
wiley nortel guide to vpn routing for security and voip part 8 ppsx


DOCUMENT INFORMATION

Basic information

Format
Number of pages 77
File size 6.9 MB

Content

12. On the PC, enter the network setting of the internal network card for an IP address that is on the 10.10.0.0 network with a subnet mask of 255.255.255.0 and a default gateway set to 10.10.0.1. Save the network settings.
13. Using the Ethernet crossover cable, or the hub and Ethernet patch cables, connect the PC to the Private LAN of the Nortel VPN Router.
14. Ping the Management IP Address of 8.8.8.8. If ping replies are received, continue with the lab. If not, verify the settings of the previous steps and continue with the lab.
15. On the PC, launch a browser window and HTTP to 8.8.8.8.
16. At the Management screen, select PROFILES → USERS to configure a user with management rights on the Nortel VPN Router with a statically assigned IP address of 10.10.0.20. If you are unfamiliar with how to accomplish this, the following lab covers configuring a user tunnel for managing the Nortel VPN Router.
17. After the user has been created, log off the Nortel VPN Router and disconnect your PC from the Nortel VPN Router.
18. Using the same cabling arrangement that was used to connect to the Private LAN, connect to the Public LAN of the Nortel VPN Router.
19. On the PC, set the network settings on the internal network card to have an IP address of 100.100.100.200 with a subnet mask of 255.255.255.0 and a default gateway of 100.100.100.100. Save the network settings.
20. From the PC, ping the Public LAN interface at 100.100.100.100. If ping replies are received, continue with the lab. If no ping replies are received, verify the settings on the PC and, if they appear correct, verify the Nortel VPN Router Public LAN settings with the use of the console cable and the HyperTerminal program.
21. On the PC, launch the Nortel VPN Client application. Configure a Connection name, add the User Name and Password for the user with administrator rights that was previously configured, and enter the Destination address of 100.100.100.100.
22. On the Nortel VPN Client dialog window, click the Connect button. A dialog to save the configuration will appear. Click the Yes button to proceed with the client connection to the Nortel VPN Router.
23. The client should successfully connect to the Nortel VPN Router with a Nortel VPN Client icon appearing in the system tray of Windows.
24. Open a Command/DOS window and type the command ipconfig. Within the DOS window, the settings for the virtual NIC used for the Nortel User connection should have the IP address of 10.10.0.20, which was statically assigned to that user.

504 Chapter 11 14_781274 ch11.qxp 6/22/06 12:23 AM Page 504

25. Launch a browser window and HTTP to 8.8.8.8. Verify that the Nortel VPN Router Management screen appears. Log in with the user that was created with the management rights. For the purposes of this lab, it will be the same user that was used to connect with the Nortel VPN Client. However, any user with administrator rights may be used, including the primary administrator user ID and password. Verify that the user is able to navigate the different configuration screens without a denial.
26. If the user is capable of navigating the configuration screens without being denied, then this will conclude this lab. If the user has an issue, then log in with an administrator user ID and password, which will be used to verify this user’s profile to ensure that administrator privileges have been granted to that user.

Lab Summary

This lab showed how a CLIP address may be assigned to the Management Interface. Although the unit is not bound to any physical interface, the administrators of the Nortel VPN Router are still able to manage the unit. Although it was not mentioned within the context of this lab, there are obvious routing and networking considerations that would come into play in order for the administrators remote from the unit to manage the unit.

Using the example of this lab, you can see that if an administrator on a remote network needed to manage this particular Nortel VPN Router, then the management session would need to be capable of being routed to the management address of 8.8.8.8. However, an administrator would be capable of using the Nortel VPN Client to manage the unit from anywhere, as long as the administrator is able to establish a successful user tunnel to the Nortel VPN Router.

Configuring Administrator User Tunnels

Administrators of the Nortel VPN Router require the ability to manage the unit in a number of ways. This lab covers the use of the Nortel VPN Client to allow remote user administrators to configure, control, and manage the unit. Administrators may be given only certain privileges, depending upon their level of responsibility for the unit. Where applicable throughout this lab, discussion of privilege options will be noted.

Lab Requirements

■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Serial console cable for the Nortel VPN Router being used for this lab
■■ Crossover Ethernet cable, or hub and patch Ethernet cables

VPN Router Administration Lab Exercises 505 14_781274 ch11.qxp 6/22/06 12:23 AM Page 505

■■ Windows-based PC with HyperTerminal and the Nortel VPN Client loaded
■■ Pencil and paper for notes

Lab Setup

For the purposes of this lab, assume that the Nortel VPN Router has been previously configured with the following settings:

■■ Private LAN IP address of 10.10.0.10 with a 255.255.255.0 subnet mask and Speed/Duplex set to AutoNegotiate
■■ Public LAN IP address of 100.100.100.100 with a 255.255.255.0 subnet mask and Speed/Duplex set to AutoNegotiate
■■ Management Interface IP address set to 8.8.8.8

1. If the Nortel VPN Router has not been previously set to these addresses, then with the use of the console cable and the administrator’s user ID and password, set the interfaces with these values.
2. Set the Windows-based PC network settings to have an IP address of 10.10.0.20 with a subnet mask of 255.255.255.0, and with the default gateway set to 10.10.0.10. Save the network settings.
3. Connect the PC to the Private LAN Interface of the Nortel VPN Router using either Ethernet crossover cable, or hub and Ethernet patch cables.
4. From the PC, ping the Management Interface IP address at 8.8.8.8. If ping replies are received, continue with the lab. If no ping replies are received, go back to verify settings on the PC and then the Nortel VPN Router.
5. From the Windows-based PC, launch a browser and HTTP to 8.8.8.8.
6. On the Nortel VPN Router Management screen, click the Manage Switch link and use either the default user ID of admin and the password of setup, or another administrator user ID/password combination that has full management privileges on the Nortel VPN Router.
7. From the main menu, select PROFILES → GROUPS to display the Groups configuration screen. Click the Add button to add a new group. At the Add screen for group, add a Group Name of Admins and leave the Parent Group at /Base. Click the OK button, which will return you to the Groups configuration screen.
8. Select PROFILES → USERS to display the User Management screen. On Group, click the down arrow to select the group /Base/Admins and click the Add User button to display the Add User configuration screen.
9. To add a new group, perform the following:
    a. Add a First and Last Name in the supplied boxes (for example, First Name = NVR Last Name = Admin_user).
    b. Ensure that the group /Base/Admins is displayed. If not, then it may once again be selected by clicking the down arrow.
    c. In the Remote User area, add a Static IP Address of 10.10.0.30 and a Static Subnet Mask of 255.255.255.0.
NOTE This address may be dynamically assigned if an address pool has been defined or if DHCP has been configured to allocate addresses for user tunnels. For the purposes of this lab, the User Tunnel address is statically assigned.

    d. In the User Accounts area for an IPSec user, enter the user ID of NVR_Admin and, for the purposes of this lab, a password of 12345678. Re-enter the password in Confirm Password.

NOTE The User Accounts area provides for the addition of users with different tunneling clients if needed or desired. For this lab, because the Nortel VPN Client will be used to establish the user tunnel, utilize the IPSec User Account.

    e. Because the user being created will be utilizing local authentication (Internal LDAP), scroll past the various authentication methods to the Administration Privileges area. In the Administrative Authentication Method, ensure that the radio button for Local Authentication is selected.
    f. In the Admin area, add the User ID NVR_Admin with a password of 12345678 and re-enter the password in the Confirm Password box.
    g. In the /admin Rights area for Manage Switch, click the down arrow and select Manage. For Manage Users, click the down arrow and select Manage.

NOTE Administrators may be given different levels of responsibility. It is possible to limit the abilities of administrators, from only being able to view different screens of the Nortel VPN Router without the ability to change any parameters to full management rights to change a wide range of configurations with the right to add and delete users. However, there are a few rights that are permitted to be exercised only by the Primary Administrator of the Nortel VPN Router. For the purpose of this lab, the administrator has been given a wide range of management rights on the Nortel VPN Router.

    h. Click OK to accept the parameters set for this user. The User Management screen will be displayed with a banner at the top that the user has been successfully created. If there is an error in a parameter, the banner lists the reason for the exception. Correct any errors and click on the OK button until the user has been correctly added.
10. With the administrator user created, close down the browser and move the PC connection from the Private LAN Interface to the Public LAN Interface.
11. Reconfigure the PC network settings to have an IP address of 100.100.100.200 with a subnet mask of 255.255.255.0 and a default gateway of 100.100.100.100.
12. On the Windows-based PC, launch the Nortel VPN Client and set the Connection to Lab Setup; enter the username NVR_Admin and a password of 12345678. Enter the destination of the Nortel VPN Router Public LAN Interface IP address of 100.100.100.100. Click the Connect button. A dialog box appears asking if you want to save changes to the current connection. Click Yes to establish a user tunnel to the Nortel VPN Router.
13. If the connection attempt is successful and the user tunnel is established, the Nortel VPN Client icon will appear in the system tray. Continue with the lab with a successful tunnel connection. If the tunnel fails to establish, verify that the settings on the client match the settings that were configured for this user. Repeat the preceding steps until a successful user tunnel has been established.
14. With the user tunnel established, launch a Command/DOS window and enter the command ipconfig. Notice that the Nortel VPN Client virtual Network Interface Card is displaying the address of 10.10.0.30.
15. Launch a browser and HTTP to 8.8.8.8. The Nortel VPN Router management screen will be displayed. Click the Manage Switch link and enter the user ID NVR_Admin and the password 12345678 to log in to the Nortel VPN Router.
16. Navigate through a few configuration screens to ensure that you are able to navigate the menu system without restriction.
NOTE Although this administrative user has been given full rights, restrictions are placed on that user by the fact that a user tunnel is being utilized to manage the Nortel VPN Router. To have full access to all management functions on the Nortel VPN Router, you must add a tunnel filter in this user’s group settings to allow for functions such as Telnet and FTP.

17. From the main menu, select PROFILES → FILTERS to display the Filters configuration screen. In the Current Contivity Tunnel Filters area (see Figure 11-27), add the name NVR_Admin in the box adjacent to the Create button and click the Create button after the name has been entered.

Figure 11-27: The filters configuration screen

18. The Tunnel Filters Edit screen will be displayed for the Tunnel Filter Set: NVR_Admin. From the Available Rules, select “permit all/in” and click the double left arrow button to move the rule to the Rules in Set column. Do this also for the “permit all/out” rule. Notice the Allow Management Traffic area is divided into a “For these Local Services” grouping and a “For these Remote Servers” grouping. Select the following by checking the appropriate check box:
    ■■ HTTP: Allow the management of the Nortel VPN Router using the GUI screen.
    ■■ SNMP: Allow SNMP gets from the Nortel VPN Router, which may be used to monitor the operation of the unit.
    ■■ FTP: Allow the movement of files to and from the Nortel VPN Router with the use of an FTP client.
    ■■ Telnet: Allow the ability to Telnet to the Management Interface to perform Command Line Interface (CLI) commands on the unit.
    ■■ PING: Allow the pinging of the Management Interface to receive ping echo replies.
    In the “For these Servers” area, check the FTP check box. This permits the fetching of VPN Router code upgrades from the tunneled PC while it is running an FTP server. Although this may be accomplished in this manner, it is more efficient to perform upgrades to the Nortel VPN Router from an FTP server that is located on the local Private LAN.
19. Once the filter is configured as shown in Figure 11-28, click OK at the bottom of the screen to accept these settings and return to the Filters configuration screen. The NVR_Admin filter should now be displayed in the Current Contivity Tunnel Filters selection box.

Figure 11-28: Verifying the filter via the Tunnel Filters edit screen

20. From the main menu, select PROFILES → GROUPS to display the Groups configuration screen. Click the Edit button for the group /Base/Admins to display the Groups Edit configuration screen.
21. In the Connectivity area, click the Configure button to open this section for modification.
22. Scroll down to the Filters line and click its Configure button, which will cause the Groups Edit Connectivity screen to refresh.
23. Once again, scroll down to the Filters line and notice that there is a filters selection drop-down menu displayed. Click the down arrow and select the NVR_Admin filter set.
24. Scroll to the bottom of the screen and click OK to display the Groups Edit screen.
25. Scroll to the bottom of the screen and click the Close button to return to the Groups selection screen. This completes the filter configuration and applies it to the appropriate group. However, because this tunnel is established already, the filters have not been applied to this particular tunnel. Close the browser window and disconnect from the Nortel VPN Router by clicking the Nortel VPN Client icon to display the client status window and by clicking the Disconnect button.
26. Once the user tunnel has been totally disconnected, launch the Nortel VPN Client again to establish a new tunnel to the Nortel VPN Router.
27. Once the tunnel is established, launch a browser window and HTTP to the Management Interface IP address of 8.8.8.8. Log in using the NVR_Admin user ID and the password 12345678.
28. Verify that it is possible to navigate the different configuration screens.
29. Open a Command/DOS window and Telnet to 8.8.8.8. A login prompt is presented. Log in using the NVR_Admin user ID and the password 12345678. On successful login, a command-line prompt will be displayed. Issue a dir command to display the directory structure of the Nortel VPN Router.
30. Open another Command/DOS window and FTP to 8.8.8.8. A login screen is presented. Log in using NVR_Admin with the password 12345678. On successful login an ftp prompt will be displayed. Issue a dir command to display the directory structure of the Nortel VPN Router.

NOTE Each service that is called performs a login query. Each service is capable of being run simultaneously with the other services. This capability is essential for the ongoing maintenance and service of the Nortel VPN Router.

31. This concludes this lab. We recommend (and encourage) that you further explore the capabilities that are granted to an administrator to develop the required profiles for users who will be responsible for the administering of the Nortel VPN Router.

Lab Summary

In this lab, an administrator user was created and the different capabilities provided to that administrator were discussed. In creating this user, we touched upon the use and configuration of group settings and tunnel filters. Administrative users with the proper privileges are essential in the maintenance and ongoing support of the Nortel VPN Router. Careful consideration of the capability granted to users is required. Within the scope of this lab, however, not all possible combinations of administrative capabilities were explored. We encourage you to examine and carefully plan the levels of administrator involvement upon completion of this lab.
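The verification in steps 25 to 30 of the administrator tunnel lab can be scripted from the tunneled PC. The following is an added example, not code from the book or from Nortel: it compares the services the NVR_Admin tunnel filter is meant to allow with what answers on the Management Interface, before and after the tunnel is re-established. The TCP port numbers are assumed to be the standard ones, and the function names are hypothetical.

```python
"""Check which management services answer on the Management Interface (added example)."""
import socket

MGMT_IP = "8.8.8.8"  # the lab's Management Interface address
# Assumption: the router's services listen on the standard TCP ports.
TCP_SERVICES = {"HTTP": 80, "Telnet": 23, "FTP": 21}
# SNMP (UDP) and PING (ICMP) are also in the filter set but are not TCP-probed here.


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def snapshot(probe=tcp_probe, host: str = MGMT_IP) -> dict:
    """Reachability of each TCP management service, e.g. {"HTTP": True, ...}."""
    return {name: probe(host, port) for name, port in TCP_SERVICES.items()}


def audit(allowed: set, observed: dict) -> dict:
    """Compare what the tunnel filter is meant to allow with what answered."""
    result = {}
    for name, reachable in observed.items():
        if name in allowed:
            # Allowed but silent usually means the tunnel predates the filter.
            result[name] = "ok" if reachable else "blocked-reconnect-tunnel"
        else:
            result[name] = "exposed-tighten-filter" if reachable else "ok-closed"
    return result


def changed(before: dict, after: dict) -> list:
    """Services whose reachability differs between two snapshots."""
    return sorted(n for n in before if before[n] != after[n])


if __name__ == "__main__":
    intended = {"HTTP", "Telnet", "FTP"}      # boxes checked in step 18
    before = snapshot()                        # run inside the old tunnel
    input("Disconnect and reconnect the VPN client, then press Enter ")
    after = snapshot()
    print("changed by reconnect:", changed(before, after))
    for service, status in audit(intended, after).items():
        print(f"{service:7} {status}")
```

A service reported as exposed-tighten-filter is reachable through the tunnel although it was not among the intended ones, which is the case to look for when administrators are given narrower filter sets than the one in this lab.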
Configuring Syslog Server

The Nortel VPN Router has local logging on the unit that may be viewed and used to monitor different aspects on the Nortel VPN Router, such as events in the security and configuration of the Nortel VPN Router. However, because these logs utilize local storage, they are limited in their ability to store historical data, which, in certain organizations, is recorded and archived for extensive periods of time. You can take advantage of the Nortel VPN Router’s logging ability and monitor storage of those logs over long periods of time by using an external Syslog server. This lab covers the simple configuration and discusses some points of logging on the Nortel VPN Router at the same time.

Lab Requirements

■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Crossover Ethernet cable, or hub and patch Ethernet cables
■■ Windows-based PC with Syslog server program
■■ Windows-based PC with browser software
■■ Network diagram (see Figure 11-29)
■■ Pencil and paper for notes

Figure 11-29: The Syslog configuration lab diagram (Syslog Server 10.10.0.51 and Configuration PC 10.10.0.30 on the Private LAN; Private LAN Interface 10.10.0.10; Management Interface 8.8.8.8)

Lab Setup

For purposes of this lab, it is assumed that the Nortel VPN Router has been previously configured with the following IP addresses:

■■ Private LAN Interface 10.10.0.10 with a subnet mask of 255.255.255.0
■■ Management IP address of 8.8.8.8

1. The Windows-based PC used for the configuration of the Nortel VPN Router should have its network interface set to an IP address of 10.10.0.30 with a subnet mask of 255.255.255.0, and a default gateway set to 10.10.0.10. The Syslog server does not necessarily have to be another PC. It can be combined within the same PC that is being used to configure the Nortel VPN Router. However, for this lab, it is another standalone PC that has its network interface configured with an IP address of 10.10.0.51 with a subnet mask of 255.255.255.0 and a default gateway set to 10.10.0.10.
2. Ensure that the network is connected as shown on the network diagram illustrated in Figure 11-29.
3. At the PC being used to configure the Nortel VPN Router, launch a browser window and HTTP to 8.8.8.8.
4. Click the Manage Switch link and log in using an administrator’s user ID and password.
5. On the main menu, select SERVICES → SYSLOG to display the Syslog Forwarding configuration screen, as shown in Figure 11-30.
6. Enter the IP address of the Syslog server in the Host Name or IP Address field and click the Enabled check box.
7. Filter Level is by default set to All. Click the down arrow and notice that there are different levels of severity that may be selected. For the purposes of this lab, leave it set to All.

Figure 11-30: The Syslog Forwarding configuration screen

[...]
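For the receiving side of the Syslog forwarding configured in steps 5 to 7, here is an added example (not from the book, and not the Syslog server program the lab uses) of a small collector for the 10.10.0.51 host: it decodes the RFC 3164 priority into facility and severity, applies a severity threshold, and writes daily archive lines. It assumes the router sends standard RFC 3164 datagrams from 10.10.0.10 or 8.8.8.8 and that a severity threshold is a fair analogue of the router's Filter Level; the sample datagrams are constructed.

```python
"""UDP syslog collector sketch for the lab's 10.10.0.51 host (added example)."""
import re
import socketserver
from datetime import datetime, timezone

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumption: the router sends from its Private LAN or Management address.
ALLOWED_SOURCES = {"10.10.0.10", "8.8.8.8"}
# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss host message (header part is optional).
_RFC3164 = re.compile(
    rb"^<(\d{1,3})>(?:([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) )?(.*)$", re.S)


def parse(datagram: bytes, source_ip: str) -> dict:
    """Decode one datagram; malformed input is flagged, not discarded."""
    m = _RFC3164.match(datagram.strip())
    if not m or int(m.group(1)) > 191:  # PRI = facility*8 + severity, max 23*8+7
        return {"source": source_ip, "valid": False, "severity": None,
                "message": datagram.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"source": source_ip, "valid": True,
            "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "timestamp": (m.group(2) or b"").decode() or None,
            "host": (m.group(3) or b"").decode() or None,
            "message": m.group(4).decode("utf-8", "replace")}


def accept(record: dict, min_severity: str = "debug") -> bool:
    """Keep records from known senders at or above min_severity."""
    if record["source"] not in ALLOWED_SOURCES:
        return False  # UDP syslog is unauthenticated: ignore unexpected senders
    if not record["valid"]:
        return True   # keep unparseable lines from known devices for review
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(min_severity)


def archive_line(record: dict, received: datetime) -> tuple:
    """Daily file name and line, stamped with collector time because
    RFC 3164 timestamps carry no year or time zone."""
    # Escape CR/LF so one datagram cannot forge extra lines in the archive.
    msg = record["message"].replace("\r", "\\r").replace("\n", "\\n")
    sev = record["severity"] or "unparsed"
    return (f"syslog-{received:%Y-%m-%d}.log",
            f"{received.isoformat()} {record['source']} {sev} {msg}")


def process(samples, min_severity: str, received: datetime) -> list:
    """Parse, filter and format (datagram, sender) pairs without touching disk."""
    records = (parse(data, ip) for data, ip in samples)
    return [archive_line(r, received) for r in records if accept(r, min_severity)]


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # UDP: (payload, socket)
        rec = parse(data, self.client_address[0])
        if accept(rec, self.server.min_severity):
            name, line = archive_line(rec, datetime.now(timezone.utc))
            with open(name, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")


def serve(bind_ip="10.10.0.51", port=514, min_severity="debug"):
    """Listen on the lab's Syslog server address (port 514 needs privileges)."""
    with socketserver.UDPServer((bind_ip, port), Handler) as srv:
        srv.min_severity = min_severity
        srv.serve_forever()


SAMPLES = [  # constructed RFC 3164 datagrams, not captured router output
    (b"<134>Jun 22 00:23:01 nvr-lab Security: admin login ok", "10.10.0.10"),
    (b"<131>Jun 22 00:23:05 nvr-lab Config: save failed", "10.10.0.10"),
    (b"<134>Jun 22 00:23:09 nvr-lab Security: injected", "10.10.0.99"),
    (b"no priority header", "8.8.8.8"),
]

if __name__ == "__main__":
    for name, line in process(SAMPLES, "err", datetime.now(timezone.utc)):
        print(name, line)
```

Leaving the router's Filter Level at All and thresholding on the collector keeps the full record available for archiving while still allowing a quieter view for day-to-day monitoring.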
... Log in to the Nortel VPN Router using an administrator’s user ID and password.
3. At the main menu, select SERVERS → USER IP ADDR to display the Remote User IP Address Pool, which is shown in Figure 11-33.
4. Select the Radio button for Address Pool.
5. To add an address pool, click the Add button to display the ...

... to 10.10.0.10.
2. On the PC being used for the configuration of the Nortel VPN Router, launch a browser and HTTP to 8.8.8.8. Log in to the Nortel VPN Router using an administrator’s user ID and password.
3. At the main menu, select SERVERS → USER IP ADDR to display the Remote User IP Address Pool configuration screen.
4. Select the Radio button for Address Pool.
5. To add an address pool, click the Add button ...

... button is selected and click OK at the bottom of the screen. This concludes configuration of the Nortel VPN Router for allocating IP addresses to user tunnels.
14. If no users are currently configured on the Nortel VPN Router, configure one to test the ability of the Nortel VPN Router to allocate an address to the connecting user tunnel.
15. Connect a Windows-based PC with the Nortel VPN Client installed to ...

... and repeat until the connection provides the desired result.
31. Once a successful connection is made and the assigned IP address is in the range of the addresses allocated by the address pool, return to the PC that is being used to configure the Nortel VPN Router.
32. Launch a browser window and HTTP to 8.8.8.8.
33. Click on the Manage Switch link and log in to the Nortel VPN Router using an administrator’s ...

... they connect to the Nortel VPN Router. If the Nortel VPN Router has many users that would tunnel to it in a relatively short time, then a number higher than 1 would allow the Nortel VPN Router to make fewer requests to the DHCP for addresses it will allocate out to user tunnels. For purposes of this lab, set this value to 1. There is a balance to the value that would be inserted in this field. Too high of ...

... software should be able to record and display the logs generated by the Nortel VPN Router.

Lab Summary

In this lab, you configured an external Syslog server for use in recording system logging information from the Nortel VPN Router. The external Syslog server will allow for the storage and archiving of all system logs reported to it from the Nortel VPN Router. Also, this ...

... configuration of the Nortel VPN Router for creating a named IP address pool to allocate IP addresses to user tunnels.
14. If no users are currently configured on the Nortel VPN Router, configure one to test the ability of the Nortel VPN Router to allocate an address to the connecting user tunnel.
15. After the user is created and assigned to a group, the group must be configured to use the newly ...

... set to 10.10.0.10 with a subnet of 255.255.255.0
■■ Public LAN Interface address is set to 100.100.100.100 with a subnet of 255.255.255.0
■■ The Management Interface IP address is set to 8.8.8.8
1. On the PC setup to perform the Nortel VPN Router configuration, set the internal Network Interface Card to the IP address of 10.10.0.20 with a subnet mask set to 255.255.255.0 and the default gateway set to ...

Date posted: 14/08/2014, 14:21
