CSPFA Remote Lab Instructor Guide 2.0 Table of Contents NETWORK TOPOLOGY 2 Remote Lab Description 2 Local Classroom Description 2 CLASSROOM SETUP 4 Equipment List 4 Physical Connections 5 Initial student PC Configuration 5 Classroom Router Configuration 6 REMOTE LAB SETUP 8 Establishing and Testing Connectivity to the Remote Lab 8 Telneting to the Remote Terminal Server 9 PIX Initial Configurations 10 Router Initial Configurations 10 Turning Secondary PIXen On and Off 12 CSPFA LAB SETTINGS AND CHANGES 17 Peer Pods 17 Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands 17 Chapter 6—Configuring Access Through the PIX Firewall 18 Chapter 7—Configure Inside Multiple Interfaces 18 Chapter 8—Configure the PIX Firewall’s DHCP Server and Client Features 19 Chapter 9—Configuring Syslog 20 Chapter 10—Configure ACLs in the PIX Firewall 20 Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall 21 Chapter 12—Configure the PIX Firewall to Use IDS Signatures 21 Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT 22 Chapter 14—Failover 23 Chapter 15—Configure PIX Firewall VPNs 24 Chapter 16—Upgrade the PIX Firewall Image 26 Chapter 17—Configuring the PIX Firewall with PDM 27 Chapter 18—Configure CBAC on a Cisco Router 28 Chapter 19—Configure Authentication Proxy on a Cisco Router 29 2 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc. Network Topology The following is the network topology diagram for the CSPFA remote lab. © 2001, Cisco Systems, Inc. www.cisco.com 10.1.1.X 10.1.3.X 10.1.5.X 10.1.7.X 10.1.9.X10.1.2.X 10.1.4.X 10.1.6.X 10.1.8.X 10.1.10.X 10.91.91.0 .2 10.90.90.0 CSPFA Remote Lab CSPFA Remote Lab .1 1 3 5 7 92 4 6 8 10 172.27.27.1 172.27.27.3 172.27.27.5 172.27.27.7 172.27.27.9172.27.27.2 172.27.27.4 172.27.27.6 172.27.27.8 172.27.27.10 RL-PIX-CSPFA RL-LCL CLASSROOM REMOTE LAB .1 RL-RBB-CSPFA RL-RMT-CSPFA HUB 10.92.92.0 .2 .1 .2 172.26.26.0 RL-RMT1-CSPFA RL-RMT2-CSPFA .150 .2 .2 192.168.P.0 10.0.P.0 192.168.P.0 10.0.P.0 .100 rP rP 172.30. P.0 .2 .1 .1 .2 172.30. P.0 .1 .1 .10 CSACS DHCP .50 WEB/FTP 172.26.26.0 172.17.P.0 172.16.P.0 .7 .1 .7 .7 .1 pPs .1 .2 pPp .7 .2 172.17.P.0 .7 .1 .7 .7 .1 pPs .1 .2 .7 pPp .2 172.16.P.0 RL-RTS-CSPFA CSACS DHCP .10 .100 RL-RTS-CSPFA .100 RL-RTS-CSPFA .2 .1 1 0 . 9 3 . 9 3 . 0 .102.102 Remote Lab Description The remote lab is accessed via a PIX firewall, RL-PIX-CSPFA, from the Internet. The trainer will initiate an IPsec VPN tunnel terminating on RL-PIX-CSPFA. RL- PIX-CSPFA forwards all traffic to a router, RL-RMT-CSPFA, which routes traffic based on the source IP address to one of three routers, RL-RMT1-CSPFA, RL- RMT2-CSPFA, or RL-RTS-CSPFA. These routers will perform IP address NATing and route the traffic to the necessary student pod. Local Classroom Description The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the required applications used in the labs. Another PC running Windows 2000 Server will be the CA server. All PCs are directly connected to a Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If using a Cisco FastHub 400, a Cisco 2611 router is connected to the hub. If using Cisco Aironet, then the Aironet access point is connected to the Cisco 2611 router. In either case, the other interface of the Cisco 2611 router is connected to an Internet accessible network. Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 3 Note THE CLASSROOM ROUTER WILL BE INITIATING THE IPSEC VPN TUNNEL. UDP PORT 500 (ISAKMP) AND IP PROTOCOL 50 (ESP) TRAFFIC MUST BE ALLOWED BY THE FIREWALL AT THE CLASSROOM LOCATION. SEE CLASSROOM ROUTER CONFIGURATION LATER IN THIS DOCUMENT. 