ethernet NIC                               (varies)                      11    (varies)
350 Series PC Card w/ integrated diversity antenna, 128-bit WEP          Cisco      AIR-PCM352         11    199
340 Series 11 Mbps DSSS AP w/ 128-bit WEP and 2 int. ant.                Cisco      AIR-AP342E2C       1     799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater   Cisco      WS-C412            1     895
Cisco 2611: dual Ethernet modular router w/ Cisco IOS IP software        Cisco      CISCO2611          1     2495
  - IP SW 2600 SF26C, IP software                                        Cisco      IP SW 2600 SF26C   1     0
  - S26C-12205 Cisco 2600 Series IOS IP*                                 Cisco      S26C-12205T        1     0
  - 32- to 48-MB DRAM factory upgrade for the Cisco 2600 Series          Cisco      MEM2600-32U48D     1     1000
  - 8- to 16-MB Flash factory upgrade for the Cisco 2600 Series          Cisco      MEM2600-8U16FS     1     700
Note * The Cisco 2611 router may be purchased with any zero-added-cost image and later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which Cisco Learning Partners can download free of charge through CCO.
Physical Connections
[Diagram "Connections with Aironet": student PCs 1 through 10 and the CA PC associate with the Aironet access point; the access point connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 of the 2611 connects to the Internet; the console port is used for local management.]
[Diagram "Connections with Hub": student PCs 1 through 10 and the CA PC connect to ports 1X through 12X of the FastHub 400; the hub connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 of the 2611 connects to the Internet; the console port is used for local management.]
Initial Student PC Configuration
IP address   172.27.27.P     (P = pod number; the CA server PC uses 172.27.27.51, see Chapter 6)
Mask         255.255.255.0
Gateway      172.27.27.100
Classroom Router Configuration
You will need the following parameters from Cisco's ILSG lab administrator before configuring the classroom router:
• RL-PIX-CSVPN IP address (IPsec peer IP address)
• Authentication key (the ISAKMP pre-shared key)
Note The classroom router is configured to obtain a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, a manually entered IP address and default route must be configured instead.
RL-LCL-2611 Configuration
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
! Enter the enable secret in clear text; IOS hashes it itself. (A "5"
! keyword before the value would make IOS expect an already-hashed string.)
enable secret <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
! Phase 1 (ISAKMP) policy. There is no "encryption" line, so this policy
! negotiates the IOS default (DES). The peer RL-PIX-CSVPN must offer a
! matching proposal, so do not change it without the ILSG lab administrator.
crypto isakmp policy 11
hash md5
authentication pre-share
group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
!
! Phase 2 (IPsec) transform: ESP with 3DES and MD5-HMAC.
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSVPN IP ADDRESS>
set security-association lifetime seconds 86400
set transform-set RL-TRANS
set pfs group2
match address TO-RMT
!
! Inside interface: the student PC network 172.27.27.0/24 as primary, plus
! one secondary per pod for the laptop addresses used in chapters 8 through
! 14 (10.1.P.0/24 and 192.168.2PP.0/24).
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.2.1 255.255.255.0 secondary
ip address 10.1.3.1 255.255.255.0 secondary
ip address 10.1.4.1 255.255.255.0 secondary
ip address 10.1.5.1 255.255.255.0 secondary
ip address 10.1.6.1 255.255.255.0 secondary
ip address 10.1.7.1 255.255.255.0 secondary
ip address 10.1.8.1 255.255.255.0 secondary
ip address 10.1.9.1 255.255.255.0 secondary
ip address 10.1.10.1 255.255.255.0 secondary
ip address 192.168.201.1 255.255.255.0 secondary
ip address 192.168.202.1 255.255.255.0 secondary
ip address 192.168.203.1 255.255.255.0 secondary
ip address 192.168.204.1 255.255.255.0 secondary
ip address 192.168.205.1 255.255.255.0 secondary
ip address 192.168.206.1 255.255.255.0 secondary
ip address 192.168.207.1 255.255.255.0 secondary
ip address 192.168.208.1 255.255.255.0 secondary
ip address 192.168.209.1 255.255.255.0 secondary
ip address 192.168.210.1 255.255.255.0 secondary
ip address 172.27.27.100 255.255.255.0
no cdp enable
!
! Outside interface: address and default route from DHCP; the crypto map
! is applied here, so only traffic leaving this interface is encrypted.
interface Ethernet0/1
ip address dhcp
no cdp enable
crypto map RL-MAP
!
ip classless
no ip http server
!
! Interesting traffic: everything from the classroom networks, to any
! destination, goes through the tunnel.
ip access-list extended TO-RMT
permit ip 10.1.0.0 0.0.255.255 any
permit ip 172.27.27.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 120E5619050A0F176B
login
!
end
Note The vty password above is stored with type 7 encoding, which only obscures the value and is trivially reversible; treat the printed string as public and set your own with "password <VTY PASSWORD>" under "line vty 0 4" (service password-encryption re-encodes it on save).
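An added consistency check for the configuration above (example code written for this page, not part of the Cisco instructor guide): it parses an IOS running-config into sections and verifies the pieces that must line up for the tunnel to come up: the ISAKMP policy is complete and has a pre-shared key for the peer, the crypto map references a defined transform set and crypto ACL, that ACL covers the student PC network, and the map is actually applied to an interface. The embedded config is the template above with a hypothetical peer address (203.0.113.10) and key; the finding it reports on that template is the implicit DES encryption noted in the comments.

```python
"""Sanity checks for the RL-LCL-2611 crypto configuration.

Added example (not from the Cisco instructor guide). Parses an IOS
running-config and checks that the ISAKMP policy, pre-shared key, transform
set, crypto ACL and crypto map are consistent with each other.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the guide's RL-LCL-2611 template with a hypothetical
# peer address and key filled in (lines indented as IOS prints them).
SAMPLE_CONFIG = """\
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key labkey123 address 203.0.113.10
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer 203.0.113.10
 set security-association lifetime seconds 86400
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
!
interface Ethernet0/0
 ip address 172.27.27.100 255.255.255.0
 no cdp enable
!
interface Ethernet0/1
 ip address dhcp
 no cdp enable
 crypto map RL-MAP
!
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
"""

def parse_sections(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (e.g. 0.0.0.255) -> IPv4Network."""
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def lint(config, student_net="172.27.27.0/24"):
    """Return a list of findings; an empty list means the config is consistent."""
    s = parse_sections(config)
    findings = []

    policies = [k for k in s if k.startswith("crypto isakmp policy")]
    if not policies:
        findings.append("no ISAKMP policy defined")
    keys = [k for k in s if k.startswith("crypto isakmp key")]
    for p in policies:
        if not any(ln.startswith("encr") for ln in s[p]):
            findings.append(f"{p}: no encryption line, negotiates IOS default (DES)")
        if "authentication pre-share" in s[p] and not keys:
            findings.append(f"{p}: pre-share authentication but no 'crypto isakmp key'")

    transform_sets = {k.split()[3] for k in s if k.startswith("crypto ipsec transform-set")}
    acls = {k.split()[-1]: s[k] for k in s if k.startswith("ip access-list")}
    applied = {ln.split()[-1] for k in s if k.startswith("interface")
               for ln in s[k] if ln.startswith("crypto map")}

    for cm in (k for k in s if k.startswith("crypto map") and "ipsec-isakmp" in k):
        name, body = cm.split()[2], s[cm]
        ts = [ln.split()[-1] for ln in body if ln.startswith("set transform-set")]
        if not ts or ts[0] not in transform_sets:
            findings.append(f"{cm}: transform-set {ts} not defined")
        peers = [ln.split()[-1] for ln in body if ln.startswith("set peer")]
        if not peers:
            findings.append(f"{cm}: no peer")
        elif not any(k.endswith(peers[0]) for k in keys):
            findings.append(f"{cm}: no ISAKMP key for peer {peers[0]}")
        acl = [ln.split()[-1] for ln in body if ln.startswith("match address")]
        if not acl or acl[0] not in acls:
            findings.append(f"{cm}: crypto ACL {acl} not defined")
        else:
            net = IPv4Network(student_net)
            covered = any(
                net.subnet_of(wildcard_to_network(e.split()[2], e.split()[3]))
                for e in acls[acl[0]] if e.startswith("permit ip") and e.split()[2] != "any")
            if not covered:
                findings.append(f"{cm}: ACL {acl[0]} does not cover {student_net}")
        if name not in applied:
            findings.append(f"{cm}: not applied to any interface")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Run it against a `show running-config` capture before the first class; the ACL coverage check takes the student network as a parameter so the same function can be pointed at the chapter 9 laptop networks (10.1.P.0/24).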
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before the class begins.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check the Ethernet link from RL-LCL-2611 to your Internet connection.
• check the IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1

Step 2 RL-LCL-2611> ping <RL-PIX-CSVPN IP ADDRESS>
If unsuccessful
• check the default gateway (the route received from DHCP) on RL-LCL-2611:
RL-LCL-2611# show ip route

From the Pod 1 student PC:
Step 3 C:\> ping 172.27.27.100
If unsuccessful
• check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
• check the Ethernet link from RL-LCL-2611 to the Aironet access point or hub.
• check the IP address/netmask settings on the student PC.
• check the Aironet configuration and range.
• check the RL-LCL-2611 configuration.


Step 4 C:\> ping 10.90.90.1
This initiates the VPN tunnel to the remote PIX. It takes a few ping attempts before the tunnel is established and the ping succeeds.
If unsuccessful
• ensure that you have given the router and the PIX enough time to set up the VPN tunnel.
• check the default gateway setting on the student PC.
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
• check the IPsec settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSVPN IP ADDRESS>
• check how far the negotiation got: once Phase 1 is complete the peer shows in state QM_IDLE, and the IPsec SAs with their encaps/decaps packet counters show whether traffic is flowing in both directions:
RL-LCL-2611# show crypto isakmp sa
RL-LCL-2611# show crypto ipsec sa
• clear all security associations (SAs) on RL-LCL-2611 and retry the ping:
RL-LCL-2611# clear crypto sa

From each student PC (1 through 5):
Step 5 C:\> ping 172.26.26.100 (remote terminal server)
If unsuccessful
• check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
• check the IP address/netmask/default gateway settings on the student PC.
• check the Aironet configuration and range.
• check the RL-LCL-2611 configuration.

From each student PC (6 through 10):
Step 6 C:\> ping 172.26.26.120 (remote terminal server)
If unsuccessful
• check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
• check the IP address/netmask/default gateway settings on the student PC.
• check the Aironet configuration and range.
• check the RL-LCL-2611 configuration.
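The Step 4 troubleshooting list turned into a decision procedure, as an added example that is not part of the instructor guide: given the output of "show crypto isakmp sa" and "show crypto ipsec sa" captured from RL-LCL-2611, it works out whether the tunnel never started, Phase 1 is stuck (and in which state), Phase 2 is up but traffic only flows one way (the ESP-filtered case the note on page 3 warns about), or the tunnel is fine and the problem lies beyond it. The outputs embedded below are constructed samples in the IOS 12.2 column layout with hypothetical peer addresses; the state-to-cause mapping is the usual Cisco troubleshooting heuristic, not something the guide states.

```python
"""Tunnel triage for Step 4 of the connectivity check.

Added example, not from the instructor guide. decide() takes the text of
'show crypto isakmp sa' and 'show crypto ipsec sa' from RL-LCL-2611 and
returns (diagnosis, next action) using the guide's troubleshooting steps.
"""
import re

# Constructed 'show crypto isakmp sa' outputs (IOS 12.2 layout, hypothetical peers).
ISAKMP_UP = """\
dst             src             state          conn-id slot
203.0.113.10    198.51.100.5    QM_IDLE              1    0
"""
ISAKMP_STUCK = ISAKMP_UP.replace("QM_IDLE    ", "MM_KEY_EXCH")
ISAKMP_EMPTY = "dst             src             state          conn-id slot\n"

# Constructed excerpt of 'show crypto ipsec sa': packets leave, none return.
IPSEC_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (172.27.27.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 203.0.113.10
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
IPSEC_OK = IPSEC_ONE_WAY.replace("decaps: 0", "decaps: 14")

# Main-mode states in which Phase 1 stalls, with the usual cause (heuristic).
PHASE1_HINTS = {
    "MM_NO_STATE": "no reply from the peer: check the peer address, the default route "
                   "on Ethernet0/1, and that UDP 500 is allowed in both directions",
    "MM_SA_SETUP": "proposal accepted but the key exchange has not completed; allow a "
                   "few more pings, then 'clear crypto sa' and retry",
    "MM_KEY_EXCH": "authentication failed, usually a pre-shared key mismatch: compare "
                   "'crypto isakmp key ... address <peer>' with the key from ILSG",
}

def isakmp_state(output, peer):
    """State of the ISAKMP SA with `peer`, or None if there is none."""
    for line in output.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) >= 3 and peer in fields[:2]:
            return fields[2]
    return None

def ipsec_counters(output):
    """(encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps: (\d+)", output)
    dec = re.search(r"#pkts decaps: (\d+)", output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)

def decide(isakmp_output, ipsec_output, peer):
    """Return (diagnosis, next action) for the tunnel to `peer`."""
    state = isakmp_state(isakmp_output, peer)
    if state is None:
        return ("no ISAKMP SA",
                "tunnel never initiated: send traffic that matches ACL TO-RMT (ping "
                "10.90.90.1 from a student PC) and confirm 'crypto map RL-MAP' is "
                "applied to Ethernet0/1")
    if state != "QM_IDLE":
        return (f"Phase 1 stuck in {state}",
                PHASE1_HINTS.get(state, "unexpected state; 'clear crypto sa' and retry"))
    encaps, decaps = ipsec_counters(ipsec_output)
    if encaps == 0:
        return ("Phase 1 up, nothing encrypted",
                "either no interesting traffic reached the router (check the PC default "
                "gateway 172.27.27.100) or Phase 2 failed: the transform set and PFS "
                "group must match the peer")
    if decaps == 0:
        return ("Phase 2 up, one-way traffic",
                "packets are sent but nothing comes back: ESP (IP protocol 50) is "
                "probably filtered on the inbound path, or the remote side has no route back")
    return ("tunnel passing traffic", "the problem is beyond the tunnel: continue with Step 5")

if __name__ == "__main__":
    for name, isakmp, ipsec in (("empty", ISAKMP_EMPTY, ""), ("stuck", ISAKMP_STUCK, ""),
                                ("one-way", ISAKMP_UP, IPSEC_ONE_WAY), ("ok", ISAKMP_UP, IPSEC_OK)):
        print(name, "->", decide(isakmp, ipsec, "203.0.113.10"))
```

Paste the two show outputs from the router console into the functions; the peer argument is the RL-PIX-CSVPN address supplied by ILSG.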


Telnetting to the Remote Terminal Server
Note Use "Ctrl+Shift+6, then x" to exit a console session.
Note Telnet is cleartext. It is protected by the IPsec tunnel only from RL-LCL-2611 onward; between the student PCs and the classroom router the terminal server password travels in the clear over the classroom LAN or WLAN.
Lab Chapters 5 through 7
For the labs in chapters 5 through 7, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 172.26.26.100, and student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 172.26.26.120.
Pods 1 through 5:
C:\> telnet 172.26.26.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
Pods 6 through 10:
C:\> telnet 172.26.26.120
User Access Verification
Password: cisco
RL-RMT2-CSVPN>
Lab Chapter 8
For the chapter 8 lab only, all students telnet to 192.168.1PP.100 (where PP = two-digit pod number: 01, 02, ..., 10).
C:\> telnet 192.168.1PP.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>  (pods 1 through 5)
RL-RMT2-CSVPN>  (pods 6 through 10)
Lab Chapters 9 through 14
For the labs in chapters 9 through 14, all students telnet to 10.0.P.100; pods 1 through 5 reach RL-RMT1-CSVPN and pods 6 through 10 reach RL-RMT2-CSVPN at that address.
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>  (pods 1 through 5)
RL-RMT2-CSVPN>  (pods 6 through 10)

VPN Concentrator Initial Configurations
The VPN Concentrators are reset by the students as part of their lab activities. If you want, check before the class that all VPN Concentrators have been reset.
Note Pods 1 through 5 access their VPN Concentrator console from RL-RMT1-CSVPN as follows:

RL-RMT1-CSVPN> vP (where P = pod number)
Translating "vP"
Trying vP (10.91.91.1, 2033) Open
Login: admin
Password: admin

Pods 6 through 10 access their VPN Concentrator console from RL-RMT2-CSVPN as follows:

RL-RMT2-CSVPN> vP (where P = pod number)
Translating "vP"
Trying vP (10.92.92.1, 2033) Open
Login: admin
Password: admin
To reset a VPN Concentrator:
Note If you get the Quick Configuration prompt for the system time or date parameters, the device has already been reset to factory defaults.
Main -> 2
Admin -> 3
Admin -> 2
Admin -> 3
Admin -> 2
Note Do not attempt to log in at the first login prompt you see; it takes several moments for the Cisco VPN 3000 Concentrator to complete the reboot. A login prompt appears when the reboot is complete.

Hardware Client Initial Configurations
The hardware clients are reset by the students as part of their lab activities. If you want, check before the class that all hardware clients have been reset.
Note Pods 1 through 5 access their hardware client console from RL-RMT1-CSVPN as follows:

RL-RMT1-CSVPN> cP (where P = pod number)
Translating "cP"
Trying cP (10.91.91.1, 2033) Open
Login: admin
Password: admin

Pods 6 through 10 access their hardware client console from RL-RMT2-CSVPN as follows:

RL-RMT2-CSVPN> cP (where P = pod number)
Translating "cP"
Trying cP (10.92.92.1, 2033) Open
Login: admin
Password: admin
To reset a hardware client:
Note If you get the Quick Configuration prompt for the system time or date parameters, the device has already been reset to factory defaults.
Main -> 2
Admin -> 2
Admin -> 2
Admin -> 3
Admin -> 2
Note Do not attempt to log in at the first login prompt you see; it takes several moments for the Cisco VPN 3002 Hardware Client to complete the reboot. A login prompt appears when the reboot is complete.

Router Initial Configurations
The student routers should already be configured with the default configuration before each class. Check that all student routers are configured.
Note Pods 1 through 5 access their router console from RL-RMT1-CSVPN as follows:

RL-RMT1-CSVPN> rP (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) Open
rP> enable
Password: cisco
rP#

Pods 6 through 10 access their router console from RL-RMT2-CSVPN as follows:

RL-RMT2-CSVPN> rP (where P = pod number)
Translating "rP"
Trying rP (10.92.92.1, 2033) Open
rP> enable
Password: cisco
rP#
Router Default Configuration
Note Remember to replace the Ps with the actual pod number.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rP
!
no logging console
enable password cisco
!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
ip address 10.0.P.2 255.255.255.0
no ip directed-broadcast

!
interface Ethernet0/1
ip address 172.30.P.2 255.255.255.0
no ip directed-broadcast
!
router eigrp 1
network 10.0.0.0
network 172.30.0.0
no auto-summary
!
ip classless
no ip http server
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end
PIX Initial Configurations
The student PIX Firewalls should already be configured with the default configuration before each class. Check that all student PIX Firewalls are configured.
Note Pods 1 through 5 access their PIX console from RL-RMT1-CSVPN as follows:

RL-RMT1-CSVPN> pP (where P = pod number)
Translating "pP"
Trying pP (10.91.91.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#

Pods 6 through 10 access their PIX console from RL-RMT2-CSVPN as follows:

RL-RMT2-CSVPN> pP (where P = pod number)
Translating "pP"
Trying pP (10.92.92.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#

To reset a PIX Firewall:
pixP# write erase
Erase PIX configuration in flash memory? [confirm] <enter>
pixP# reload
Proceed with reload? [confirm] <enter>
Rebooting...
PIX Default Configuration
Note Paste the following after resetting the PIX. Remember to replace the Ps with the actual pod number.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixP
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
no failover
arp timeout 14400
global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.P.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
clear xlate
exit
write memory
Note The global pool must lie entirely inside the pod's outside subnet (192.168.P.10 through 192.168.P.254); an end address in another pod's subnet produces translations the perimeter router cannot route back. The static for 10.0.P.3 uses 192.168.P.10, the first address of that pool, so if you change either, keep the static outside the pool. The two conduits open ICMP from anywhere and TCP port 80 to the static; this is the pre-access-list PIX syntax and is intended for the lab only.
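An added helper for the per-pod defaults above and in the Router Initial Configurations section (example code written for this page, not from the instructor guide): it expands the P, Q and PP placeholders for one pod and then checks that every IPv4 address in the rendered configuration falls inside that pod's networks (or its peer pod's), which is exactly the class of mistake a pool range ending in another pod's subnet represents. The templates are excerpts of the guide's defaults; the fixed pairing 1<->6, 2<->7, ..., 5<->10 is an assumption, since the guide only requires a pod from 1 through 5 to be paired with one from 6 through 10.

```python
"""Render and cross-check the per-pod default configurations.

Added example, not from the instructor guide. render() substitutes the pod
placeholders, check() reports addresses that do not belong to the pod.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Excerpt of the guide's PIX default configuration (P = pod number).
PIX_TEMPLATE = """\
hostname pixP
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.P.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
"""

# Excerpt of the guide's router default configuration.
ROUTER_TEMPLATE = """\
hostname rP
interface Ethernet0/0
 ip address 10.0.P.2 255.255.255.0
interface Ethernet0/1
 ip address 172.30.P.2 255.255.255.0
"""

# Per-pod networks from the topology diagram, plus the shared backbone.
POD_NETS = ["192.168.P.0/24", "10.0.P.0/24", "172.30.P.0/24", "10.1.P.0/24",
            "192.168.1PP.0/24", "192.168.2PP.0/24"]
SHARED_NETS = ["172.26.26.0/24"]
# Masks, wildcards and defaults that are never pod-specific.
NEUTRAL = {"0.0.0.0", "255.255.255.0", "255.255.255.255"}
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def peer_pod(pod):
    """Assumed pairing (not fixed by the guide): 1<->6, 2<->7, ..., 5<->10."""
    return pod + 5 if pod <= 5 else pod - 5

def render(template, pod):
    """Replace PP (two-digit pod), P (pod) and Q (peer pod) placeholders."""
    out = template.replace("PP", f"{pod:02d}")
    out = re.sub(r"(?<=\.)P(?=[\s./])", str(pod), out)            # P as an address octet
    out = re.sub(r"(?<=\.)Q(?=[\s./])", str(peer_pod(pod)), out)  # Q as an address octet
    out = re.sub(r"(?<=[a-z])P\b", str(pod), out)                 # hostnames rP, pixP, vP
    return out

def pod_networks(pod):
    """Networks an address in pod P's configuration may legitimately belong to."""
    nets = [render(n, pod) for n in POD_NETS]
    nets += [render(n, peer_pod(pod)) for n in POD_NETS]
    return [IPv4Network(n) for n in nets + SHARED_NETS]

def check(rendered, pod):
    """Return [(line, address)] for every address outside the pod's networks."""
    nets = pod_networks(pod)
    findings = []
    for line in rendered.splitlines():
        for addr in ADDR_RE.findall(line):
            if addr in NEUTRAL:
                continue
            if not any(IPv4Address(addr) in net for net in nets):
                findings.append((line.strip(), addr))
    return findings

if __name__ == "__main__":
    for pod in range(1, 11):
        for name, template in (("pix", PIX_TEMPLATE), ("router", ROUTER_TEMPLATE)):
            for line, addr in check(render(template, pod), pod):
                print(f"pod {pod} {name}: {addr} out of range in: {line}")
```

With the pool range written as 192.168.P.10-192.168.1.254, check() flags 192.168.1.254 for every pod except pod 1 (and pod 6, whose assumed peer is pod 1); the corrected template passes for all ten pods.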
CSVPN Individual Lab Settings and
Changes
Peer Pods
The instructor must assign peer pods for labs that require pods to access each other. A pod from 1 through 5 can only be peered with a pod from 6 through 10 (in chapters 9 through 13, Q denotes the peer pod number):
POD 1, POD 2, POD 3, POD 4, POD 5  <==>  POD 6, POD 7, POD 8, POD 9, POD 10
Chapter 5—Configure Cisco VPN 3000 Concentrator for
Remote Access Using Pre-Shared Keys
[Chapter 5 lab visual objective diagram: a laptop PC with the Cisco VPN Client (172.27.27.P) behind the backbone router, NATed to 172.26.26.P, reaches the perimeter router across the Internet; the VPN 3000 Concentrator sits behind the perimeter router with a DHCP server on its private side.]
Note P = pod number: 1 through 10.
Parameter                    IP Address                 Subnet Mask
Laptop primary               172.27.27.P                255.255.255.0
VPN 3000 public interface    192.168.P.5                255.255.255.0
VPN 3000 private interface   10.0.P.5                   255.255.255.0
DHCP server                  10.0.P.10
Remote terminal server       Pods 1-5: 172.26.26.100
                             Pods 6-10: 172.26.26.120
Perimeter router             192.168.P.1
Backbone router              172.27.27.100
Chapter 6—Configure the Cisco VPN 3000 Concentrator for
Remote Access Using Digital Certificates
[Chapter 6 lab visual objective diagram: as in chapter 5, the laptop PC with the Cisco VPN Client (172.27.27.P, NATed to 172.26.26.P) and the CA server (172.27.27.51, NATed to 172.26.26.51) reach the perimeter router across the Internet; the VPN 3000 Concentrator sits behind it with a DHCP server on its private side.]
Note P = pod number: 1 through 10.
Parameter                    IP Address                 Subnet Mask
VPN 3000 public interface    192.168.P.5                255.255.255.0
VPN 3000 private interface   10.0.P.5                   255.255.255.0
DHCP server                  10.0.P.10
Remote terminal server       Pods 1-5: 172.26.26.100
                             Pods 6-10: 172.26.26.120
Perimeter router             192.168.P.1
Backbone router              172.26.26.100
Certificate server           172.27.27.51
Chapter 7—Cisco VPN 3000 Concentrator Monitoring &
Administration
[Chapter 7 lab visual objective diagram: the laptop PC with the Cisco VPN Client (172.27.27.P, NATed to 172.26.26.P) reaches the perimeter router across the Internet; the VPN 3000 Concentrator sits behind it with an NT and TACACS+ server on its private side.]
Note P = pod number: 1 through 10.
Parameter                    IP Address                 Subnet Mask
Laptop primary               172.27.27.P
VPN 3000 public interface    192.168.P.5
Authentication server        10.0.P.10
Chapter 8—Configuring Cisco VPN 3002 Hardware Client
Remote Access
[Chapter 8 lab visual objective diagram: the laptop PC (192.168.2PP.2) sits behind the VPN 3002 Hardware Client, NATed to 192.168.1PP.2, and reaches the perimeter router across the Internet; the VPN 3000 Concentrator sits behind it with an NT and TACACS+ server on its private side.]
Note P = one-digit pod number: 1 through 10. PP = two-digit pod number: 01, 02, 03, 04, 05, 06, 07, 08, 09, 10.
Parameter                                              IP Address         Subnet Mask
Laptop primary (all tasks)                             192.168.2PP.2      255.255.255.0
VPN 3000 public interface                              192.168.P.5        255.255.255.0
VPN 3000 private interface                             10.0.P.5           255.255.255.0
VPN 3002 public interface                              172.26.26.1PP      255.255.255.0
VPN 3002 private interface (client mode)               192.168.1PP.1
VPN 3002 private interface (network extension mode)    192.168.1PP.1
DHCP server                                            10.0.P.10
Remote terminal server                                 192.168.1PP.100
Perimeter router                                       192.168.P.1
Backbone router                                        172.26.26.99

IMPORTANT: the following settings in the chapter 8 lab guide change for the remote lab.
Setting                        From             To
Task 1, Step 2                 172.26.26.100    192.168.1PP.100
Task 1, Step 5                 cP               vP
Task 11, Step 6                192.168.10.2     192.168.2PP.2
Task 11, Step 8                192.168.10.1     192.168.2PP.1
Task 12                        SKIP TASK
Task 13, Steps 1-2             Access the hardware client console from the remote terminal server at 192.168.1PP.100.
Task 14                        BEFORE DOING THIS TASK, set the hardware client private interface IP address to 192.168.1PP.1. Use Task 19 to help you set the hardware client IP address.
Task 14, Step 8, Sub-step 3    172.26.26.P      172.26.26.1PP
Task 14, Step 8, Sub-step 5    172.26.26.100    172.26.26.99
Task 17, Step 1                10.0.P.5         192.168.P.5
Task 18, Steps 1-2             Access the hardware client console from the remote terminal server at 192.168.1PP.100.
Task 19, Step 2, Sub-step 5    192.168.10.P0    192.168.1PP.1
Task 20, Step 2                192.168.10.P0    192.168.1PP.1
Task 20, Step 8, Sub-step 3    172.26.26.P      172.26.26.1PP
Task 20, Step 8, Sub-step 5    172.26.26.100    172.26.26.99
Task 21                        SKIP TASK
Task 23, Step 1                10.0.P.5         192.168.P.5
Chapter 9—Configure Cisco VPN 3000 Concentrators for
LAN-to-LAN Using Pre-Shared Keys
[Chapter 9 lab visual objective diagram: pod P and its peer pod Q, each with a perimeter router, a VPN Concentrator and an NT server, joined across the Internet; the student PC of each pod (10.1.P.8, respectively 10.1.Q.8) is NATed to 10.0.P.8 (10.0.Q.8) and appears as the pod's NT server.]
Note P = pod number: 1 through 10. Q = peer pod number (see Peer Pods).
Parameter                         IP Address                 Subnet Mask
Laptop primary                    10.1.P.8                   255.255.255.0
Laptop default gateway            10.1.P.1
Laptop secondary                  172.27.27.P                255.255.255.0
Remote laptop primary             10.0.Q.8
VPN 3000 public interface         192.168.P.5                255.255.255.0
VPN 3000 private interface        10.0.P.5                   255.255.255.0
Peer VPN 3000 public interface    192.168.Q.5
Remote terminal server            Pods 1-5: 172.26.26.100
                                  Pods 6-10: 172.26.26.120
Perimeter router                  192.168.P.1

Chapter 10—Configure Cisco VPN 3000 Concentrators for
LAN-to-LAN Using Digital Certificates
[Chapter 10 lab visual objective diagram: as in chapter 9, pod P and its peer pod Q each with a perimeter router, a VPN Concentrator and an NT server, joined across the Internet; the student PC of each pod (10.1.P.8, respectively 10.1.Q.8) is NATed to 10.0.P.8 (10.0.Q.8).]
Note P = pod number: 1 through 10. Q = peer pod number (see Peer Pods).
Parameter                    IP Address                 Subnet Mask
VPN 3000 public interface    192.168.P.5                255.255.255.0
Certificate server           172.27.27.51
Chapter 11—Configure Cisco IOS IPSec for Pre-Shared
Keys
[Chapter 11 lab visual objective diagram: pod P and its peer pod Q, each with a perimeter router (R1 for pod P, R2 for pod Q) whose e0/0 is .2 on 10.0.P.0/24 (10.0.Q.0/24) and whose e0/1 is 172.30.P.2/24 (172.30.Q.2/24), joined across the Internet; the student PC of each pod acts as NT1 (NT2), an NT server running syslog, IIS, FTP and web, at 10.1.P.9 (10.1.Q.9) NATed to 10.0.P.9 (10.0.Q.9); an NT server with FTP and web at 172.26.26.50.]
Note P = pod number: 1 through 10. Q = peer pod number (see Peer Pods).
Parameter                 IP Address     Subnet Mask
Laptop IP address         10.1.P.9       255.255.255.0
Laptop default gateway    10.1.P.1

Setting                                                   From           To
Reload Default Configuration*, Address of Remote Host     172.30.1.50    10.0.P.10
Reload Default Configuration*, Configuration File         rPn-confg      rl-rPwofw.confg
* This section appears at the end of the lab.

Chapter 12—Configure Cisco IOS CA Support (RSA
Signatures)
[Chapter 12 lab visual objective diagram: pod P and its peer pod Q, each with a perimeter router (R1 for pod P, R2 for pod Q) whose e0/0 is .2 on 10.0.P.0/24 (10.0.Q.0/24) and whose e0/1 is 172.30.P.2/24 (172.30.Q.2/24), joined across the Internet; the student PC of each pod acts as NT1 (NT2), an NT server running syslog, IIS, FTP and web, at 10.1.P.9 (10.1.Q.9) NATed to 10.0.P.9 (10.0.Q.9); an NT server with CA, FTP and web at 172.26.26.51.]
Note P = pod number: 1 through 10. Q = peer pod number (see Peer Pods).
Parameter                 IP Address     Subnet Mask
Laptop IP address         10.1.P.9       255.255.255.0
Laptop default gateway    10.1.P.1

Setting                                                   From           To
Task 1, Step 4                                            172.30.1.51    172.26.26.51
Task 1, Step 5                                            172.30.1.51    172.26.26.51
Task 2, Step 2                                            172.30.1.51    172.26.26.51
Task 2, Step 4, Sub-step C                                Use the Microsoft CA server format.
Reload Default Configuration*, Address of Remote Host     172.30.1.50    10.0.P.10
Reload Default Configuration*, Configuration File         rPn-confg      rl-rPwofw.confg
* This section appears at the end of the lab.

Chapter 13—Configure PIX IPSec Pre-shared Keys
[Chapter 13 lab visual objective diagram: pod P and its peer pod Q, each with a PIX Firewall (e0 outside .2 on 192.168.P.0/24, e1 inside .1 on 10.0.P.0/24; likewise for Q) behind a perimeter router (R1 for pod P, R2 for pod Q, e0/0 at .1 on the 192.168 subnet and e0/1 at 172.30.P.2/24), joined across the Internet; the student PC of each pod acts as NT1 (NT2), an NT server running syslog, IIS, FTP and web, at 10.1.P.3 (10.1.Q.3) NATed to 10.0.P.3 (10.0.Q.3); an NT server with CA, FTP and web at 172.26.26.51.]
Note P = pod number: 1 through 10. Q = peer pod number (see Peer Pods).
Parameter                 IP Address     Subnet Mask
Laptop IP address         10.1.P.3       255.255.255.0
Laptop default gateway    10.1.P.1
