Copyright © 2001, Cisco Systems, Inc. CSVPN Remote Lab Instructor Guide 1.0 5
Physical Connections
[Figure: Connections with Aironet. Labels: PCs 1 through 10, CA, Cisco 2611 (Ethernet 0/0, Ethernet 0/1, console), Internet.]
[Figure: Connections with Hub. Labels: PCs 1 through 10, CA, FastHub 400 (ports 1X through 12X), Cisco 2611 (Ethernet 0/0, Ethernet 0/1, console), Internet.]
Initial Student PC Configuration
IP ADDRESS 172.27.27.P
MASK 255.255.255.0
GATEWAY 172.27.27.100
Classroom Router Configuration
You will need the following parameters from Cisco’s ILSG lab administrator
before configuring the classroom router:
RL-PIX-CSVPN IP ADDRESS (IPsec peer IP address)
AUTHENTICATION KEY
Note The classroom router is configured to get a DHCP address, including a default
route, on the outside interface (Ethernet 0/1). If DHCP is not supported at your
location then a manually entered IP address and default route must be configured.
RL-LCL-2611 Configuration
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RL-LCL-2611
!
enable secret 5 <ENABLE PASSWORD>
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
hash md5
authentication pre-share
group 2
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
!
crypto ipsec transform-set RL-TRANS esp-3des esp-md5-hmac
!
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSVPN IP ADDRESS>
set security-association lifetime seconds 86400
set transform-set RL-TRANS
set pfs group2
match address TO-RMT
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.2.1 255.255.255.0 secondary
ip address 10.1.3.1 255.255.255.0 secondary
ip address 10.1.4.1 255.255.255.0 secondary
ip address 10.1.5.1 255.255.255.0 secondary
ip address 10.1.6.1 255.255.255.0 secondary
ip address 10.1.7.1 255.255.255.0 secondary
ip address 10.1.8.1 255.255.255.0 secondary
ip address 10.1.9.1 255.255.255.0 secondary
ip address 10.1.10.1 255.255.255.0 secondary
ip address 192.168.201.1 255.255.255.0 secondary
ip address 192.168.202.1 255.255.255.0 secondary
ip address 192.168.203.1 255.255.255.0 secondary
ip address 192.168.204.1 255.255.255.0 secondary
ip address 192.168.205.1 255.255.255.0 secondary
ip address 192.168.206.1 255.255.255.0 secondary
ip address 192.168.207.1 255.255.255.0 secondary
ip address 192.168.208.1 255.255.255.0 secondary
ip address 192.168.209.1 255.255.255.0 secondary
ip address 192.168.210.1 255.255.255.0 secondary
ip address 172.27.27.100 255.255.255.0
no cdp enable
!
interface Ethernet0/1
ip address dhcp
no cdp enable
crypto map RL-MAP
!
ip classless
no ip http server
!
ip access-list extended TO-RMT
permit ip 10.1.0.0 0.0.255.255 any
permit ip 172.27.27.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 120E5619050A0F176B
login
!
end
Remote Lab Setup
This section covers the procedures required to connect to the remote lab and to
set up and test the lab devices before the beginning of class.
Establishing and Testing Connectivity to the Remote Lab
Perform the following procedures to establish and test connectivity to the remote
lab.
From the console of your RL-LCL-2611 router:
Step 1 RL-LCL-2611> ping <YOUR LOCAL DEFAULT GATEWAY>
If unsuccessful
• check physical Internet connectivity.
• check ethernet link from RL-LCL-2611 to your Internet connection.
• check IP address received from DHCP:
RL-LCL-2611# show ip interface brief ethernet0/1
Step 2 RL-LCL-2611> ping <RL-PIX-CSVPN IP ADDRESS>
If unsuccessful
• check default gateway setting on RL-LCL-2611:
RL-LCL-2611# show ip route
From the Pod 1 student PC:
Step 3 C:\> ping 172.27.27.100
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check ethernet link from RL-LCL-2611 to Aironet access point or hub.
• check IP address/netmask settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
Step 4 C:\> ping 10.90.90.1
This will initiate the VPN tunnel to the remote PIX. It will take a few ping tries
before the VPN tunnel is established and the ping is successful.
If unsuccessful
• ensure that you’ve given the router/PIX enough time to set up the VPN tunnel.
• check default gateway setting on the student PC.
• check the ISAKMP settings on RL-LCL-2611:
crypto isakmp key <AUTHENTICATION KEY> address <RL-PIX-CSVPN IP ADDRESS>
• check the IPsec settings on RL-LCL-2611:
crypto map RL-MAP 22 ipsec-isakmp
set peer <RL-PIX-CSVPN IP ADDRESS>
• clear all security associations (SAs) on the RL-LCL-2611:
RL-LCL-2611# clear crypto sa
From each student PC (1 through 5)
Step 5 C:\> ping 172.26.26.100 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
From each student PC (6 through 10)
Step 6 C:\> ping 172.26.26.120 (remote terminal server)
If unsuccessful
• check Aironet link or ethernet link from the PC to Aironet access point or hub.
• check IP address/netmask/default gateway settings on the student PC.
• check Aironet configuration and range.
• check RL-LCL-2611 configuration.
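As an added illustration (not part of the original guide), the Python code below applies IOS wildcard-mask matching to the TO-RMT crypto ACL from the RL-LCL-2611 configuration, showing why traffic sourced from a student PC in Step 4 is selected for the tunnel. The sample source addresses are constructed, and 203.0.113.10 is an assumed stand-in for the router's DHCP-assigned outside address.

```python
import ipaddress

# The TO-RMT crypto ACL from the RL-LCL-2611 configuration on this page:
# (source network, wildcard mask); the destination is "any" in every entry.
TO_RMT = [
    ("10.1.0.0", "0.0.255.255"),
    ("172.27.27.0", "0.0.0.255"),
    ("192.168.0.0", "0.0.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard logic: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def matching_entry(src: str, acl=TO_RMT):
    """Return the first ACL entry that permits src, or None (implicit deny)."""
    for base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return f"permit ip {base} {wildcard} any"
    return None


def is_protected(src: str) -> bool:
    """True when traffic from src is selected by the crypto map for IPsec."""
    return matching_entry(src) is not None


if __name__ == "__main__":
    # Constructed sample sources: the pod 1 PC on the initial 172.27.27.0/24
    # subnet (P = 1), two hosts on secondary subnets, a 10.0.x.x address that
    # the 10.1.0.0 entry does not cover, and a documentation address assumed
    # here in place of the router's DHCP-assigned outside address.
    for src in ("172.27.27.1", "10.1.3.25", "192.168.205.7",
                "10.0.1.2", "203.0.113.10"):
        entry = matching_entry(src)
        print(f"{src:15} -> {entry or 'no match: not selected for IPsec'}")
```

Every entry uses `any` as the destination, so all traffic from the listed source ranges is selected for IPsec, not only the pings to 10.90.90.1.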
Telnetting to the Remote Terminal Server
Note USE “CTRL+SHIFT+6 then X” TO EXIT A CONSOLE SESSION.
Lab Chapters 5 through 7
For labs in chapters 5 through 8, student pods 1 through 5, telnet to
RL-RMT1-CSVPN at IP address 172.26.26.100. Student pods 6 through 10, telnet to
RL-RMT2-CSVPN at IP address 172.26.26.120.
Pods 1 through 5:
C:\> telnet 172.26.26.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
Pods 6 through 10:
C:\> telnet 172.26.26.120
User Access Verification
Password: cisco
RL-RMT2-CSVPN>
Lab Chapter 8
For lab chapter 8 ONLY, all students will telnet to 192.168.1PP.100 (where PP =
pod number, i.e., 01, 02, ..., 10).
C:\> telnet 192.168.1PP.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
(pods 1 through 5)
RL-RMT2-CSVPN>
(pods 6 through 10)
Lab Chapters 9 through 14
For labs in chapters 9 through 14, student pods 1 through 5, telnet to
RL-RMT1-CSVPN at IP address 10.0.P.100. Student pods 6 through 10, telnet to
RL-RMT2-CSVPN at IP address 10.0.P.100.
C:\> telnet 10.0.P.100
User Access Verification
Password: cisco
RL-RMT1-CSVPN>
(pods 1 through 5)
RL-RMT2-CSVPN>
(pods 6 through 10)
VPN Concentrator Initial Configurations
The VPN concentrators are reset by the students as part of their lab activities. If
you want, check that all VPN concentrators are reset before the class.
Note Pods 1 through 5 access their VPN concentrator console from RL-RMT1-CSVPN
as follows:
RL-RMT-CSVPN1> vP (where P = pod number)
Translating "vP"
Trying vP (10.91.91.1, 2033) Open
Login: admin
Password: admin
Pods 6 through 10 access their VPN concentrator console from RL-RMT2-CSVPN
as follows:
RL-RMT-CSVPN2> vP (where P = pod number)
Translating "vP"
Trying vP (10.92.92.1, 2033) Open
Login: admin
Password: admin
To reset a VPN concentrator:
Note If you get the Quick prompt for the system time or date parameters, the device has
already been reset to factory defaults.
Main -> 2
Admin -> 3
Admin -> 2
Admin -> 3
Admin -> 2
Note Do not attempt to log into the first login prompt you see as it takes several moments
for the Cisco VPN 3000 Concentrator to complete the reboot function. A login
prompt appears when the reboot is completed.
Hardware Client Initial Configurations
The hardware clients are reset by the students as part of their lab activities. If
you want, check that all hardware clients are reset before the class.
Note Pods 1 through 5 access their hardware client console from RL-RMT1-CSVPN
as follows:
RL-RMT-CSVPN1> cP (where P = pod number)
Translating "cP"
Trying cP (10.91.91.1, 2033) Open
Login: admin
Password: admin
Pods 6 through 10 access their hardware client console from RL-RMT2-CSVPN
as follows:
RL-RMT-CSVPN2> cP (where P = pod number)
Translating "cP"
Trying cP (10.92.92.1, 2033) Open
Login: admin
Password: admin
To reset a hardware client:
Note If you get the Quick prompt for the system time or date parameters, the device has
already been reset to factory defaults.
Main -> 2
Admin -> 2
Admin -> 2
Admin -> 3
Admin -> 2
Note Do not attempt to log into the first login prompt you see as it takes several moments
for the Cisco VPN 3002 Hardware Client to complete the reboot function. A login
prompt appears when the reboot is completed.
Router Initial Configurations
The student routers should already be configured with a default configuration
before each class. Check that all student routers are already configured.
Note Pods 1 through 5 access their router console from RL-RMT1-CSVPN as follows:
RL-RMT-CSVPN1> rP (where P = pod number)
Translating "rP"
Trying rP (10.91.91.1, 2033) Open
rP> enable
Password: cisco
rP#
Pods 6 through 10 access their router console from RL-RMT2-CSVPN as follows:
RL-RMT-CSVPN2> rP (where P = pod number)
Translating "rP"
Trying rP (10.92.92.1, 2033) Open
rP> enable
Password: cisco
rP#
Router Default Configuration
Note Remember to replace the Ps with the actual pod number.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rP
!
no logging console
enable password cisco
!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
ip address 10.0.P.2 255.255.255.0
no ip directed-broadcast
!
interface Ethernet0/1
ip address 172.30.P.2 255.255.255.0
no ip directed-broadcast
!
router eigrp 1
network 10.0.0.0
network 172.30.0.0
no auto-summary
!
ip classless
no ip http server
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end
PIX Initial Configurations
The student PIXen should already be configured with a default configuration
before each class. Check that all student PIXen are already configured.
Note Pods 1 through 5 access their PIX console from RL-RMT1-CSVPN as follows:
RL-RMT-CSVPN1> pP (where P = pod number)
Translating "pP"
Trying rP (10.91.91.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#
Pods 6 through 10 access their PIX console from RL-RMT2-CSVPN as follows:
RL-RMT-CSVPN2> pP (where P = pod number)
Translating "pP"
Trying rP (10.92.92.1, 2033) Open
pixfirewall> enable
Password: <enter>
pixfirewall#