4 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc. Classroom Setup This section covers the list of equipment and their physical connections as well as the configuration of student PCs and the classroom router that the Cisco Learning Partner will be required to perform when teaching this course. Equipment List DESCRIPTION MFR PART NO. QTY. LIST PRICE /EACH Student Laptop/PC and CA Server (varies) 11 (varies) • Windows 2000 Server Microsoft 11 (varies) • Internet Explorer 5.5 Microsoft 11 (varies) • Internet Information Services 5.0 Microsoft 11 (varies) • Pentium III 800 MHz (or better) Intel 11 (varies) • 256 MB RAM (or better) (varies) 11 (varies) • 8 GB Hard Drive (or better) NTFS partitioned (varies) 11 (varies) • CD-ROM/Floppy Drive (varies) 11 (varies) • Aironet Adapter or 10/100 Ethernet NIC (varies) 11 (varies) 350 Series PC Card w/Integrated Diversity Antenna,128-bitWEP Cisco AIR-PCM352 11 199 340 Series 11Mbps DSSS AP w/128-bit WEP and 2 Int. Ant. Cisco AIR-AP342E2C 1 799 FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater Cisco WS-C412 1 895 Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software Cisco CISCO2611 1 2495 • IP SW 2600 SF26C - IP SOFTWARE Cisco IP SW 2600 SF26C 1 0 • S26C-12205 Cisco 2600 Series IOS IP* Cisco S26C-12205T 1 0 • 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series Cisco MEM2600-32U48D 1 1000 • 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series Cisco MEM2600-8U16FS 1 700 Note * The Cisco 2611 router may be purchased with any zero added cost image and be later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can be downloaded free of charge by Cisco Learning Partners through CCO. Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 5 Physical Connections © 2001, Cisco Systems, Inc. www.cisco.com Connections with Aironet Connections with Aironet 1 2 3 4 5 6 7 8 9 10 ETHERNET 0/0ETHERNET 0/1 Cisco 2611 CONSOLE Internet © 2001, Cisco Systems, Inc. www.cisco.com Connections with Hub Connections with Hub 1 2 3 4 5 6 7 8 9 10 1X 2X 3X 4X 5X 6X 7X 8X 9X 10X 11X 12X FastHub 400 ETHERNET 0/0ETHERNET 0/1 Cisco 2611 CONSOLE Internet Initial student PC Configuration IP ADDRESS 10.1.P.3 MASK 255.255.255.0 GATEWAY 10.1.P.1 6 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc. Classroom Router Configuration You will need the following parameters from Cisco’s ILSG lab administrator before configuring the classroom router:  RL-PIX-CSPFA IP ADDRESS (IPsec peer IP address)  AUTHENTICATION KEY Note The classroom router is configured to get a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location then a manually enter IP address and default route must be configured. RL-LCL-2611 Configuration ! version 12.1 service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname RL-LCL-2611 ! enable secret 5 <ENABLE PASSWORD> ! ip subnet-zero ! ip audit notify log ip audit po max-events 100 ! crypto isakmp policy 11 hash md5 authentication pre-share group 2 crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS> ! crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac ! crypto map RL-MAP 22 ipsec-isakmp set peer <RL-PIX-CSPFA IP ADDRESS> set security-association lifetime seconds 86400 set transform-set RL-TRANS set pfs group2 match address TO-RMT ! interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0 secondary ip address 10.1.2.1 255.255.255.0 secondary ip address 10.1.3.1 255.255.255.0 secondary ip address 10.1.4.1 255.255.255.0 secondary ip address 10.1.5.1 255.255.255.0 secondary ip address 10.1.6.1 255.255.255.0 secondary ip address 10.1.7.1 255.255.255.0 secondary Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 7 ip address 10.1.8.1 255.255.255.0 secondary ip address 10.1.9.1 255.255.255.0 secondary ip address 10.1.10.1 255.255.255.0 secondary ip address 172.27.27.100 255.255.255.0 no cdp enable ! interface Ethernet0/1 ip address dhcp no cdp enable crypto map RL-MAP ! ip classless no ip http server ! ip access-list extended TO-RMT permit ip 10.1.0.0 0.0.255.255 any permit ip 172.27.27.0 0.0.0.255 any no cdp run ! line con 0 transport input none line aux 0 line vty 0 4 login ! no scheduler allocate end 8 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc. Remote Lab Setup This section covers the procedures required to connect to the remote lab and to setup and test the lab devices before the beginning of class. Establishing and Testing Connectivity to the Remote Lab Perform the following procedures to establish and test connectivity to the remote lab. From the console