CSPFA Remote Lab
Instructor Guide 2.0
Table of Contents
NETWORK TOPOLOGY 2
Remote Lab Description 2
Local Classroom Description 2
CLASSROOM SETUP 4
Equipment List 4
Physical Connections 5
Initial student PC Configuration 5
Classroom Router Configuration 6
REMOTE LAB SETUP 8
Establishing and Testing Connectivity to the Remote Lab 8
Telneting to the Remote Terminal Server 9
PIX Initial Configurations 10
Router Initial Configurations 10
Turning Secondary PIXen On and Off 12
CSPFA LAB SETTINGS AND CHANGES 17
Peer Pods 17
Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands 17
Chapter 6—Configuring Access Through the PIX Firewall 18
Chapter 7—Configure Inside Multiple Interfaces 18
Chapter 8—Configure the PIX Firewall’s DHCP Server and Client Features 19
Chapter 9—Configuring Syslog 20
Chapter 10—Configure ACLs in the PIX Firewall 20
Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall 21
Chapter 12—Configure the PIX Firewall to Use IDS Signatures 21
Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT 22
Chapter 14—Failover 23
Chapter 15—Configure PIX Firewall VPNs 24
Chapter 16—Upgrade the PIX Firewall Image 26
Chapter 17—Configuring the PIX Firewall with PDM 27
Chapter 18—Configure CBAC on a Cisco Router 28
Chapter 19—Configure Authentication Proxy on a Cisco Router 29
2 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc.
Network Topology
The following is the network topology diagram for the CSPFA remote lab.
[Figure: CSPFA Remote Lab network topology. CLASSROOM side: student PCs in pods 1 through 10 on 10.1.1.X through 10.1.10.X (172.27.27.1 through 172.27.27.10 also shown), classroom router RL-LCL. REMOTE LAB side: RL-PIX-CSPFA, RL-RMT-CSPFA, RL-RBB-CSPFA, RL-RMT1-CSPFA, RL-RMT2-CSPFA, a hub, and terminal server RL-RTS-CSPFA (.100 on each 10.0.P.0 network, .150 on 172.26.26.0); CSACS/DHCP server (.10) and WEB/FTP server (.50) on 172.26.26.0; per-pod router rP and PIX consoles pPp and pPs on 192.168.P.0, 10.0.P.0, 172.30.P.0, 172.16.P.0 and 172.17.P.0; backbone links 10.90.90.0, 10.91.91.0, 10.92.92.0, 10.93.93.0 and 172.26.26.0.]
Remote Lab Description
The remote lab is accessed via a PIX firewall, RL-PIX-CSPFA, from the Internet.
The trainer will initiate an IPsec VPN tunnel terminating on RL-PIX-CSPFA. RL-
PIX-CSPFA forwards all traffic to a router, RL-RMT-CSPFA, which routes traffic
based on the source IP address to one of three routers, RL-RMT1-CSPFA, RL-
RMT2-CSPFA, or RL-RTS-CSPFA. These routers will perform IP address
NATing and route the traffic to the necessary student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000
Server and all the required applications used in the labs. Another PC running
Windows 2000 Server will be the CA server. All PCs are directly connected to a
Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If using
a Cisco FastHub 400, a Cisco 2611 router is connected to the hub. If using Cisco
Aironet, then the Aironet access point is connected to the Cisco 2611 router. In
either case, the other interface of the Cisco 2611 router is connected to an Internet
accessible network.
Note THE CLASSROOM ROUTER WILL BE INITIATING THE IPSEC VPN TUNNEL.
UDP PORT 500 (ISAKMP) AND IP PROTOCOL 50 (ESP) TRAFFIC MUST BE
ALLOWED BY THE FIREWALL AT THE CLASSROOM LOCATION. SEE
CLASSROOM ROUTER CONFIGURATION LATER IN THIS DOCUMENT.
Classroom Setup
This section covers the list of equipment and their physical connections as well as
the configuration of student PCs and the classroom router that the Cisco Learning
Partner will be required to perform when teaching this course.
Equipment List
DESCRIPTION | MFR | PART NO. | QTY. | LIST PRICE/EACH
Student Laptop/PC and CA Server | (varies) | | 11 | (varies)
  • Windows 2000 Server | Microsoft | | 11 | (varies)
  • Internet Explorer 5.5 | Microsoft | | 11 | (varies)
  • Internet Information Services 5.0 | Microsoft | | 11 | (varies)
  • Pentium III 800 MHz (or better) | Intel | | 11 | (varies)
  • 256 MB RAM (or better) | (varies) | | 11 | (varies)
  • 8 GB Hard Drive (or better), NTFS partitioned | (varies) | | 11 | (varies)
  • CD-ROM/Floppy Drive | (varies) | | 11 | (varies)
  • Aironet Adapter or 10/100 Ethernet NIC | (varies) | | 11 | (varies)
350 Series PC Card w/Integrated Diversity Antenna, 128-bit WEP | Cisco | AIR-PCM352 | 11 | 199
340 Series 11Mbps DSSS AP w/128-bit WEP and 2 Int. Ant. | Cisco | AIR-AP342E2C | 1 | 799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater | Cisco | WS-C412 | 1 | 895
Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software | Cisco | CISCO2611 | 1 | 2495
  • IP SW 2600 SF26C - IP SOFTWARE | Cisco | IP SW 2600 SF26C | 1 | 0
  • S26C-12205 Cisco 2600 Series IOS IP* | Cisco | S26C-12205T | 1 | 0
  • 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-32U48D | 1 | 1000
  • 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series | Cisco | MEM2600-8U16FS | 1 | 700
Note * The Cisco 2611 router may be purchased with any zero added cost image and be
later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can
be downloaded free of charge by Cisco Learning Partners through CCO.
Physical Connections
[Figure: Connections with Aironet. Student PCs 1 through 10 associate with the Aironet access point, which connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 of the Cisco 2611 connects to the Internet; the router console port is also shown.]
[Figure: Connections with Hub. Student PCs 1 through 10 connect to the FastHub 400 (ports 1X through 12X), which connects to Ethernet 0/0 of the Cisco 2611; Ethernet 0/1 of the Cisco 2611 connects to the Internet; the router console port is also shown.]
Initial student PC Configuration
IP ADDRESS 10.1.P.3
MASK 255.255.255.0
GATEWAY 10.1.P.1
Classroom Router Configuration
You will need the following parameters from Cisco’s ILSG lab administrator
before configuring the classroom router:
RL-PIX-CSPFA IP ADDRESS (IPsec peer IP address)
AUTHENTICATION KEY
Note The classroom router is configured to get a DHCP address, including a default
route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your
location, a manually entered IP address and default route must be configured instead.
RL-LCL-2611 Configuration
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
enable secret 5 <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
hash md5
authentication pre-share
group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSPFA IP ADDRESS>
set security-association lifetime seconds 86400
set transform-set RL-TRANS
set pfs group2
match address TO-RMT
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.2.1 255.255.255.0 secondary
ip address 10.1.3.1 255.255.255.0 secondary
ip address 10.1.4.1 255.255.255.0 secondary
ip address 10.1.5.1 255.255.255.0 secondary
ip address 10.1.6.1 255.255.255.0 secondary
ip address 10.1.7.1 255.255.255.0 secondary
ip address 10.1.8.1 255.255.255.0 secondary
ip address 10.1.9.1 255.255.255.0 secondary
ip address 10.1.10.1 255.255.255.0 secondary
ip address 172.27.27.100 255.255.255.0
no cdp enable
!
interface Ethernet0/1
ip address dhcp
no cdp enable
crypto map RL-MAP
!
ip classless
no ip http server
!
ip access-list extended TO-RMT
permit ip 10.1.0.0 0.0.255.255 any
permit ip 172.27.27.0 0.0.0.255 any
no cdp run
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
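Before class it is worth checking the running configuration of RL-LCL-2611 against the lab design rather than waiting for Step 4 of the connectivity test to fail. The following Python script is an added example, not part of the Cisco guide: it parses an IOS configuration in the indented form that show running-config produces (the listing above lost its indentation in extraction), then verifies that every pod gateway 10.1.P.1 is a secondary address on Ethernet0/0, that the crypto ACL TO-RMT covers every pod subnet and 172.27.27.0/24, that RL-MAP is bound to the outside interface, and that the <AUTHENTICATION KEY> and <RL-PIX-CSPFA IP ADDRESS> placeholders were actually replaced. The embedded sample configuration is a constructed excerpt of the listing above; the peer address 10.203.0.113 and key LAB-KEY are made-up stand-ins, not lab values.

```python
"""Pre-class sanity check for the RL-LCL-2611 classroom router configuration.

Added example, not part of the Cisco instructor guide. Parses an IOS config in
the indented form produced by `show running-config` and checks the settings the
remote-lab IPsec tunnel depends on.
"""
import ipaddress
import re

PODS = range(1, 11)

# Constructed excerpt of the RL-LCL-2611 configuration from this guide. The peer
# 10.203.0.113 and the key LAB-KEY are made-up stand-ins for the values the ILSG
# lab administrator supplies; they are not real lab values.
_SECONDARIES = "\n".join(
    f" ip address 10.1.{p}.1 255.255.255.0 secondary" for p in PODS)
SAMPLE_CONFIG = f"""\
hostname RL-LCL-2611
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key LAB-KEY address 10.203.0.113
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer 10.203.0.113
 set transform-set RL-TRANS
 match address TO-RMT
!
interface Ethernet0/0
{_SECONDARIES}
 ip address 172.27.27.100 255.255.255.0
!
interface Ethernet0/1
 ip address dhcp
 crypto map RL-MAP
!
ip access-list extended TO-RMT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.27.27.0 0.0.0.255 any
"""

PLACEHOLDER = re.compile(r"<[A-Z][A-Z -]+>")  # e.g. <AUTHENTICATION KEY>

# 2001-era algorithm choices in the guide's config: fine for the lab as built,
# but a modern peer should be configured for AES and SHA-2 instead.
WEAK_TOKENS = {
    "hash md5": "IKE policy uses MD5",
    "esp-3des": "transform set uses 3DES",
    "esp-md5-hmac": "transform set uses HMAC-MD5",
}


def parse_blocks(config):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (wildcard = inverted mask) to a network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_sources(blocks, name):
    """Source networks permitted by an extended named ACL (any, host or wildcard form)."""
    nets = []
    for entry in blocks.get(f"ip access-list extended {name}", []):
        tokens = entry.split()
        if len(tokens) < 3 or tokens[0] != "permit":
            continue
        src = tokens[2:]
        if src[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif src[0] == "host" and len(src) >= 2:
            nets.append(ipaddress.ip_network(src[1]))
        elif len(src) >= 2:
            nets.append(wildcard_to_network(src[0], src[1]))
    return nets


def check_config(config, pods=PODS):
    """Return a list of findings; an empty list means the config matches the lab design."""
    findings = []
    leftovers = sorted(set(PLACEHOLDER.findall(config)))
    if leftovers:
        findings.append("placeholders still present: " + ", ".join(leftovers))
    blocks = parse_blocks(config)
    inside = set()
    for line in blocks.get("interface Ethernet0/0", []):
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            inside.add(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    permitted = acl_sources(blocks, "TO-RMT")

    def covered(net):  # is the whole network inside some permitted source range?
        return any(net.subnet_of(n) for n in permitted)

    for p in pods:
        if ipaddress.ip_interface(f"10.1.{p}.1/24") not in inside:
            findings.append(f"pod {p}: gateway 10.1.{p}.1 missing on Ethernet0/0")
        if not covered(ipaddress.ip_network(f"10.1.{p}.0/24")):
            findings.append(f"pod {p}: 10.1.{p}.0/24 not matched by crypto ACL TO-RMT")
    if not covered(ipaddress.ip_network("172.27.27.0/24")):
        findings.append("172.27.27.0/24 not matched by crypto ACL TO-RMT")
    outside = blocks.get("interface Ethernet0/1", [])
    if not any(l.startswith("ip address") for l in outside):
        findings.append("Ethernet0/1 has no IP address (dhcp or static)")
    if "crypto map RL-MAP" not in outside:
        findings.append("crypto map RL-MAP not applied to Ethernet0/1")
    return findings


def weak_crypto(config):
    """List the weak algorithm choices present, as informational warnings."""
    lines = [l.strip() for l in config.splitlines()]
    return [msg for tok, msg in WEAK_TOKENS.items() if any(tok in l for l in lines)]


if __name__ == "__main__":
    print("findings:", check_config(SAMPLE_CONFIG) or "none")
    print("warnings:", weak_crypto(SAMPLE_CONFIG))
```

Run it against a copy of the router's show running-config output saved to a file (read the file and pass its text to check_config). It cannot see the classroom firewall, so the requirement in the note above (UDP 500 and IP protocol 50 permitted outbound) still has to be confirmed with whoever runs that firewall; Step 4 of the connectivity test is the practical check for it.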
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to
setup and test the lab devices before the beginning of class.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check ethernet link from RL-LCL-2611 to your Internet connection.
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1
Step 2 RL-LCL-2611> ping <RL-PIX-CSPFA IP ADDRESS>
If unsuccessful
• check default gateway setting on RL-LCL-2611:
RL-LCL-2611# show ip route
From the Pod 1 student PC:
Step 3 C:\> ping 10.1.1.1
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check ethernet link from RL-LCL-2611 to Aironet access point or hub.
• check IP address/netmask settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
Step 4 C:\> ping 10.90.90.1
This will initiate the VPN tunnel to the remote PIX. It will take a few ping tries
before the VPN tunnel is established and the ping is successful.
If unsuccessful
• ensure that you’ve given the router/PIX enough time to setup the VPN tunnel.
• check default gateway setting on the student PC.
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
• check the IPSEC settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSPFA IP ADDRESS>
• clear all security associations (SAs) on the RL-LCL-2611:
RL-LCL-2611# clear crypto sa
From each student PC (1 through 10):
Step 5 C:\> ping 10.0.P.100 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
Telneting to the Remote Terminal Server
Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION.
Telnet to RL-RTS-CSPFA:
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RTS-CSPFA>
For the Chapter 15 lab, Configure a Secure VPN Using IPSec Between a PIX Firewall
and a VPN Client, telnet to 172.26.26.150:
C:\> telnet 172.26.26.150
User Access Verification
Password: cisco
RL-RTS-CSPFA>
PIX Initial Configurations
The PIX firewalls are reset to their default configuration before each class. Check that all pod PIX
firewalls have been reset.
Note Pods 1 through 10 access their PIX from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> pPp (where P = pod number)
Translating "pPp"
Trying pPp (10.93.93.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#
To reset a PIX firewall:
pixP# write erase
Erase PIX configuration in flash memory? [confirm] <enter>
pixP# reload
Proceed with reload? [confirm] <enter>
Rebooting
Router Initial Configurations
The student routers should already be configured with a default configuration
before each class. Check that all student routers are configured.
Note Pods 1 through 10 access their router console from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> rP (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) Open
rP> enable
Password: cisco
rP#
Router Default Configuration
Note Remember to replace the Ps with the actual pod number.
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RL-RPCSPFA
!
no logging console
[...]
Turning Secondary PIXen On and Off
Note The secondary PIXen used for Chapter 14's failover lab MUST be OFF at all times, except when doing the lab. To turn them ON or OFF, you connect to manageable power strips that control power to the secondary PIXen units.
Note Access the manageable power strip for Pods 1 through 8 from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> ... apc1
Translating "apc1"
Trying sP (10.93.93.1, 2063) Open
User Name : instructor
Password : cisco
Access the manageable power strip for Pods 9 and 10 from RL-RTS-CSPFA as follows:
RL-RTS-CSPFA> apc2
Translating "apc2"
Trying sP (10.93.93.1, 2064) Open
User Name : instructor
Password : cisco
TO TURN SECONDARY PIXEN OFF:...
System Logout ?- Help, - Main Menu, - Refresh
> 4
You are now in passthru mode
CSPFA Lab Settings and Changes
Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10
Peer Pods
The instructor must assign peer pods for labs that require pods to access each other. Pods 1 through 5 can only be peered with a pod between...
[Figure residue, lab visual objective with peer pod Q: pod P inside network with NT server NTP (Syslog, IIS, FTP, and web server) at 10.0.P.3 and remote access host 10.1.P.3 via NAT; peer pod Q inside network 10.0.Q.0/24 with NT server NTQ (Syslog, IIS, FTP, and web server) at 10.0.Q.3 and remote access host 10.1.Q.3 via NAT.]
Configure a Secure VPN Using IPSec Between a PIX Firewall and a VPN Client
Chapter 15 Lab Visual Objective...
SETTING | FROM | TO
Task 2 | >>>>>>>>>>>>>>>>>> SKIP | NOT REQUIRED
Chapter 9—Configuring Syslog
[Figure: Chapter 9 Lab Visual Objective: Internet; pod perimeter router (.1 on 192.168.P.0/24); PIX Firewall (e0 outside .2 on 192.168.P.0/24, e2 dmz .1 on 172.16.P.0/24, e1 inside .1); inside host 10.0.P.3 (remote access); backbone server 172.26.26.50 (web, FTP, and TFTP server); bastion host (web, and...)]
Chapter 10—Configure ACLs in the PIX Firewall
[Figure: Chapter 10 Lab Visual Objective: Internet; pod perimeter router (.1 on 192.168.P.0/24); PIX Firewall (e0 outside .2 on 192.168.P.0/24, e2 dmz .1 on 172.16.P.0/24, e1 inside .1); inside host 10.0.P.3 (web and FTP server), remote access 10.1.P.3 via NAT; backbone server 172.26.26.50 (web, FTP, and TFTP server); bastion host (web and FTP server); inside host, web...]
[Figure residue, lab visual objective: inside host 10.0.P.3 (web and FTP server); remote access 10.1.P.3 via NAT (inside host, Syslog server); backbone server 172.26.26.50 (web, FTP, and TFTP server).]
SETTING | FROM | TO
Task 2, Step 6 packet size | 65000 | 20000
Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT
[Figure: Chapter 13 Lab Visual Objective: ...; PIX Firewall (e2 on 172.16.P.0, e1 on 10.0.P.0); AAA server 10.0.P.3 (remote access); pod DMZ server (web or FTP); student workstation 10.1.P.3 via NAT.]
SETTING | FROM | TO
Task 1, Step 8 Windows NT Server IP Address | 10.0.P.3 | 10.1.P.3
Chapter 14—Failover
Chapter 14 Lab Visual Objective 172.26.26.50/24 Internet...
Chapter 5 Lab Visual Objective
[Figure: Chapter 5 Lab Visual Objective: Internet; pod perimeter router (.1 on 192.168.P.0/24); PIX Firewall (e0 outside .2 on 192.168.P.0/24, e2 dmz .1 on 172.16.P.0/24, e1 inside .1); inside host 10.0.P.3 (web and FTP server), remote access 10.1.P.3 via NAT; backbone server 172.26.26.50 (web, FTP, and TFTP server); bastion host (web and FTP server).]
...
[Figure residue, Chapter 15 lab visual objective: AAA and web server 10.0.P.10; remote access via NAT; 172.16.P.0/24; 172.26.26.P/24.]
SETTING | FROM | TO
Task 1, Step 6 | 172.26.26.P | 172.27.27.P
Task 1, Step 8 | 172.26.26.100 | 172.27.27.100
Chapter 16—Upgrade the PIX Firewall Image
[Figure: Chapter 16 Lab Visual Objective: Internet; pod perimeter router (.1 on 192.168.P.0/24) ...]