Document: CSVPN Remote Lab Instructor Guide 1.0 (pptx)


CSVPN Remote Lab Instructor Guide 1.0
Copyright © 2001, Cisco Systems, Inc.

Table of Contents

Remote Lab Topology
    Remote Lab Description
    Local Classroom Description
Classroom Setup
    Equipment List
    Physical Connections
    Initial Student PC Configuration
    Classroom Router Configuration
Remote Lab Setup
    Establishing and Testing Connectivity to the Remote Lab
    Telneting to the Remote Terminal Server
    VPN Concentrator Initial Configurations
    Hardware Client Initial Configurations
    Router Initial Configurations
    PIX Initial Configurations
CSVPN Individual Lab Settings and Changes
    Peer Pods
    Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using Pre-Shared Keys
    Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates
    Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration
    Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access
    Chapter 9—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Pre-Shared Keys
    Chapter 10—Configure Cisco VPN 3000 Concentrators for LAN-to-LAN Using Digital Certificates
    Chapter 11—Configure Cisco IOS IPSec for Pre-Shared Keys
    Chapter 12—Configure Cisco IOS CA Support (RSA Signatures)
    Chapter 13—Configure PIX IPSec Pre-shared Keys
    Chapter 14—Configure PIX Firewall CA Support

Remote Lab Topology

The following is the network topology diagram for the CSVPN remote lab.

[Topology diagram, "CSVPN Remote Lab". Labels recoverable from the diagram: CLASSROOM, REMOTE LAB, HUB, RL-LCL, RL-PIX-CSVPN, RL-RBB-CSVPN, RL-RMT-CSVPN, RL-RMT1-CSVPN, RL-RMT2-CSVPN, CSACS DHCP, CA, WEB/FTP, PODS 1-5, PODS 6-10; networks 10.90.90.0, 10.91.91.0, 10.92.92.0, 172.26.26.0 (hosts .100, .120, .10, .50), 192.168.P.0, 10.0.P.0, 172.30.P.0, 192.168.1PP.0; per-pod devices pP, vP, rP, cP.]

Remote Lab Description

The remote lab is accessed via a PIX firewall, RL-PIX-CSVPN, reachable from the Internet. The trainer initiates an IPsec VPN tunnel terminating on RL-PIX-CSVPN. RL-PIX-CSVPN forwards all traffic to a Cisco 2621 router, RL-RMT-CSVPN, which routes traffic based on the source IP address to one of two routers, RL-RMT1-CSVPN or RL-RMT2-CSVPN. These routers perform NAT on the IP addresses and route the traffic to the appropriate student pod.

Local Classroom Description

The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the required applications used in the labs. Another PC running Windows 2000 Server is the CA server. All PCs are directly connected to a Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If using a Cisco FastHub 400, a Cisco 2611 router is connected to the hub. If using Cisco Aironet, the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet-accessible network.

Note: The classroom router will be initiating the IPsec VPN tunnel. UDP port 500 (ISAKMP) and IP protocol 50 (ESP) traffic must be allowed by the firewall at the classroom location. See Classroom Router Configuration later in this document.

Classroom Setup

This section covers the list of equipment and their physical connections, as well as the configuration of the student PCs and the classroom router that the Cisco Learning Partner is required to perform when teaching this course.

Equipment List

DESCRIPTION | MFR | PART NO. | QTY. | LIST PRICE / EACH
--- | --- | --- | --- | ---
Student Laptop/PC and CA Server | (varies) | | 11 | (varies)
• Windows 2000 Server | Microsoft | | 11 | (varies)
• Internet Explorer 5.5 | Microsoft | | 11 | (varies)
• Internet Information Services 5.0 | Microsoft | | 11 | (varies)
• Pentium III 800 MHz (or better) | Intel | | 11 | (varies)
• 256 MB RAM (or better) | (varies) | | 11 | (varies)
• 8 GB Hard Drive (or better), NTFS partitioned | (varies) | | 11 | (varies)
• CD-ROM/Floppy Drive | (varies) | | 11 | (varies)
• Aironet Adapter or 10/100 Ethernet NIC | (varies) | | 11 | (varies)
350 Series PC Card w/Integrated Diversity Antenna, 128-bit WEP | Cisco | AIR-PCM352 | 11 | 199
340 Series 11Mbps DSSS AP w/128-bit WEP and 2 Int. Ant. | Cisco | AIR-AP342E2C | 1 | 799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater | Cisco | WS-C412 | 1 | 895
Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software | Cisco | CISCO2611 | 1 | 2495
• IP SW 2600 SF26C - IP SOFTWARE | Cisco | IP SW 2600 SF26C | 1 | 0
• S26C-12205 Cisco 2600 Series IOS IP* | Cisco | S26C-12205T | 1 | 0
• 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-32U48D | 1 | 1000
• 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-8U16FS | 1 | 700

Note: * The Cisco 2611 router may be purchased with any zero-added-cost image and later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can be downloaded free of charge by Cisco Learning Partners through CCO.

Physical Connections

[Figure: "Connections with Aironet". Labels: student PCs 1 through 10, CA, Cisco 2611 with ETHERNET 0/0, ETHERNET 0/1 and CONSOLE, Internet.]
[Figure: "Connections with Hub". Labels: student PCs 1 through 10 and CA on FastHub 400 ports 1X through 12X, Cisco 2611 with ETHERNET 0/0, ETHERNET 0/1 and CONSOLE, Internet.]

Initial Student PC Configuration

    IP ADDRESS   172.27.27.P
    MASK         255.255.255.0
    GATEWAY      172.27.27.100

Classroom Router Configuration

You will need the following parameters from Cisco’s ILSG lab administrator before configuring the classroom router:

• RL-PIX-CSVPN IP ADDRESS (IPsec peer IP address)
• AUTHENTICATION KEY

Note: The classroom router is configured to get a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, a manually entered IP address and default route must be configured.

RL-LCL-2611 Configuration

    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname RL-LCL-2611
    !
    enable secret 5 <ENABLE PASSWORD>
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 11
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
    !
    crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
    !
    crypto map RL-MAP 22 ipsec-isakmp
     set peer <RL-PIX-CSVPN IP ADDRESS>
     set security-association lifetime seconds 86400
     set transform-set RL-TRANS
     set pfs group2
     match address TO-RMT
    !
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0 secondary
     ip address 10.1.2.1 255.255.255.0 secondary
     ip address 10.1.3.1 255.255.255.0 secondary
     ip address 10.1.4.1 255.255.255.0 secondary
     ip address 10.1.5.1 255.255.255.0 secondary
     ip address 10.1.6.1 255.255.255.0 secondary
     ip address 10.1.7.1 255.255.255.0 secondary
     ip address 10.1.8.1 255.255.255.0 secondary
     ip address 10.1.9.1 255.255.255.0 secondary
     ip address 10.1.10.1 255.255.255.0 secondary
     ip address 192.168.201.1 255.255.255.0 secondary
     ip address 192.168.202.1 255.255.255.0 secondary
     ip address 192.168.203.1 255.255.255.0 secondary
     ip address 192.168.204.1 255.255.255.0 secondary
     ip address 192.168.205.1 255.255.255.0 secondary
     ip address 192.168.206.1 255.255.255.0 secondary
     ip address 192.168.207.1 255.255.255.0 secondary
     ip address 192.168.208.1 255.255.255.0 secondary
     ip address 192.168.209.1 255.255.255.0 secondary
     ip address 192.168.210.1 255.255.255.0 secondary
     ip address 172.27.27.100 255.255.255.0
     no cdp enable
    !
    interface Ethernet0/1
     ip address dhcp
     no cdp enable
     crypto map RL-MAP
    !
    ip classless
    no ip http server
    !
    ip access-list extended TO-RMT
     permit ip 10.1.0.0 0.0.255.255 any
     permit ip 172.27.27.0 0.0.0.255 any
     permit ip 192.168.0.0 0.0.255.255 any
    no cdp run
    !
    line con 0
     transport input none
    line aux 0
    line vty 0 4
     password 7 120E5619050A0F176B
     login
    !
    end

Remote Lab Setup

This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before the beginning of class.

Establishing and Testing Connectivity to the Remote Lab

Perform the following procedures to establish and test connectivity to the remote lab.

From the console of your RL-LCL-2611 router:

Step 1  RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>

    If unsuccessful:
    • check physical Internet connectivity.
    • check the Ethernet link from RL-LCL-2611 to your Internet connection.
    • check the IP address received from DHCP:
        RL-LCL-2611# show ip interface brief ethernet0/1

Step 2  RL-LCL-2611> ping <RL-PIX-CSVPN IP ADDRESS>

    If unsuccessful:
    • check the default gateway setting on RL-LCL-2611:
        RL-LCL-2611# show ip route

From the Pod 1 student PC:

Step 3  C:\> ping 172.27.27.100

    If unsuccessful:
    • check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
    • check the Ethernet link from RL-LCL-2611 to the Aironet access point or hub.
    • check the IP address/netmask settings on the student PC.
    • check the Aironet configuration and range.
    • check the RL-LCL-2611 configuration.

Step 4  C:\> ping 10.90.90.1

    This initiates the VPN tunnel to the remote PIX. It will take a few ping tries before the VPN tunnel is established and the ping is successful.

    If unsuccessful:
    • ensure that you have given the router/PIX enough time to set up the VPN tunnel.
    • check the default gateway setting on the student PC.
    • check the ISAKMP settings on RL-LCL-2611:
        crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
    • check the IPsec settings on RL-LCL-2611:
        crypto map RL-MAP 22 ipsec-isakmp
         set peer <RL-PIX-CSVPN IP ADDRESS>
    • clear all security associations (SAs) on RL-LCL-2611:
        RL-LCL-2611# clear crypto sa

From each student PC (1 through 5):

Step 5  C:\> ping 172.26.26.100   (remote terminal server)

    If unsuccessful:
    • check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
    • check the IP address/netmask/default gateway settings on the student PC.
    • check the Aironet configuration and range.
    • check the RL-LCL-2611 configuration.

From each student PC (6 through 10):

Step 6  C:\> ping 172.26.26.120   (remote terminal server)

    If unsuccessful:
    • check the Aironet link or Ethernet link from the PC to the Aironet access point or hub.
    • check the IP address/netmask/default gateway settings on the student PC.
    • check the Aironet configuration and range.
    • check the RL-LCL-2611 configuration.
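A defender's first pass over the RL-LCL-2611 configuration is to read its IPsec parameters mechanically rather than by eye. The script below is an added example, not part of the guide or of Cisco's material: it parses the configuration (embedded here trimmed to the lines the audit needs, with the guide's angle-bracket placeholders kept as they are), extracts the IPsec peer, the crypto ACL's source networks and the interface the crypto map is bound to, and flags settings that present-day guidance considers weak (MD5, 3DES, DH group 2, type 7 line passwords), which postdates this 2001 guide. The parser only handles the IOS constructs this configuration uses.

```python
"""Audit the IPsec settings of a Cisco IOS configuration (added example).

SAMPLE_CONFIG is the guide's RL-LCL-2611 configuration trimmed to the lines
the audit reads; the <...> placeholders are the guide's own. Findings apply
present-day guidance (SHA-2, AES, DH group 14 or higher, no type 7 passwords).
"""
import ipaddress
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname RL-LCL-2611
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
crypto map RL-MAP 22 ipsec-isakmp
 set peer <RL-PIX-CSVPN IP ADDRESS>
 set security-association lifetime seconds 86400
 set transform-set RL-TRANS
 set pfs group2
 match address TO-RMT
interface Ethernet0/0
 ip address 172.27.27.100 255.255.255.0
interface Ethernet0/1
 ip address dhcp
 crypto map RL-MAP
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
line vty 0 4
 password 7 120E5619050A0F176B
 login
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an IOS config into {top-level line: [its indented child lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def acl_networks(sections: Dict[str, List[str]], acl: str) -> List[str]:
    """Source networks of 'permit ip <addr> <wildcard> any' entries, as CIDR strings."""
    nets = []
    for entry in sections.get(f"ip access-list extended {acl}", []):
        parts = entry.split()
        if len(parts) >= 4 and parts[:2] == ["permit", "ip"] and parts[2] != "any":
            # ipaddress accepts an IOS wildcard (hostmask) after the slash
            nets.append(str(ipaddress.ip_network(f"{parts[2]}/{parts[3]}")))
    return nets


def audit_ipsec(text: str) -> dict:
    sections = parse_sections(text)
    findings: List[str] = []
    report = {"peer": None, "acl": None, "acl_networks": [], "map_applied_on": [],
              "pfs": False, "findings": findings}
    for header, body in sections.items():
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in body:
                if line == "hash md5":
                    findings.append(f"{header}: hash md5 (deprecated; use sha256 or stronger)")
                if line in ("group 1", "group 2", "group 5"):
                    findings.append(f"{header}: DH {line} (weak; use group 14 or stronger)")
        elif header.startswith("crypto ipsec transform-set"):
            for algo in words[4:]:
                if "3des" in algo or algo.endswith("-des"):
                    findings.append(f"transform-set {words[3]}: {algo} (deprecated; use esp-aes)")
                if "md5" in algo:
                    findings.append(f"transform-set {words[3]}: {algo} (deprecated; use esp-sha256-hmac)")
        elif header.startswith("crypto map") and "ipsec-isakmp" in header:
            for line in body:
                if line.startswith("set peer "):
                    report["peer"] = line[len("set peer "):]
                elif line.startswith("match address "):
                    report["acl"] = line.split()[-1]
                elif line.startswith("set pfs"):
                    report["pfs"] = True
            if not report["pfs"]:
                findings.append(f"{header}: no 'set pfs' (child SAs not independently keyed)")
        elif header.startswith("interface ") and any(l.startswith("crypto map ") for l in body):
            report["map_applied_on"].append(words[1])
        elif header.startswith("line vty") and any(l.startswith("password 7 ") for l in body):
            findings.append(f"{header}: type 7 password (reversible encoding; use a secret or AAA)")
    if report["acl"]:
        report["acl_networks"] = acl_networks(sections, report["acl"])
        if not report["acl_networks"]:
            findings.append(f"crypto ACL {report['acl']} is missing or empty")
    if not report["map_applied_on"]:
        findings.append("crypto map is not applied to any interface")
    return report


def acl_covers(report: dict, cidr: str) -> bool:
    """True if some crypto-ACL network contains the given network."""
    target = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_network(n).supernet_of(target) for n in report["acl_networks"])


if __name__ == "__main__":
    for finding in audit_ipsec(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run against the embedded configuration, `audit_ipsec` reports five findings (MD5 and group 2 in the ISAKMP policy, 3DES and MD5 in the transform set, the type 7 vty password) and confirms that the crypto map is bound to Ethernet0/1, that PFS is set, and that the crypto ACL covers the student PC network 172.27.27.0/24 but not the remote terminal server network 172.26.26.0/24.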
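The six ping checks above are an ordered sequence with one step (the ping to 10.90.90.1) that is expected to fail a few times while the tunnel comes up. The Python below is an added example, not part of the guide: it encodes that sequence as a runbook that stops at the first failing step and reports where and what to check, with the retry budget only on the tunnel-establishing step. The `reachable` callable is injectable so the sequence can be exercised offline (the default shells out to the Linux `ping` command), and the gateway and PIX addresses passed in are constructed placeholders from the documentation ranges, not the lab's real values.

```python
"""Connectivity runbook for the CSVPN remote lab checks (added example, not from the guide)."""
import subprocess
from typing import Callable, Dict, List, Tuple

# (where the ping is issued, target, purpose, attempts). Only step 4 is retried,
# because the guide says the tunnel takes a few ping tries to come up.
Step = Tuple[str, str, str, int]


def terminal_server(pod: int) -> str:
    """Remote terminal server address for a pod (pods 1-5 and 6-10 differ)."""
    if not 1 <= pod <= 10:
        raise ValueError("pod must be between 1 and 10")
    return "172.26.26.100" if pod <= 5 else "172.26.26.120"


def build_steps(local_gateway: str, pix_address: str) -> List[Step]:
    return [
        ("RL-LCL-2611 console", local_gateway, "local default gateway", 1),
        ("RL-LCL-2611 console", pix_address, "RL-PIX-CSVPN, the IPsec peer", 1),
        ("pod 1 student PC", "172.27.27.100", "classroom router Ethernet0/0", 1),
        ("pod 1 student PC", "10.90.90.1", "remote PIX; initiates the VPN tunnel", 5),
        ("student PCs 1-5", terminal_server(1), "remote terminal server", 1),
        ("student PCs 6-10", terminal_server(6), "remote terminal server", 1),
    ]


def system_ping(host: str) -> bool:
    """One ICMP echo request with a 2 s timeout (Linux ping flags)."""
    result = subprocess.run(["ping", "-c", "1", "-W", "2", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def run_checks(local_gateway: str, pix_address: str,
               reachable: Callable[[str], bool] = system_ping) -> Dict:
    """Run the steps in order; stop at the first failure and say which step failed."""
    steps = build_steps(local_gateway, pix_address)
    for number, (where, target, purpose, attempts) in enumerate(steps, 1):
        # any() stops at the first successful attempt
        if not any(reachable(target) for _ in range(attempts)):
            return {"passed": number - 1, "failed_step": number,
                    "where": where, "target": target, "purpose": purpose}
    return {"passed": len(steps), "failed_step": None}


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET ranges), not the lab's real values.
    outcome = run_checks("198.51.100.1", "203.0.113.5")
    if outcome["failed_step"] is None:
        print("all connectivity checks passed")
    else:
        print(f"step {outcome['failed_step']} failed: from {outcome['where']} "
              f"ping {outcome['target']} ({outcome['purpose']})")
```

The failed step number maps directly onto the "If unsuccessful" lists above, so the instructor goes straight to the right checklist; a tunnel that never comes up shows as step 4 failing after all five attempts.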
Telneting to the Remote Terminal Server

Note: Use "CTRL+SHIFT+6 then X" to exit a console session.

Lab Chapters 5 through 7

For labs in chapters 5 through 8, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 172.26.26.100. Student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 172.26.26.120.

Pods 1 through 5:

    C:\> telnet 172.26.26.100
    User Access Verification
    Password: cisco
    RL-RMT1-CSVPN>

Pods 6 through 10:

    C:\> telnet 172.26.26.120
    User Access Verification
    Password: cisco
    RL-RMT2-CSVPN>

Lab Chapter 8

For lab chapter 8 ONLY, all students telnet to 192.168.1PP.100 (where PP = pod number, i.e., 01, 02, ..., 10).

    C:\> telnet 192.168.1PP.100
    User Access Verification
    Password: cisco
    RL-RMT1-CSVPN>   (pods 1 through 5)
    RL-RMT2-CSVPN>   (pods 6 through 10)

Lab Chapters 9 through 14

For labs in chapters 9 through 14, student pods 1 through 5 telnet to RL-RMT1-CSVPN at IP address 10.0.P.100. Student pods 6 through 10 telnet to RL-RMT2-CSVPN at IP address 10.0.P.100.

    C:\> telnet 10.0.P.100
    User Access Verification
    Password: cisco
    RL-RMT1-CSVPN>   (pods 1 through 5)
    RL-RMT2-CSVPN>   (pods 6 through 10)

[...]

CSVPN Individual Lab Settings and Changes

Peer Pods

The instructor must assign peer pods for labs that require pods to access each other. Pods 1 through 5 can only be peered with a pod between 6 and 10:

    POD 1   POD 2   POD 3   POD 4   POD 5
    POD 6   POD 7   POD 8   POD 9   POD 10

Chapter 5—Configure Cisco VPN 3000 Concentrator for Remote Access Using [...]
[The preview is truncated. The fragments below are all that the page carries of the remaining sections; [...] marks missing text.]

[...] appears when the reboot is completed.

Hardware Client Initial Configurations

The hardware clients are reset by the students as part of their lab activities. If you want, check that all hardware clients are reset before the class.

Note: Pods 1 through 5 access their VPN concentrator console from RL-RMT1-CSVPN as follows:

    RL-RMT-CSVPN1> cP   (where P = pod number) [...]

[...] RL-RMT1-CSVPN as follows:

    RL-RMT-CSVPN1> pP   (where P = pod number)
    Translating "pP"
    Trying rP (10.91.91.1, 2033) Open
    pixfirewall> enable
    Password:
    pixfirewall#

Pods 6 through 10 access their PIX console from RL-RMT2-CSVPN as follows:

    RL-RMT-CSVPN2> pP   (where P = pod number)
    Translating "pP"
    Trying rP (10.92.92.1, 2033) Open
    pixfirewall> enable
    Password:
    pixfirewall#

[...] Server: IP Address 10.0.P.10 [...]

    Parameter               IP Address                      Subnet Mask
    Remote terminal server  Pods 1-5: 172.26.26.100
                            Pods 6-10: 172.26.26.120
    Perimeter Router        192.168.P.1
    Backbone Router         172.27.27.100

Chapter 6—Configure the Cisco VPN 3000 Concentrator for Remote Access Using Digital Certificates

Chapter 6 Lab Visual Objective [figure; labels: Perimeter ...]

[...] Backbone router 172.26.26.100; Certificate server 172.27.27.51 [...]

Chapter 7—Cisco VPN 3000 Concentrator Monitoring & Administration

Chapter 7 Lab Visual Objective [figure; labels: Perimeter router, Backbone router, Internet, 172.26.26.P, NAT, VPN 3000 Concentrator, Remote Access, 172.27.27.P, Laptop PC with Cisco VPN Client, NT and TACACS+ server]

[...] Interface 192.168.P.5; Authentication Server IP Address 10.0.P.10 [...]

Chapter 8—Configuring Cisco VPN 3002 Hardware Client Remote Access

Chapter 8 Lab Visual Objective [figure; labels: Perimeter router, Backbone router, VPN 3002 Hardware Client, Internet, 192.168.1PP.2, Remote Access, NAT, VPN 3000 Concentrator, 192.168.2PP.2, Laptop PC, NT ...]

[...] secondary 172.27.27.P; Remote laptop primary 10.0.Q.8; VPN 3000 public interface 192.168.P.5 255.255.255.0; VPN 3000 private interface 10.0.P.5 255.255.255.0; Peer VPN 3000 public interface 192.168.Q.5; Remote terminal server Pods 1-5: 172.26.26.100 255.255.255.0, Pods 6-10: 172.26.26.120; Perimeter router 192.168.P.1 [...]

Chapter 10—Configure [...]

[...] Certificate Server IP Address 172.27.27.51 [...]

Chapter 11—Configure Cisco IOS IPSec for Pre-Shared Keys

Chapter 11 Lab Visual Objective [figure; labels: Pod 1, R1 perimeter router, e0/0, Pod 2, e0/1, 172.30.P.2 /24, 172.30.Q.2 /24, NT server: FTP, web, 10.0.P.0 /24, 10.0.P.9, Remote Access, 172.26.26.50, NAT, 10.0.Q.0 /24, 10.1.Q.9, NT1, NT server: ...]

[...] rl-rPwofw.confg; Reload Default Configuration * Address of Remote Host * (this section appears at the end of the lab); Reload Default Configuration * Configuration File * (this section appears at the end of the lab)

Chapter 12—Configure Cisco IOS CA Support (RSA Signatures)

Chapter 12 Lab Visual Objective [figure; labels: Pod 1, Pod 2, Internet, R1 perimeter ...]

[...] rl-rPwofw.confg; Reload Default Configuration * Address of Remote Host * (this section appears at the end of the lab); Reload Default Configuration * Configuration File * (this section appears at the end of the lab)

Chapter 13—Configure PIX IPSec Pre-shared Keys

Chapter 13 Lab Visual Objective [figure; labels: Pod 1, Pod 2, Internet, R1 Perimeter router ...]

Posted: 18/01/2014, 05:20