of your RL-LCL-2611 router: Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY> If unsuccessful • check physical Internet connectivity. • check ethernet link from RL-LCL-2611 to your Internet connection. • check IP address received from DHCP: RL-LCL-2611# show ip interface brief ethernet0/1 Step 2 RL-LCL-2611> ping <RL-PIX-CSPFA IP ADDRESS> If unsuccessful • check default gateway setting on RL-LCL-2611: RL-LCL-2611# show ip route From the Pod 1 student PC: Step 3 C:\> ping 10.1.1.1 If unsuccessful • check Aironet link or ethernet link from the PC to Aironet access point or hub. • check ethernet link from RL-LCL-2611 to Aironet access point or hub. • check IP address/netmask settings on the student PC. • check Aironet configuration and range. • check RL-LCL-2611 configuration. Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 9 Step 4 C:\> ping 10.90.90.1 This will initiate the VPN tunnel to the remote PIX. It will take a few ping tries before the VPN tunnel is established and the ping is successful. If unsuccessful • ensure that you’ve given the router/PIX enough time to setup the VPN tunnel. • check default gateway setting on the student PC. • check the ISAKMP settings on RL-LCL-2611: crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS> • check the IPSEC settings on RL-LCL-2611: crypto map RL-MAP 22 ipsec-isakmp set peer <RL-PIX-CSPFA IP ADDRESS> • clear all security associations (SAs) on the RL-LCL-2611: RL-LCL-2611# clear crypto sa From each student PC (1 through 10) Step 5 C:\> ping 10.0.P.100 (remote terminal server) If unsuccessful • check Aironet link or ethernet link from the PC to Aironet access point or hub. • check IP address/netmask/default gateway settings on the student PC. • check Aironet configuration and range. • check RL-LCL-2611 configuration. Telneting to the Remote Terminal Server Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION. Telnet to RL-RTS-CSPFA: C:\> telnet 10.0.P.100 User Access Verification Password: cisco RL-RTS-CSPFA> For chapter 15 lab, Configure a Secure VPN Using IPSec Between a PIX Firewall and a VPN Client, telnet to 172.26.26.150: C:\> telnet 172.26.26.150 User Access Verification Password: cisco RL-RTS-CSPFA> 10 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc. PIX Initial Configurations The PIX firewalls are resetted to default before each class. Check that all pod PIX firewalls are resetted. Note Pods 1 through 10 access their PIX from RL-RTS-CSPFA as follows: RL-RTS-CSPFA> pPp (where P = pod number) Translating "pPp" Trying pPp (10.93.93.1, 2033) Open pixfirewall> enable Password: <enter> pixfirewall# To reset a PIX firewall: pixP# write erase Erase PIX configuration in flash memory? [confirm] <enter> pixP# reload Proceed with reload? [confirm] <enter> Rebooting Router Initial Configurations The student routers should already by configured with a default configuration before each class. Check that all student routers are already configured. Note Pods 1 through 10 access their router console from RL-RTS-CSPFA as follows: RL-RTS-CSPFA> rP (where P = pod number) Translating "rP" Trying rP (10.91.91.1, 2033) Open rP> enable Password: cisco rP# Router Default Configuration Note Remember to replace the Ps with the actual pod number. ! version 12.1 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname RL-RPCSPFA ! no logging console [...]... Inc CSPFA Remote Lab Instructor Guide 2.0 11 Turning Secondary PIXen On and Off Note The secondary PIXen used for Chapter 14’s failover lab MUST be OFF at all times, except when doing the lab To turn them ON or OFF, you connect to manageable power strips that control power to the secondary PIXen units Note Access the manageable power strip for Pods 1 through 8 from RL-RTS -CSPFA as follows: RL-RTS -CSPFA> ... apc1 Translating "apc1" Trying sP (10.93.93.1, 2063) Open User Name : instructor Password : cisco Access the manageable power strip for Pods 9 and 10 from RL-RTS -CSPFA as follows: RL-RTS -CSPFA> apc2 Translating "apc2" Trying sP (10.93.93.1, 2064) Open User Name : instructor Password : cisco 12 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc TO TURN SECONDARY PIXEN OFF:... System Logout ?