
CSPFA Remote Lab
Instructor Guide 2.0
Table of Contents
NETWORK TOPOLOGY 2
Remote Lab Description 2
Local Classroom Description 2
CLASSROOM SETUP 4
Equipment List 4
Physical Connections 5
Initial student PC Configuration 5
Classroom Router Configuration 6
REMOTE LAB SETUP 8
Establishing and Testing Connectivity to the Remote Lab 8
Telneting to the Remote Terminal Server 9
PIX Initial Configurations 10
Router Initial Configurations 10
Turning Secondary PIXen On and Off 12
CSPFA LAB SETTINGS AND CHANGES 17
Peer Pods 17
Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands 17
Chapter 6—Configuring Access Through the PIX Firewall 18
Chapter 7—Configure Inside Multiple Interfaces 18
Chapter 8—Configure the PIX Firewall’s DHCP Server and Client Features 19
Chapter 9—Configuring Syslog 20
Chapter 10—Configure ACLs in the PIX Firewall 20
Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall 21
Chapter 12—Configure the PIX Firewall to Use IDS Signatures 21

[Figure: Network Topology. Devices: RL-RMT1-CSPFA, RL-RMT2-CSPFA, RL-RTS-CSPFA (.100), CSACS (.10), DHCP and WEB/FTP (.50) servers, pod perimeter routers rP. Networks: 10.92.92.0, 172.26.26.0, 192.168.P.0, 10.0.P.0, 172.30.P.0, 172.17.P.0, 10.93.93.0.]

Remote Lab Description
The remote lab is accessed from the Internet through a PIX firewall, RL-PIX-CSPFA. The trainer initiates an IPsec VPN tunnel that terminates on RL-PIX-CSPFA. RL-PIX-CSPFA forwards all traffic to a router, RL-RMT-CSPFA, which routes traffic based on its source IP address to one of three routers: RL-RMT1-CSPFA, RL-RMT2-CSPFA, or RL-RTS-CSPFA. These routers perform NAT on the traffic and route it to the appropriate student pod.
Local Classroom Description
The classroom topology consists of ten (10) student PCs running Windows 2000 Server and all the applications required by the labs. Another PC running Windows 2000 Server is the CA server. All PCs are connected directly to a Cisco FastHub 400 or can be outfitted with Cisco Aironet wireless cards. If a Cisco FastHub 400 is used, a Cisco 2611 router is connected to the hub. If using Cisco

Description | Part number | Qty | Price
350 Series PC Card w/ Integrated Diversity Antenna, 128-bit WEP | Cisco AIR-PCM352 | 11 | 199
340 Series 11Mbps DSSS AP w/ 128-bit WEP and 2 Int. Ant. | Cisco AIR-AP342E2C | 1 | 799
FastHub 400: 12-port autosensing 10/100 manageable, stackable repeater | Cisco WS-C412 | 1 | 895
Cisco 2611: Dual Ethernet Modular Router w/ Cisco IOS IP Software | Cisco CISCO2611 | 1 | 2495
• IP SW 2600 SF26C - IP SOFTWARE | Cisco IP SW 2600 SF26C | 1 | 0
• S26C-12205 Cisco 2600 Series IOS IP* | Cisco S26C-12205T | 1 | 0
• 32- to 48-MB DRAM Factory Upgrade for the Cisco 2600 Series | Cisco MEM2600-32U48D | 1 | 1000
• 8 to 16 MB Flash Factory Upgrade for the Cisco 2600 Series | Cisco MEM2600-8U16FS | 1 | 700
Note * The Cisco 2611 router may be purchased with any zero added cost image and be
later upgraded to the 12.2.6 IOS IP/FW/IDS PLUS IPSEC 3DES image, which can
be downloaded free of charge by Cisco Learning Partners through CCO.
Copyright © 2001, Cisco Systems, Inc. CSPFA Remote Lab Instructor Guide 2.0 5
Physical Connections
[Figure: Connections with Aironet]

Note The classroom router is configured to obtain a DHCP address, including a default route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your location, an IP address and default route must be entered manually.
RL-LCL-2611 Configuration
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
enable secret 5 <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
 set peer <RL-PIX-CSPFA IP ADDRESS>
 set security-association lifetime seconds 86400

no cdp run
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end
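Added example, not part of the Cisco guide: a small Python checker that parses an IOS configuration in the RL-LCL-2611 style and lists the IKE/IPsec and vty settings an instructor should review before reusing the listing above. The embedded SAMPLE_CONFIG is a constructed excerpt of that listing with its placeholders kept.

```python
import re
# Constructed sample mirroring the guide's RL-LCL-2611 listing (placeholders kept as-is).
SAMPLE_CONFIG = """\
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSPFA IP ADDRESS>
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
line vty 0 4
 login
"""
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}  # deprecated today

def parse_blocks(cfg):
    """Group lines into (command, [indented sub-commands]); blank lines and '!' are skipped."""
    blocks = []
    for raw in cfg.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def isakmp_policies(cfg):
    """Return {policy_number: {keyword: value}} for every 'crypto isakmp policy' block."""
    return {int(m.group(1)): dict(line.partition(" ")[::2] for line in body)
            for cmd, body in parse_blocks(cfg)
            if (m := re.fullmatch(r"crypto isakmp policy (\d+)", cmd))}

def transform_sets(cfg):  # {name: [transforms]} for every 'crypto ipsec transform-set' line
    return {m.group(1): m.group(2).split() for cmd, _ in parse_blocks(cfg)
            if (m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", cmd))}

def audit(cfg):
    """List IKE/IPsec and vty settings to review before reusing the config."""
    findings = []
    for num, p in isakmp_policies(cfg).items():
        if "encryption" not in p:  # IOS 12.x default when unset is 56-bit DES
            findings.append(f"isakmp policy {num}: no encryption line, IOS default DES applies")
        if p.get("hash") == "md5":
            findings.append(f"isakmp policy {num}: hash md5")
        if p.get("group", "1") in ("1", "2"):  # 768- and 1024-bit Diffie-Hellman groups
            findings.append(f"isakmp policy {num}: Diffie-Hellman group {p.get('group', '1')}")
    for name, transforms in transform_sets(cfg).items():
        findings += [f"transform-set {name}: {t}" for t in transforms if t in LEGACY_TRANSFORMS]
    for cmd, body in parse_blocks(cfg):  # 'login' with no 'password' makes IOS refuse the vty
        if cmd.startswith("line vty") and "login" in body and not any(b.startswith("password") for b in body):
            findings.append(f"{cmd}: login without a password, remote logins are refused")
    return findings
```

Run audit() over a full `show running-config` capture to get the same report for the classroom router itself.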
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to set up and test the lab devices before class begins.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check ethernet link from RL-LCL-2611 to your Internet connection.
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1

Step 2 RL-LCL-2611> ping <RL-PIX-CSPFA IP ADDRESS>
If unsuccessful
• check default gateway setting on RL-LCL-2611:
RL-LCL-2611# show ip route


• check RL-LCL-2611 configuration.
Telneting to the Remote Terminal Server
Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION.
Telnet to RL-RTS-CSPFA:
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RTS-CSPFA>
For chapter 15 lab, Configure a Secure VPN Using IPSec Between a PIX Firewall
and a VPN Client, telnet to 172.26.26.150:
C:\> telnet 172.26.26.150
User Access Verification
Password: cisco
RL-RTS-CSPFA>
PIX Initial Configurations
The PIX firewalls are reset to their defaults before each class. Check that all pod PIX firewalls have been reset.
Note Pods 1 through 10 access their PIX from RL-RTS-CSPFA as follows:

RL-RTS-CSPFA> pPp (where P = pod number)
Translating "pPp"
Trying pPp (10.93.93.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#
To reset a PIX firewall:
pixP# write erase

!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 10.0.P.2 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address 172.30.P.2 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
 network 172.30.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
no ip http server
!
line con 0
 password cisco


User Name : instructor
Password : cisco

TO TURN SECONDARY PIXEN OFF:
American Power Conversion Web/SNMP Management Card AOS v2.5.4
(c) Copyright 2000 All Rights Reserved MasterSwitch APP v2.1.0

Name : Unknown Date : 11/28/2001
Contact : Unknown Time : 10:08:53
Location : Unknown Up Time : 6 Days 22 Hours 38 Minutes
Status : P+ N+ A+ User : Outlet User

MasterSwitch : Serial Communication Established

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
1

Device Manager

1- P1S ON

6- Sequenced Reboot
7- Delayed Reboot
8- Delayed Sequenced Reboot
9- Cancel Pending Commands

?- Help, <ESC>- Back, <ENTER>- Refresh
>
2

Immediate Off

Turn all outlets OFF immediately.

Enter 'YES' to continue or <ENTER> to cancel :
YES (enter YES exactly)
Command successfully issued.

Press <ENTER> to continue
<ENTER>

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: OFF P1S Immediate Immediate 05 Seconds
2: OFF P2S Immediate Immediate 05 Seconds
3: OFF P3S Immediate Immediate 05 Seconds
4: OFF P4S Immediate Immediate 05 Seconds
5: OFF P5S Immediate Immediate 05 Seconds



Name : Unknown Date : 11/28/2001
Contact : Unknown Time : 10:03:33
Location : Unknown Up Time : 6 Days 22 Hours 33 Minutes
Status : P+ N+ A+ User : Outlet User

MasterSwitch : Serial Communication Established

Control Console

1- Device Manager
2- Network
3- System
4- Logout

?- Help, <ESC>- Main Menu, <ENTER>- Refresh
>
1

Device Manager

1- P1S OFF
2- P2S OFF
3- P3S OFF
4- P4S OFF
5- P5S OFF
6- P6S OFF
7- P7S OFF
8- P8S OFF
9- ALL Accessible Outlets

Immediate On

Turn all outlets ON immediately.

Enter 'YES' to continue or <ENTER> to cancel :
YES (enter YES exactly)
Command successfully issued.

Press <ENTER> to continue
<ENTER>

ALL Accessible Outlets
Outlet Name Pwr On Dly Pwr Off Dly Reboot Dur.

1: ON P1S Immediate Immediate 05 Seconds
2: ON P2S Immediate Immediate 05 Seconds
3: ON P3S Immediate Immediate 05 Seconds
4: ON P4S Immediate Immediate 05 Seconds
5: ON P5S Immediate Immediate 05 Seconds
6: ON P6S Immediate Immediate 05 Seconds
7: ON P7S Immediate Immediate 05 Seconds
8: ON P8S Immediate Immediate 05 Seconds

1- Immediate On
2- Immediate Off
3- Immediate Reboot
4- Delayed On

[Figure: Peer Pods diagram, POD 2 through POD 10, with pods paired by <==> arrows.]
Chapter 5—Configure the PIX Firewall and Execute General Maintenance Commands
[Figure: Lab Visual Objective. Labels: Inside host, web and FTP server; Backbone, web, FTP, and TFTP server 172.26.26.50; Pod perimeter router; PIX Firewall (e1 inside .1, e0 outside .2, e2 dmz .1); Bastion host, web and FTP server; 192.168.P.0/24; 172.16.P.0/24; Internet; Remote Access NAT 10.0.P.3 / 10.1.P.3.]
Chapter 7—Configure Inside Multiple Interfaces
[Figure: Chapter 7 Lab Visual Objective. Labels: Inside host, web and FTP server; Backbone server, web, FTP, and TFTP server; Pod perimeter router; PIX Firewall (e1 inside .1, e0 outside .2, e2 dmz .1); Bastion host, web and FTP server; 192.168.P.0/24.]
[Figure (DHCP lab): DHCP client; Backbone server, DHCP, web, FTP, and TFTP server; Bastion host, web and FTP server; 172.16.P.0/24 (.50); DHCP pool 192.168.P.75-192.168.P.99; Remote Access NAT 10.0.P.3 / 10.1.P.3.]
SETTING | FROM | TO
Task 2 | SKIP, NOT REQUIRED
Chapter 9—Configuring Syslog
[Figure: Chapter 9 Lab Visual Objective. Labels: Inside host, Syslog server; Backbone server, web, FTP, and TFTP server 172.26.26.50; Pod perimeter router; PIX Firewall (e1 inside .1, e0 outside .2, e2 dmz .1); Internet; Bastion host, web and FTP server; 172.16.P.0/24; Remote Access NAT 10.0.P.3 / 10.1.P.3.]
Chapter 11—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall
THIS LAB DOES NOT HAVE A VISUAL OBJECTIVE
SETTING | FROM | TO
Task 3, Step 8 | If the FTP client is hung, press Ctrl+C until you break back to the C:\ prompt. | The FTP client will hang up after entering “quit”.

SETTING | FROM | TO
Task 2, Step 6, packet size | 65000 | 20000
Chapter 13—Configure AAA on the PIX Firewall Using CSACS for Windows NT
[Figure: Chapter 13 Lab Visual Objective. Labels: Student workstation; Pod DMZ server, web or FTP; networks 10.0.P.0, 172.16.P.0, 192.168.P.0.]
Chapter 14—Failover
[Figure: Chapter 14 Lab Visual Objective. Labels: Internet; Primary PIX Firewall and Secondary PIX Firewall joined by a failover cable (e0 .2 / .7, e1 .1 / .7, e2 .1 / .7, e3 .1 / .7); Backbone server, web, FTP, and TFTP server 172.26.26.50/24; DMZ 172.16.P.0/24; 10.0.P.0/24; 192.168.P.0/24; 172.17.0.0/24.]
[Figure: Pod 1 and Pod 2 lab visual objective. Labels: Pod1 perimeter router 172.30.P.2/24 s0; Pod2 perimeter router 172.30.Q.2/24 s0; Internet NT server, FTP and web 172.26.26.50/24; PIX Firewall (e0 Outside .2, e1 Inside .1); NTP NT server, Syslog, IIS, FTP, and web server; 10.0.P.0/24; 10.0.Q.0/24; 192.168.P.0/24; Remote Access NAT 10.0.P.3 / 10.1.P.3 and 10.0.Q.3 / 10.1.Q.3.]
[Figure: Lab visual objective with inside AAA and web server. Labels: bastion host 172.16.P.0/24 (e2 .1); Inside AAA and Web server 10.0.P.10; 172.26.26.P/24; 172.26.26.100/24; Remote Access NAT 172.26.26.P / 172.27.27.P.]
SETTING | FROM | TO
Task 1, Step 6 | 172.26.26.P | 172.27.27.P
Task 1, Step 8 | 172.26.26.100 | 172.27.27.100

