CSVPN Remote Lab
Instructor Guide 1.0
Table of Contents
Remote Lab Topology 2
  Remote Lab Description 2
  Local Classroom Description 2
Classroom Setup 4
  Equipment List 4
  Physical Connections 5
  Initial Student PC Configuration 5
  Classroom Router Configuration 6
Remote Lab Setup 8
  Establishing and Testing Connectivity to the Remote Lab 8
  Telnetting to the Remote Terminal Server 10
  VPN Concentrator Initial Configurations 11
  Hardware Client Initial Configurations 12
  Router Initial Configurations 13
  PIX Initial Configurations 14
CSVPN Individual Lab Settings and Changes 16
  Peer Pods 16
  Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using Pre-Shared Keys 16
  Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates 17
  Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration 18
  Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access 19
  Chapter 9—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Pre-Shared Keys 21
  Chapter 10—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Digital Certificates 22
  Chapter 11—Configure Cisco IOS IPSec for Pre-Shared Keys 23
  Chapter 12—Configure Cisco IOS CA Support (RSA Signatures) 24
  Chapter 13—Configure PIX IPSec Pre-shared Keys 25
  Chapter 14—Configure PIX Firewall CA Support 26
2 CSVPN Remote Lab Instructor Guide 1.0 Copyright © 2001, Cisco Systems, Inc.
Remote Lab Topology
The following is the network topology diagram for the CSVPN remote lab.
[Figure: CSVPN remote lab topology. The classroom (RL-LCL: the Cisco 2611 with the student PCs on a hub) reaches the remote lab across the Internet through RL-PIX-CSVPN on the 10.90.90.0 network (.1 and .2). Behind the PIX, RL-RMT-CSVPN connects over 10.91.91.0 and 10.92.92.0 to RL-RMT1-CSVPN (terminal server 172.26.26.100, pods 1 through 5) and RL-RMT2-CSVPN (terminal server 172.26.26.120, pods 6 through 10), with RL-RBB-CSVPN as the backbone router. Each pod P is drawn with a perimeter router pP, a VPN 3000 concentrator vP, a backbone router rP and a VPN 3002 hardware client cP on the networks 192.168.P.0, 10.0.P.0, 172.30.P.0 and 192.168.1PP.0. Shared servers on the 172.26.26.0 network are the CA (.10), CSACS/DHCP, and a WEB/FTP server (.50).]
Remote Lab Description
The remote lab is accessed via a PIX firewall, RL-PIX-CSVPN, reachable from the Internet. The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSVPN. RL-PIX-CSVPN forwards all traffic to a Cisco 2621 router, RL-RMT-CSVPN, which routes traffic based on the source IP address to one of two routers, RL-RMT1-CSVPN or RL-RMT2-CSVPN. These routers perform IP address translation (NAT) and route the traffic to the appropriate student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the required applications used in the labs. Another PC running Windows 2000 Server is the CA server. All PCs are directly connected to a Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If using a Cisco FastHub 400, a Cisco 2611 router is connected to the hub. If using Cisco Aironet, the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet-accessible network.
Note The classroom router will be initiating the IPsec VPN tunnel. UDP port 500 (ISAKMP) and IP protocol 50 (ESP) traffic must be allowed by the firewall at the classroom location; see Classroom Router Configuration later in this document. Because ESP carries no port numbers, it does not survive port address translation: the address the router obtains on Ethernet 0/1 must be a public address, or the site firewall must map a public address one-to-one to the router (or support IPsec pass-through for that single inside host).
Classroom Setup
This section covers the list of equipment and its physical connections, as well as the configuration of the student PCs and the classroom router that the Cisco Learning Partner is required to perform when teaching this course.
Equipment List
DESCRIPTION                                                            MFR        PART NO.          QTY   LIST PRICE/EACH
Student Laptop/PC and CA Server                                        (varies)   (varies)          11    (varies)
  • Windows 2000 Server                                                Microsoft                    11    (varies)
  • Internet Explorer 5.5                                              Microsoft                    11    (varies)
  • Internet Information Services 5.0                                  Microsoft                    11    (varies)
  • Pentium III 800 MHz (or better)                                    Intel                        11    (varies)
  • 256 MB RAM (or better)                                             (varies)                     11    (varies)
  • 8 GB Hard Drive (or better), NTFS partitioned                      (varies)                     11    (varies)
  • CD-ROM/Floppy Drive                                                (varies)                     11    (varies)
  • Aironet Adapter or 10/100 Ethernet NIC                             (varies)                     11    (varies)
350 Series PC Card w/Integrated Diversity Antenna, 128-bit WEP         Cisco      AIR-PCM352        11    199
340 Series 11Mbps DSSS AP w/128-bit WEP and 2 Int. Ant.                Cisco      AIR-AP342E2C      1     799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater Cisco      WS-C412           1     895
Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software      Cisco      CISCO2611         1     2495
  • IP SW 2600 SF26C - IP SOFTWARE                                     Cisco      IP SW 2600 SF26C  1     0
  • S26C-12205 Cisco 2600 Series IOS IP*                               Cisco      S26C-12205T       1     0
  • 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series        Cisco      MEM2600-32U48D    1     1000
  • 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series         Cisco      MEM2600-8U16FS    1     700
Note * The Cisco 2611 router may be purchased with any zero-added-cost image and later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can be downloaded free of charge by Cisco Learning Partners through CCO.
Physical Connections
[Figure: Connections with Aironet. Student PCs 1 through 10 and the CA server associate with the Aironet access point, which connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 connects to the Internet; the console port is used for configuration.]
[Figure: Connections with Hub. Student PCs 1 through 10 and the CA server plug into ports 1X through 12X of the FastHub 400, which connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 connects to the Internet; the console port is used for configuration.]
Initial Student PC Configuration
IP ADDRESS 172.27.27.P (P = pod number, 1 through 10)
MASK 255.255.255.0
GATEWAY 172.27.27.100
Classroom Router Configuration
You will need the following parameters from Cisco's ILSG lab administrator before configuring the classroom router:
RL-PIX-CSVPN IP ADDRESS (IPsec peer IP address)
AUTHENTICATION KEY (ISAKMP pre-shared key)
Note The classroom router is configured to get a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, a manually entered IP address and default route must be configured.
Two things to check before the outside interface goes live: the vty lines in the configuration below carry no access-class, so the router's telnet port is reachable from the Internet side with nothing but the vty password, and both that password (type 7, which is reversible) and the ISAKMP pre-shared key (stored in clear text) are recoverable by anyone who reads the saved configuration. Restrict the vty lines to the classroom subnet and treat copies of the configuration as sensitive.
RL-LCL-2611 Configuration
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
enable secret 5 <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer <RL-PIX-CSVPN IP ADDRESS>
 set security-association lifetime seconds 86400
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.2.1 255.255.255.0 secondary
 ip address 10.1.3.1 255.255.255.0 secondary
 ip address 10.1.4.1 255.255.255.0 secondary
 ip address 10.1.5.1 255.255.255.0 secondary
 ip address 10.1.6.1 255.255.255.0 secondary
 ip address 10.1.7.1 255.255.255.0 secondary
 ip address 10.1.8.1 255.255.255.0 secondary
 ip address 10.1.9.1 255.255.255.0 secondary
 ip address 10.1.10.1 255.255.255.0 secondary
 ip address 192.168.201.1 255.255.255.0 secondary
 ip address 192.168.202.1 255.255.255.0 secondary
 ip address 192.168.203.1 255.255.255.0 secondary
 ip address 192.168.204.1 255.255.255.0 secondary
 ip address 192.168.205.1 255.255.255.0 secondary
 ip address 192.168.206.1 255.255.255.0 secondary
 ip address 192.168.207.1 255.255.255.0 secondary
 ip address 192.168.208.1 255.255.255.0 secondary
 ip address 192.168.209.1 255.255.255.0 secondary
 ip address 192.168.210.1 255.255.255.0 secondary
 ip address 172.27.27.100 255.255.255.0
 no cdp enable
!
interface Ethernet0/1
 ip address dhcp
 no cdp enable
 crypto map RL-MAP
!
ip classless
no ip http server
!
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 120E5619050A0F176B
 login
!
end
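Everything the classroom side contributes to the tunnel is in the configuration above, so it is worth checking it mechanically before class rather than by eye. The script below is an added example, not code from this guide or from Cisco. It parses a saved IOS running-config into top-level commands and their indented sub-commands, compares the ISAKMP policy, pre-shared key, transform set, crypto map, crypto ACL and interface binding against the values documented above, and reports the two management-plane issues this configuration ships with: vty lines without an access-class, and a type-7 vty password, which it decodes to show that service password-encryption is reversible. The peer address 192.0.2.10, the key LabKeyExample and SAMPLE_CONFIG are constructed for the example; the type-7 key string is the fixed one IOS uses, and the sample vty password 0822455D0A16 is the well-known type-7 encoding of "cisco".

```python
"""Audit a saved IOS running-config against the classroom-router settings above.
Added example for this guide, not code from the guide or from Cisco."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Fixed, published XOR key behind IOS "service password-encryption" (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: the guide's config with placeholders filled (peer 192.0.2.10,
# key LabKeyExample) and the vty password set to 0822455D0A16, type 7 for "cisco".
SAMPLE_CONFIG = """\
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key LabKeyExample address 192.0.2.10
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
crypto map RL-MAP 22 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
interface Ethernet0/0
 ip address 172.27.27.100 255.255.255.0
interface Ethernet0/1
 ip address dhcp
 crypto map RL-MAP
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
line vty 0 4
 password 7 0822455D0A16
 login
"""

def decode_type7(encoded: str) -> str:
    """Two-digit key offset, then hex of (byte XOR key[offset + i]) for each byte."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)).decode()

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config: str, peer: str, student_net: str = "172.27.27.0/24") -> List[str]:
    """Return findings on the tunnel settings and the management plane ([] = clean)."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    by_head: Dict[str, List[str]] = dict(blocks)
    # Phase 1: policy attributes and a pre-shared key for the documented peer.
    if not any({"hash md5", "authentication pre-share", "group 2"} <= set(b)
               for h, b in blocks if h.startswith("crypto isakmp policy ")):
        findings.append("no isakmp policy with hash md5 / authentication pre-share / group 2")
    if not any(h.startswith("crypto isakmp key ") and h.endswith(f" address {peer}") for h in by_head):
        findings.append(f"no pre-shared key configured for peer {peer}")
    # Phase 2: transform set, crypto map entries, crypto ACL coverage, interface binding.
    transforms = {h.split()[3]: h.split()[4:] for h in by_head if h.startswith("crypto ipsec transform-set ")}
    for head, body in blocks:
        if not (head.startswith("crypto map ") and head.endswith(" ipsec-isakmp")):
            continue
        name = head.split()[2]
        opts = {" ".join(s.split()[:2]): s.split()[2:] for s in body}
        if opts.get("set peer") != [peer]:
            findings.append(f"crypto map {name}: set peer is not {peer}")
        ts = opts.get("set transform-set", [""])[0]
        if transforms.get(ts) != ["esp-3des", "esp-md5-hmac"]:
            findings.append(f"crypto map {name}: transform-set {ts!r} is not esp-3des esp-md5-hmac")
        if opts.get("set pfs") != ["group2"]:
            findings.append(f"crypto map {name}: pfs group2 not set")
        acl = opts.get("match address", [""])[0]
        # IOS wildcard masks are accepted by ipaddress as host masks (host entries, wildcard 0.0.0.0, not handled).
        matches = (re.fullmatch(r"permit ip (\S+) (\S+) any", e) for e in by_head.get(f"ip access-list extended {acl}", []))
        if not any(m and ipaddress.ip_network(student_net).subnet_of(
                ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)) for m in matches):
            findings.append(f"crypto ACL {acl!r} does not cover the student subnet {student_net}")
        if not any(f"crypto map {name}" in b for h, b in blocks if h.startswith("interface ")):
            findings.append(f"crypto map {name} is not applied to any interface")
    # Management plane: the guide's config ships with an open vty and a type-7 password.
    for head, body in blocks:
        if head.startswith("line vty"):
            if not any(s.startswith("access-class ") for s in body):
                findings.append(f"{head}: no access-class, telnet accepted from any source, Internet side included")
            for m in (re.fullmatch(r"password 7 ([0-9A-Fa-f]+)", s) for s in body):
                if m:
                    findings.append(f"{head}: type-7 password is reversible, decodes to {decode_type7(m[1])!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.0.2.10"):
        print("FINDING:", finding)
```

Run it with the text of show running-config and the real peer address in place of the sample; an empty list means the tunnel settings match and the vty is restricted. Applied to the vty line in the configuration above, decode_type7 recovers that password just as quickly, which is the reason to add an access-class and to keep copies of the configuration off shared drives.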
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before the beginning of class.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check ethernet link from RL-LCL-2611 to your Internet connection.
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1
Step 2 RL-LCL-2611> ping <RL-PIX-CSVPN IP ADDRESS>
If unsuccessful
• check default gateway setting on RL-LCL-2611:
RL-LCL-2611# show ip route
From the Pod 1 student PC:
Step 3 C:\> ping 172.27.27.100
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check ethernet link from RL-LCL-2611 to Aironet access point or hub.
• check IP address/netmask settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
Step 4 C:\> ping 10.90.90.1
This initiates the VPN tunnel to the remote PIX. The first few pings fail while the router and the PIX negotiate the tunnel; repeat the ping until it succeeds.
If unsuccessful
• ensure that you have given the router/PIX enough time to set up the VPN tunnel.
• check default gateway setting on the student PC.
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
• check the IPSEC settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSVPN IP ADDRESS>
• check the state of the negotiation on RL-LCL-2611: a phase 1 SA in QM_IDLE and non-zero encaps and decaps counters mean the tunnel is up; encaps without decaps means ESP is not coming back from the remote side:
RL-LCL-2611# show crypto isakmp sa
RL-LCL-2611# show crypto ipsec sa
• clear all security associations (SAs) on the RL-LCL-2611 and ping again:
RL-LCL-2611# clear crypto sa
From each student PC (1 through 5)
Step 5 C:\> ping 172.26.26.100 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
From each student PC (6 through 10)
Step 6 C:\> ping 172.26.26.120 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
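The checks in Steps 4 through 6 are easier to apply when you read the router's own view of the tunnel. The script below is an added example, not part of this guide: it parses the output of show crypto isakmp sa and show crypto ipsec sa from RL-LCL-2611 and maps what it finds onto the checks listed above (nothing has matched the crypto ACL, IKE never completed, phase 1 stuck, phase 1 up with nothing encrypted, encrypted but never decrypted, or healthy). The two sample outputs are constructed in the IOS 12.2 format with the peer at 192.0.2.10 and the router's outside address at 192.0.2.20; paste real output in their place.

```python
"""Classify the tunnel state from 'show crypto isakmp sa' and 'show crypto ipsec sa'.
Added example for Step 4 above, not part of the guide; the outputs below are
constructed in the IOS 12.2 format (peer 192.0.2.10, local address 192.0.2.20)."""
import re
from typing import Dict, Optional

ISAKMP_SAMPLE = """\
    dst             src             state          conn-id slot
    192.0.2.10      192.0.2.20      QM_IDLE              1    0
"""

IPSEC_SAMPLE = """\
interface: Ethernet0/1
    Crypto map tag: RL-MAP, local addr. 192.0.2.20

   local  ident (addr/mask/prot/port): (172.27.27.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.0.2.10
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 3, #recv errors 0
"""

def isakmp_state(output: str, peer: str) -> Optional[str]:
    """State column of the ISAKMP SA whose dst or src is peer; None if no SA exists."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and peer in parts[:2]:
            return parts[2]
    return None

def ipsec_counters(output: str) -> Dict[str, int]:
    """Pull the counters that separate 'nothing matched' from one-way and two-way traffic."""
    counters: Dict[str, int] = {}
    for key, pattern in (("encaps", r"#pkts encaps: (\d+)"),
                         ("decaps", r"#pkts decaps: (\d+)"),
                         ("send_errors", r"#send errors (\d+)")):
        m = re.search(pattern, output)
        counters[key] = int(m[1]) if m else 0
    return counters

def diagnose(isakmp_out: str, ipsec_out: str, peer: str) -> str:
    """Map the observable SA state onto the checks listed under Step 4."""
    state = isakmp_state(isakmp_out, peer)
    c = ipsec_counters(ipsec_out)
    if state is None and c["send_errors"] == 0:
        return ("idle: nothing has matched crypto ACL TO-RMT yet; ping 10.90.90.1 again and "
                "check the student PC default gateway (172.27.27.100)")
    if state is None:
        # Packets matched the crypto map and were dropped waiting for an SA that never came.
        return (f"IKE never completed ({c['send_errors']} packets dropped waiting for an SA): "
                "UDP/500 is blocked at the classroom firewall or the peer address in RL-MAP is wrong")
    if state != "QM_IDLE":
        return (f"phase 1 stuck in {state}: check the pre-shared key and the peer address in "
                "'crypto isakmp key', and that UDP/500 passes the classroom firewall")
    if c["encaps"] == 0:
        return ("phase 1 up but nothing encrypted: phase 2 may have failed (transform set, pfs or "
                "crypto ACL mismatch with the peer); clear crypto sa and ping again")
    if c["decaps"] == 0:
        return ("one-way tunnel: packets are encrypted but none decrypted; ESP (IP protocol 50) is "
                "dropped on the return path, typically by PAT or a firewall that passes UDP/500 only")
    return "tunnel healthy: packets are encrypted and decrypted in both directions"

if __name__ == "__main__":
    print(diagnose(ISAKMP_SAMPLE, IPSEC_SAMPLE, "192.0.2.10"))
```

On the constructed sample the verdict is the one-way case, which is exactly the symptom of a classroom firewall that was opened for UDP 500 but not for IP protocol 50.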
Telnetting to the Remote Terminal Server
Note Use "Ctrl+Shift+6 then x" to exit a console session.
Telnet carries the password in clear text; it is protected by the IPsec tunnel between the classroom router and the remote lab, but not on the classroom hub or wireless segment.
Lab Chapters 5 through 7
For labs in chapters 5 through 7, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 172.26.26.100, and student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 172.26.26.120.
Pods 1 through 5:
C:\> telnet 172.26.26.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
Pods 6 through 10:
C:\> telnet 172.26.26.120
User Access Verification
Password: cisco
RL-RMT2-CSVPN>
Lab Chapter 8
For the chapter 8 lab only, all students telnet to 192.168.1PP.100 (where PP = two-digit pod number, i.e., 01, 02, ..., 10).
C:\> telnet 192.168.1PP.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
(pods 1 through 5)
RL-RMT2-CSVPN>
(pods 6 through 10)
Lab Chapters 9 through 14
For labs in chapters 9 through 14, student pods 1 through 5 telnet to RL-RMT1-CSVPN and student pods 6 through 10 telnet to RL-RMT2-CSVPN, in both cases at IP address 10.0.P.100 (where P = pod number).
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
(pods 1 through 5)
RL-RMT2-CSVPN>
(pods 6 through 10)
[...]

CSVPN Individual Lab Settings and Changes

Peer Pods
The instructor must assign peer pods for labs that require pods to access each other. Pods 1 through 5 can only be peered with a pod between 6 and 10:
POD 1   POD 2   POD 3   POD 4   POD 5
POD 6   POD 7   POD 8   POD 9   POD 10

[Pages 11 through 26 (VPN Concentrator, Hardware Client, Router and PIX Initial Configurations, and the per-chapter settings for chapters 5 through 14) survive in this copy only as fragments; the recoverable text follows, with [...] marking each break.]

VPN Concentrator Initial Configurations
[...] appears when the reboot is completed.

Hardware Client Initial Configurations
The hardware clients are reset by the students as part of their lab activities. If you want, check that all hardware clients are reset before the class.
Note Pods 1 through 5 access their VPN concentrator console from RL-RMT1-CSVPN as follows:
RL-RMT1-CSVPN> cP (where P = pod number)
[...]

PIX Initial Configurations
Pods 1 through 5 access their PIX console from RL-RMT1-CSVPN as follows:
RL-RMT1-CSVPN> pP (where P = pod number)
Translating "pP"
Trying rP (10.91.91.1, 2033) Open
pixfirewall> enable
Password:
pixfirewall#
Pods 6 through 10 access their PIX console from RL-RMT2-CSVPN as follows:
RL-RMT2-CSVPN> pP (where P = pod number)
Translating "pP"
Trying rP (10.92.92.1, 2033) Open
pixfirewall> enable
Password:
pixfirewall#

Per-chapter lab settings (fragments of the parameter tables; P = pod number, Q = peer pod number)
Remote terminal server: pods 1-5 172.26.26.100, pods 6-10 172.26.26.120, subnet mask 255.255.255.0
Perimeter router: 192.168.P.1
Backbone router: 172.27.27.100 in one chapter's table, 172.26.26.100 in another
Certificate server: 172.27.27.51
Authentication server: 10.0.P.10
VPN 3000 public interface: 192.168.P.5 255.255.255.0; VPN 3000 private interface: 10.0.P.5 255.255.255.0
Peer VPN 3000 public interface: 192.168.Q.5
[...] secondary 172.27.27.P; Remote laptop primary 10.0.Q.8
Chapter 7 (Monitoring & Administration): 172.26.26.P NAT to 172.27.27.P; laptop PC with Cisco VPN Client; NT and TACACS+ server
Chapter 8 (VPN 3002 Hardware Client): hardware client at 192.168.1PP.2, VPN 3000 Concentrator at 192.168.2PP.2
Chapter 11 (IOS IPSec, pre-shared keys): R1 perimeter router e0/1 172.30.P.2/24, peer 172.30.Q.2/24; NT server (FTP, web) 10.0.P.9 on 10.0.P.0/24; remote access 172.26.26.50 NAT
Chapters 11 and 12 (Reload Default Configuration): Address of Remote Host and Configuration File rl-rPwofw.confg; this section appears at the end of the lab.
The Lab Visual Objective figures for chapters 6, 7, 8, 11, 12 and 13 are not recoverable from this copy.