- Help, - Main Menu, - Refresh > 4 You are now in passthru mode 16 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc CSPFA Lab Settings and Changes Note P = POD NUMBER: 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10 Peer Pods The instructor must assign peer pods for labs that require pods to access each other Pods 1 through 5 can only be peered with a pod between... Inside 1 10.0.Q.0 /24 Remote Access Remote Access 10.1.P.3 24 CSPFA Remote Lab Instructor Guide 2.0 NAT 10.1.Q.3 NTP NT server: Syslog, IIS, FTP, and web server © 2001, Cisco Systems, Inc 10.0.Q.3 NTQ NT server: Syslog, IIS, FTP, and web server www.cisco.com Copyright © 2001, Cisco Systems, Inc Configure a Secure VPN Using IPSec Between a PIX Firewall and a VPN Client Chapter 15 Lab Visual Objective... FROM TO Task 2 >>>>>>>>>>>>>>>>>> SKIP NOT REQUIRED Copyright © 2001, Cisco Systems, Inc CSPFA Remote Lab Instructor Guide 2.0 19 Chapter 9—Configuring Syslog Chapter 9 Lab Visual Objective Internet Pod perimeter router 1 192.168.P.0/24 e0 outside 2 172.16.P.0/24 PIX Firewall 2 e2 dmz 1 e1 inside 1 10.0.P.3 Remote Access 172.26.26.50 Backbone server, web, FTP, and TFTP server Bastion host, web, and... Systems, Inc Chapter 10—Configure ACLs in the PIX Firewall Chapter 10 Lab Visual Objective Internet Pod perimeter router 1 192.168.P.0/24 e0 outside 2 172.16.P.0/24 PIX Firewall 2 e2 dmz 1 e1 inside 1 10.0.P.3 Remote Access 172.26.26.50 Backbone, web, FTP, and TFTP server © 2001, Cisco Systems, Inc 20 CSPFA Remote Lab Instructor Guide 2.0 Bastion host, web and FTP server NAT 10.1.P.3 Inside host, web... and FTP server 10.0.P.3 Remote Access NAT 172.26.26.50 Backbone, web, FTP, and TFTP server © 2001, Cisco Systems, Inc SETTING 10.1.P.3 Inside host Syslog server www.cisco.com FROM TO 65000 20000 Task 2, Step 6 packet size Copyright © 2001, Cisco Systems, Inc CSPFA Remote Lab Instructor Guide 2.0 21 Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT Chapter 13 Lab Visual Objective... Firewall 172.16.P.0 e2 1 10.0.P.0 10.0.P.3 Remote Access AAA server 2 e1 Pod DMZ server web or FTP NAT 10.1.P.3 Student workstation © 2001, Cisco Systems, Inc SETTING www.cisco.com FROM TO 10.0.P.3 10.1.P.3 Task 1, Step 8 Windows NT Server IP Address 22 CSPFA Remote Lab Instructor Guide 2.0 Copyright © 2001, Cisco Systems, Inc Chapter 14—Failover Chapter 14 Lab Visual Objective 172.26.26.50/24 Internet... Chapter 5 Lab Visual Objective Internet Pod perimeter router 1 192.168.P.0/24 e0 outside 2 172.16.P.0/24 PIX Firewall 2 e2 dmz 1 e1 inside 1 10.0.P.3 Remote Access 172.26.26.50 Backbone, web, FTP, and TFTP server © 2001, Cisco Systems, Inc Copyright © 2001, Cisco Systems, Inc Bastion host, web and FTP server NAT 10.1.P.3 Inside host, web and FTP server www.cisco.com CSPFA Remote Lab Instructor Guide 2.0. .. AAA and Web server 10.0.P.10 © 2001, Cisco Systems, Inc Remote Access NAT 172.16.P.0 /24 172.26.26.P/24 www.cisco.com SETTING FROM TO Task 1, Step 6 172.26.26.P 172.27.27.P Task 1, Step 8 172.26.26.100 172.27.27.100 Copyright © 2001, Cisco Systems, Inc CSPFA Remote Lab Instructor Guide 2.0 25 Chapter 16—Upgrade the PIX Firewall Image Chapter 16 Lab Visual Objective Internet Pod Perimeter Router 1 192.168.P.0/24 . 10. 1. 10. X 10. 91.91 .0 .2 10. 90. 90. 0 CSPFA Remote Lab CSPFA Remote Lab .1 1 3 5 7 92 4 6 8 10 1 72. 27 .27 .1 1 72. 27 .27 .3 1 72. 27 .27 .5 1 72. 27 .27 .7 1 72. 27 .27 .91 72. 27 .27 .2. LAB .1 RL-RBB -CSPFA RL-RMT -CSPFA HUB 10. 92. 92. 0 .2 .1 .2 1 72. 26 .26 .0 RL-RMT1 -CSPFA RL-RMT2 -CSPFA .1 50 .2 .2 1 92. 168.P .0 10. 0.P .0 1 92. 168.P .0 10. 0.P .0 . 100 rP rP 1 72. 30. P .0 .2 .1 .1 .2 1 72. 30. P .0 .1 .1 . 10 CSACS DHCP . 50 WEB/FTP 1 72. 26 .26 .0 1 72. 17.P .0 1 72. 16.P .0 .7 .1 .7 .7 .1 pPs .1 .2 pPp .7 .2 1 72. 17.P .0 .7 .1 .7 .7 .1 pPs .1 .2 .7 pPp .2 1 72. 16.P .0 RL-RTS -CSPFA CSACS DHCP . 10 . 100 RL-RTS -CSPFA . 100 RL-RTS -CSPFA .2 .1 1 0 . 9 3 . 9 3 . 0 .1 02 . 1 02