R1#show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0xC1DD058(203280472)

inbound esp sas:
spi: 0xDF57120F(3747025423)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:5, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4485195/877)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC1DD058(203280472)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: FPGA:6, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4485195/877)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
g. The previous example used pings to generate interesting traffic. What other types of traffic would result
in an SA forming and tunnel establishment?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________




Part 3. Configure a Site-to-Site IPsec VPN with SDM
In Part 3 of this lab, you configure an IPsec VPN tunnel between R1 and R3 that passes through R2. In Task
2, you configure R1 using Cisco SDM. In Task 3, you mirror those settings to R3 using SDM utilities. You then
review and test the resulting configuration.


Task 1. Restore Router R1 and R3 to the Basic Settings
To avoid confusion as to what was entered in Part 2 of the lab, start by restoring R1 and R3 to the basic
configuration as described in Part 1 of this lab.


Step 1: Erase and reload the router.

a. Connect to the router console, and enter privileged EXEC mode.

b. Erase the startup config and then issue the reload command to restart the router.


Step 2: Restore the basic configuration.

a. When the router restarts, enter privileged EXEC mode with the enable command, and then enter
global config mode. Use the HyperTerminal Transfer > Send File function, copy and paste or use another
method to load the basic startup config for R1 and R3 that was created and saved in Part 1 of this lab.

b. Save the running config to the startup config for R1 and R3 using the copy run start command.

c. Test connectivity by pinging from host PC-A to PC-C. If the pings are not successful, troubleshoot the
router and PC configurations before continuing.


Task 2. Configure IPsec VPN Settings on R1 Using SDM

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R1 and R3.
R1(config)#enable secret cisco12345

R3(config)#enable secret cisco12345
b. Enable the HTTP server on R1 and R3.
R1(config)#ip http server

R3(config)#ip http server

Step 2: Access SDM and set command delivery preferences.

a. Run the SDM application, or open a browser on PC-A and start SDM by entering the R1 IP address
192.168.1.1 in the address field.

Note: You might be prompted by Internet Explorer to allow ActiveX during several of these steps.
Click Allow.

b. Log in with no username and the enable secret password cisco12345.



c. In the Authentication Required dialog box, leave the Username field blank and enter cisco12345 in the
Password field. Click Yes.

d. If the IOS IPS login dialog displays, click the Cancel button to bypass this option.

e. Select Edit > Preferences to configure SDM to allow you to preview the commands before sending them
to the router. In the User Preferences window, check the Preview commands before delivering to router
check box and click OK.


Step 3: Start the SDM VPN wizard to configure R1.

a. Click the Configure button at the top of the SDM screen, and then click the VPN button. Select Site-to-Site
VPN from the list of options. The default option is Create Site-to-Site VPN. Read through the
description of this option.

b. What must you know to complete the configuration?
____________________________________________________________________________________
____________________________________________________________________________




c. Click the Launch the selected task button to begin the SDM Site-to-Site VPN wizard.

d. On the initial Site-to-Site VPN wizard window, the Quick Setup option is selected by default. Click the
View Details button to see what settings this option uses. What type of encryption does the default
transform set use? ______________________________

e. From the initial Site-to-Site VPN wizard window, select the Step by Step wizard, and then click Next.
Why would you use this option over the Quick setup option? ________________________________



Step 4: Configure basic VPN connection information settings.

a. From the VPN Connection Information window, select the interface for the connection, which should be
R1 Serial0/0/0.

b. In the Peer Identity section, select Peer with static address and enter the IP address of remote peer
R3 S0/0/1 (10.2.2.1).

c. In the Authentication section, click Pre-shared keys, and enter the pre-shared VPN key cisco12345.
Re-enter the key for confirmation. This key is what protects the VPN and keeps it secure. When finished,
your screen should look similar to the following. Once you have entered these settings correctly, click
Next.




Step 5: Configure IKE policy parameters.

IKE policies are used while setting up the control channel between the two VPN endpoints for key exchange.
This is also referred to as the IKE security association (SA). In contrast, the IPsec policy is used during IKE
Phase II to negotiate an IPsec security association to pass target data traffic.

In the IKE Proposals window, a default policy proposal is displayed. You can use this one or create a new
one. What function does this IKE proposal serve?
________________________________________________________________________________
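As an added example that is not part of the lab, the following Python script parses the show crypto isakmp policy output R3 produces in Task 4, Step 3b and models how two IOS peers settle on a Phase 1 policy (encryption, hash, authentication and DH group must match; lifetime is negotiated down to the shorter value). It assumes R1 carries the same two policies, which the mirror configuration gives it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int         # IOS evaluates lower numbers first
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int         # seconds

    def compatible(self, other):
        # Encryption, hash, authentication method and DH group must all be
        # identical; lifetime is settled separately (the shorter one wins).
        mine = (self.encryption, self.hash_alg, self.authentication, self.dh_group)
        theirs = (other.encryption, other.hash_alg, other.authentication, other.dh_group)
        return mine == theirs


def parse_isakmp_policies(text):
    """Turn `show crypto isakmp policy` output into IkePolicy objects."""
    # re.split with one capture group yields [preamble, prio, body, prio, body, ...]
    parts = re.split(r"Protection suite of priority (\d+)", text)
    policies = []
    for prio, body in zip(parts[1::2], parts[2::2]):
        def value_of(label):
            m = re.search(label + r":\s*(.+)", body, re.IGNORECASE)
            return m.group(1).strip() if m else ""
        policies.append(IkePolicy(
            priority=int(prio),
            encryption=value_of("encryption algorithm"),
            hash_alg=value_of("hash algorithm"),
            authentication=value_of("authentication method"),
            dh_group=int(re.search(r"#(\d+)", value_of("Diffie-Hellman group")).group(1)),
            lifetime=int(re.search(r"(\d+) seconds", value_of("lifetime")).group(1)),
        ))
    return policies


def negotiate(initiator, responder):
    """Phase 1 proposal selection as IOS performs it: the initiator offers all
    of its policies, the responder walks its own list in priority order and
    accepts the first of its policies that matches any offer. Returns
    (responder_policy, agreed_lifetime), or None when the peers cannot agree."""
    for own in sorted(responder, key=lambda p: p.priority):
        for offer in sorted(initiator, key=lambda p: p.priority):
            if own.compatible(offer):
                return own, min(own.lifetime, offer.lifetime)
    return None


def agreed_priority(initiator, responder):
    """Priority number of the policy the peers settle on, 0 if none."""
    result = negotiate(initiator, responder)
    return result[0].priority if result else 0


# R3's `show crypto isakmp policy` output from Task 4, Step 3b of this lab.
SHOW_POLICY_R3 = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               28800 seconds, no volume limit
"""

R3_POLICIES = parse_isakmp_policies(SHOW_POLICY_R3)
# Assumption: R1 ends up with the same two policies, since the lab mirrors them.
R1_POLICIES = list(R3_POLICIES)

if __name__ == "__main__":
    print("both policies on both peers:", negotiate(R1_POLICIES, R3_POLICIES))
    lab_only = [p for p in R3_POLICIES if p.priority == 10]
    print("lab policy only:", negotiate(lab_only, lab_only))
```

Removing the SDM default policy from both routers, or changing one attribute of the priority-10 policy on only one side, changes the outcome; both cases are worth trying to see which mismatch breaks Phase 1.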

a. Click the Add button to create a new IKE policy.

b. Set up the security policy as shown in the Add IKE Policy dialog box below. These settings are
matched later on R3. When finished, click OK to add the policy. Then click Next.




c. Click the Help button to assist you with answering the following questions. What is the function of the
encryption algorithm in the IKE policy?
____________________________________________________________________________________
____________________________________________________________________________

d. What is the purpose of the hash function?
____________________________________________________________________________________
____________________________________________________________________________

e. What function does the authentication method serve?
____________________________________________________________________________________
____________________________________________________________________________

f. How is the Diffie-Hellman group in the IKE policy used?
____________________________________________________________________________________
____________________________________________________________________________

g. What event happens at the end of the IKE policy's lifetime? ________________________________


Step 6: Configure a transform set.

The transform set is the IPsec policy used to encrypt, hash, and authenticate packets that pass through the
tunnel. The transform set is the IKE Phase 2 policy.

a. An SDM default transform set is displayed. Click the Add button to create a new transform set.

b. Set up the transform set as shown in the Transform Set dialog box below. These settings are matched
later on R3. When finished, click OK to add the transform set. Then click Next.




Step 7: Define interesting traffic.

You must define interesting traffic to be protected through the VPN tunnel. Interesting traffic will be defined
through an access list when applied to the router. If you enter source and destination subnets, SDM
generates the appropriate simple access list for you.

In the Traffic to protect window, enter the information as shown below. These are the opposite of the settings
configured on R3 later in the lab. When finished, click Next.




Step 8: Review the summary configuration and deliver commands to the router.

a. Review the summary of the Configuration window. It should look similar to the one below. Do not select
the checkbox for Test VPN connectivity after configuring. This is done after configuring R3.




b. In the Deliver Configuration to router window, select Save running config to router's startup config
and click the Deliver button. After the commands have been delivered, click OK. How many commands
were delivered? ____________________


Task 3. Create a Mirror Configuration for R3

Step 1: Use SDM on R1 to generate a mirror configuration for R3.

a. On R1, select VPN > Site-to-Site VPN and click the Edit Site-to-Site VPN tab. You should see the
VPN configuration you just created on R1 listed. What is the description of the VPN?
________________________________________________________________________________

b. What is the status of the VPN and why?
________________________________________________________________________________

c. Select the VPN policy you just configured on R1 and click the Generate Mirror button in the lower right
of the window. The Generate Mirror window displays the commands necessary to configure R3 as a VPN
peer. Scroll through the window to see all the commands generated.




d. The text at the top of the window states that the configuration generated should only be used as a
guide for setting up a site-to-site VPN. What commands are missing to allow this crypto policy to function
on R3? _________________________________________________________________

Hint: Look at the description entry following the crypto map SDM_CMAP_1 command.
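The following Python script is an added example, not SDM's own code. It builds the crypto ACL from the source and destination subnets the way Step 7 describes, derives the peer's configuration by swapping endpoints and subnets the way Generate Mirror does, and evaluates whether a given packet is interesting traffic. The IKE and transform values are those configured in Steps 5 and 6, the map and ACL names follow the SDM output shown in Task 4, and the pre-shared key is the lab's; the map is not applied to any interface here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnSide:
    name: str          # router hostname
    local_addr: str    # this router's tunnel endpoint
    peer_addr: str     # the remote tunnel endpoint
    local_net: str     # protected subnet behind this router (CIDR)
    remote_net: str    # protected subnet behind the peer (CIDR)


def wildcard(net):
    """IOS ACLs take a wildcard mask, the bitwise inverse of the subnet mask."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def crypto_acl(side, acl_name="SDM_1"):
    """Interesting traffic: the local protected subnet to the remote one."""
    return (f"ip access-list extended {acl_name}\n"
            f" permit ip {wildcard(side.local_net)} {wildcard(side.remote_net)}")


def mirror(side, peer_name):
    """The peer's view of the same tunnel: endpoints and subnets swap roles."""
    return VpnSide(peer_name, side.peer_addr, side.local_addr,
                   side.remote_net, side.local_net)


def render(side, psk, transform="Lab-Transform", map_name="SDM_CMAP_1",
           seq=10, acl_name="SDM_1"):
    """Crypto configuration for one side. Phase 1 and Phase 2 values are the
    ones the lab sets in Steps 5 and 6; applying the map to an interface is
    deliberately not part of what this function emits."""
    return "\n".join([
        "crypto isakmp policy 10",
        " encr aes 256",
        " hash md5",
        " authentication pre-share",
        " group 5",
        " lifetime 28800",
        f"crypto isakmp key {psk} address {side.peer_addr}",
        f"crypto ipsec transform-set {transform} esp-aes 256 esp-sha-hmac",
        " mode tunnel",
        crypto_acl(side, acl_name),
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f" description Tunnel to {side.peer_addr}",
        f" set peer {side.peer_addr}",
        f" set transform-set {transform}",
        f" match address {acl_name}",
    ])


def _wild_match(addr, base, wild):
    """Wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def ace_matches(ace, src, dst):
    """Evaluate one 'permit ip SRC SWILD DST DWILD' entry against a packet."""
    t = ace.split()
    if t[:2] != ["permit", "ip"] or len(t) != 6:
        raise ValueError(f"unsupported ACE: {ace!r}")
    return _wild_match(src, t[2], t[3]) and _wild_match(dst, t[4], t[5])


def is_interesting(side, src, dst):
    """Would this router send a packet from src to dst into the tunnel?"""
    ace = crypto_acl(side).splitlines()[1].strip()
    return ace_matches(ace, src, dst)


# The lab's R1 side: S0/0/0 endpoint, peer R3 S0/0/1, the LAN behind each router.
R1 = VpnSide("R1", "10.1.1.1", "10.2.2.1", "192.168.1.0/24", "192.168.3.0/24")
R3 = mirror(R1, "R3")
LAB_PSK = "cisco12345"   # the pre-shared key used throughout the lab

if __name__ == "__main__":
    print(render(R1, LAB_PSK))
    print()
    print(render(R3, LAB_PSK))
    print(is_interesting(R1, "192.168.1.3", "192.168.3.3"))   # LAN to LAN: True
    print(is_interesting(R1, "192.168.1.3", "10.2.2.1"))      # LAN to R3 serial: False
```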


Step 2: Save the configuration commands for R3.

a. Click the Save button to create a text file for use in the next task.

b. Save the commands to the desktop or other location and name it VPN-Mirror-Cfg-for-R3.txt.

Note: You can also copy the commands directly from the Generate Mirror window.

c. (Optional) Edit the file to remove the explanation text at the beginning and the description entry
following the crypto map SDM_CMAP_1 command.




Task 4. Apply the Mirror Configuration to R3 and Verify the Configuration

Step 1: Access the R3 CLI and copy the mirror commands.

Note: You can also use SDM on R3 to create the appropriate VPN configuration, but copying and pasting
the mirror commands generated from R1 is easier.

On R3, enter privileged EXEC mode and then global config mode.

Copy the commands from the text file into the R3 CLI.


Step 2: Apply the crypto map to the R3 S0/0/1 interface.
R3(config)#interface s0/0/1
R3(config-if)#crypto map SDM_CMAP_1
*Jan 30 13:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 3: Verify the VPN configuration on R3 using Cisco IOS.

a. Display the running config beginning with the first line that contains the string "0/0/1" to verify that the
crypto map is applied to S0/0/1.
R3#sh run | beg 0/0/1
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
b. On R3, use the show crypto isakmp policy command to show the configured ISAKMP policies
on the router. Note that the default SDM policy is also present.
R3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 28800 seconds, no volume limit
c. In the above output, how many ISAKMP policies are there? _______________________________

d. Issue the show crypto ipsec transform-set command to display the configured IPsec policies
in the form of the transform sets.
R3#show crypto ipsec transform-set
Transform set Lab-Transform: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
e. Use the show crypto map command to display the crypto maps that will be applied to the router.
R3#show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Apply the crypto map on the peer router's interface having IP address 10.2.2.1 that connects to this router.
Peer = 10.1.1.1
Extended IP access list SDM_1
access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
Lab-Transform: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
Serial0/0/1
f. In the above output, the ISAKMP policy being used by the crypto map is the SDM default policy with
sequence number priority 1, indicated by the number 1 in the first output line: Crypto Map
"SDM_CMAP_1" 1 ipsec-isakmp. Why is it not using the one you created in the SDM session, the one
shown with priority 10 in Step 3b above?
________________________________________________________________________________

g. (Optional) You can force the routers to use the more stringent policy that you created by changing the
crypto map references in the R1 and R3 router configs as shown below. If this is done, the default
ISAKMP policy 1 can be removed from both routers.
R1(config)#interface s0/0/0
R1(config-if)#no crypto map SDM_CMAP_1
R1(config-if)#exit
*Jan 30 17:01:46.099: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config)#no crypto map SDM_CMAP_1 1
R1(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#description Tunnel to 10.2.2.1
R1(config-crypto-map)#set peer 10.2.2.1
R1(config-crypto-map)#set transform-set Lab-Transform
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#int s0/0/0
R1(config-if)#crypto map SDM_CMAP_1
R1(config-if)#e
*Jan 30 17:03:16.603: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)#interface s0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
R3(config-if)#exit
R3(config)#no crypto map SDM_CMAP_1 1
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

R3(config-crypto-map)#description Tunnel to 10.1.1.1
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set Lab-Transform
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#int s0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jan 30 22:18:28.487: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Task 5. Test the VPN Configuration Using SDM on R1.
a. On R1, use SDM to test the IPsec VPN tunnel between the two routers. Select VPN > Site-to-Site
VPN and click the Edit Site-to-Site VPN tab.

From the Edit Site to Site VPN tab, select the VPN and click Test Tunnel.

b. When the VPN Troubleshooting window displays, click the Start button to have SDM start
troubleshooting the tunnel.

c. When the SDM Warning window displays indicating that SDM will enable router debugs and generate
some tunnel traffic, click Yes to continue.

d. In the next VPN Troubleshooting window, the IP address of the R1 Fa0/1 interface in the source
network is displayed by default (192.168.1.1). Enter the IP address of the R3 Fa0/1 interface in the
destination network field (192.168.3.1) and click Continue to begin the debugging process.




e. If the debug is successful and the tunnel is up, you should see the screen below. If the testing fails,
SDM displays failure reasons and recommended actions. Click OK to remove the window.




f. You can save the report if desired; otherwise, click Close.

Note: If you want to reset the tunnel and test again, you can click the Clear Connection button from the
Edit Site-to-Site VPN window. This can also be accomplished at the CLI using the clear crypto
session command.

g. Display the running config for R3 beginning with the first line that contains the string 0/0/1 to verify that
the crypto map is applied to S0/0/1.
R3#sh run | beg 0/0/1
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
<output omitted>
h. Issue the show crypto isakmp sa command on R3 to view the security association created.


R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
i. Issue the show crypto ipsec sa command. How many packets have been transformed between
R1 and R3? ____________________________
R3#show crypto ipsec sa

interface: Serial0/0/1
Crypto map tag: SDM_CMAP_1, local addr 10.2.2.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
#pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x207AAD8A(544910730)

inbound esp sas:
spi: 0xAF102CAE(2937072814)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:7, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4558294/3037)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x207AAD8A(544910730)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:8, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4558294/3037)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
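As an added example that is not part of the lab, this Python script parses the counters from the R3 show crypto ipsec sa output above and flags the conditions to check first when a tunnel is up but traffic is not flowing (no active ESP SA, one-way counters, send or receive errors, key lifetime about to expire). The second sample is constructed to show the one-way case.

```python
import re
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0          # packets encrypted and sent into the tunnel
    decaps: int = 0          # packets received from the tunnel and decrypted
    send_errors: int = 0
    recv_errors: int = 0
    transform: str = ""
    lifetime_kb: int = 0
    lifetime_sec: int = 0
    statuses: list = field(default_factory=list)   # one entry per ESP SA


def parse_ipsec_sa(text):
    """Pull the fields worth monitoring out of one `show crypto ipsec sa` flow."""
    def grab(pattern, default=""):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    sa = IpsecSa()
    sa.local_ident = grab(r"local ident \(addr/mask/prot/port\): \((.+?)\)")
    sa.remote_ident = grab(r"remote ident \(addr/mask/prot/port\): \((.+?)\)")
    sa.peer = grab(r"current_peer (\S+)")
    sa.encaps = int(grab(r"#pkts encaps: (\d+)", "0"))
    sa.decaps = int(grab(r"#pkts decaps: (\d+)", "0"))
    errors = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    if errors:
        sa.send_errors, sa.recv_errors = int(errors.group(1)), int(errors.group(2))
    sa.transform = grab(r"transform: (.+?) ,").strip()
    timing = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", text)
    if timing:
        sa.lifetime_kb, sa.lifetime_sec = int(timing.group(1)), int(timing.group(2))
    sa.statuses = re.findall(r"Status: (\w+)", text)
    return sa


def assess(sa, min_seconds=300):
    """Return a list of findings; an empty list means the SA looks healthy."""
    findings = []
    if not sa.statuses:
        findings.append("no ESP SA: Phase 2 never completed")
    elif any(s != "ACTIVE" for s in sa.statuses):
        findings.append(f"ESP SA not active: {sa.statuses}")
    if sa.encaps and not sa.decaps:
        findings.append("one-way: sending but receiving nothing; check the peer's crypto ACL and return routing")
    if sa.decaps and not sa.encaps:
        findings.append("one-way: receiving but sending nothing; check the local crypto ACL and routing")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"errors: send={sa.send_errors} recv={sa.recv_errors}")
    if sa.statuses and sa.lifetime_sec < min_seconds:
        findings.append(f"rekey due: {sa.lifetime_sec}s of key lifetime left")
    return findings


# Excerpt of the R3 output shown above (Task 4, Step 3i).
R3_OUTPUT = """\
interface: Serial0/0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.2.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
    #pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0xAF102CAE(2937072814)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4558294/3037)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x207AAD8A(544910730)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4558294/3037)
        Status: ACTIVE
"""

# Constructed failure case: R3 encrypts outbound packets but never decrypts
# any, the usual symptom of a peer whose crypto ACL or routing does not
# cover the return traffic.
ONE_WAY_OUTPUT = R3_OUTPUT.replace(
    "#pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

if __name__ == "__main__":
    healthy = parse_ipsec_sa(R3_OUTPUT)
    print(healthy.encaps, healthy.decaps, assess(healthy))
    print(assess(parse_ipsec_sa(ONE_WAY_OUTPUT)))
```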




Task 6. Reflection
Would traffic on the Fast Ethernet link between PC-A and the R1 Fa0/0 interface be encrypted by the
site-to-site IPsec VPN tunnel? Why or why not?
________________________________________________________________________________
________________________________________________________________________________

What are some factors to consider when configuring site-to-site IPsec VPNs using the manual CLI
compared to using the SDM VPN wizard GUI?

________________________________________________________________________________
________________________________________________________________________________


Router Interface Summary Table



Router Interface Summary
Router Model   Ethernet Interface #1       Ethernet Interface #2       Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (FA0)       Fast Ethernet 1 (FA1)       Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client

Topology




IP Addressing Table


Device   Interface      IP Address     Subnet Mask       Default Gateway   Switch Port
R1       FA0/1          192.168.1.1    255.255.255.0     N/A               S1 FA0/5
R1       S0/0/0 (DCE)   10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0         10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)   10.2.2.2       255.255.255.252   N/A               N/A
R3       FA0/1          192.168.3.1    255.255.255.0     N/A               S3 FA0/5
R3       S0/0/1         10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC            192.168.1.3    255.255.255.0     192.168.1.1       S1 FA0/6
PC-C     NIC            192.168.3.3    255.255.255.0     192.168.3.1       S3 FA0/18



Objectives
Part 1: Basic Router Configuration

• Configure host names, interface IP addresses, and access passwords.

• Configure static routing.

Part 2: Configuring a Remote Access VPN

• Configure a zone-based firewall (ZBF) on R3 using SDM.

• Configure Router R3 to support Cisco Easy VPN Server using SDM.

• Configure the Cisco VPN Client on PC-A and connect to R3.

• Verify the configuration.

• Test VPN functionality.


Background
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. A
common VPN implementation is used for remote access to a corporate office from a telecommuter location
such as a small office or home office (SOHO).

In this lab, you build a multi-router network and configure the routers and hosts. You configure a remote
access IPsec VPN between a client computer and a simulated corporate network. You start by using SDM to
configure a zone-based firewall (ZBF) to prevent connections from outside the corporate network. You also
use SDM to configure Cisco Easy VPN Server on the corporate gateway router. Next, you configure the Cisco
VPN Client on a host and connect to the corporate network through a simulated ISP router.

The Cisco VPN Client allows organizations to establish end-to-end, encrypted (IPsec) VPN tunnels for secure
connectivity for mobile employees or teleworkers. It supports Cisco Easy VPN, which allows the client to
receive security policies upon a VPN tunnel connection from the central site VPN device (Cisco Easy VPN
Server), minimizing configuration requirements at the remote location. Easy VPN is a scalable solution for
remote access deployments for which it is impractical to individually configure policies for multiple remote
PCs.

Router R1 represents a remote site, and R3 represents the corporate headquarters. Host PC-A simulates an
employee connecting from home or a small office over the Internet. Router R2 simulates an Internet ISP
router and acts as a passthrough with no knowledge of the VPN connection running through it.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the router model and Cisco IOS version, the commands available and output produced might
vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.


Required Resources
• 3 routers with Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable (2 routers with SDM 2.5
installed)

• 2 switches (Cisco 2960 or comparable)

• PC-A - Windows XP or Vista (with Cisco VPN Client)

• PC-C (Windows XP or Vista)

• Serial and Ethernet cables as shown in the topology

• Rollover cables to configure the routers via the console


Part 1. Basic Router Configuration
In Part 1, you set up the network topology and configure basic settings, such as the interface IP addresses
and static routing. Perform the steps on the routers as indicated.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for all routers.

a. Configure host names as shown in the topology.

b. Configure the physical interface IP addresses as shown in the IP addressing table.

c. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000
d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands
as though they were host names.
R1(config)#no ip domain-lookup

Step 3: Configure static default routes on R1 and R3.

Configure a static default route from R1 to R2 and from R3 to R2.
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2

R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2

Step 4: Configure static routes on R2.

Configure a static route from R2 to the R1 LAN.
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
Configure a static route from R2 to the R3 LAN.
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1

Step 5: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP
addressing table.




Step 6: Verify connectivity between PC-A and R3.

From PC-A, ping the R3 S0/0/1 interface at IP address 10.2.2.1.
PC-A:\>ping 10.2.2.1
Are the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 7: Configure a minimum password length.
Note: Passwords in this lab are set to a minimum of 10 characters, but are relatively simple for the benefit
of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10

Step 8: Configure the enable secret password and console and vty lines.

a. Configure the enable secret password cisco12345 on R1.
R1(config)#enable secret cisco12345
b. Configure a console password and enable login for router R1. For additional security, the
exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents
it from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
c. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
d. Repeat these configurations on R2 and R3.


Step 9: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)#service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
___________________________________________

c. Repeat this configuration on R2 and R3.




Step 10: Configure a login warning banner on routers R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner.
R1(config)#banner motd $Unauthorized access strictly prohibited and
prosecuted to the full extent of the law$

Step 11: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Part 2. Configuring a Remote Access VPN
In Part 2 of this lab, you configure a firewall and a remote access IPsec VPN. R3 is configured as a VPN
server using SDM, and PC-A is configured as a Cisco VPN Client.


Task 1. Prepare R3 for SDM Access

Step 1: Configure HTTP router access and a AAA user prior to starting SDM.

a. Enable the HTTP server on R3.
R3(config)#ip http server
Note: For added security, you can enable the HTTP secure server on R3 using the ip http secure-server
command. The HTTP server and the HTTP secure server are disabled by default.

b. Create an admin01 account on R3 with privilege level 15 and a password of admin01pass for use with
AAA.
R3(config)#username admin01 privilege 15 password 0 admin01pass

Step 2: Access SDM and set command delivery preferences.

a. Run the SDM application or open a browser on PC-C. Start SDM by entering the R3 Fa0/1 IP address
192.168.3.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Authentication Required dialog box, enter cisco12345 in the Password field and click OK.

d. If the IOS IPS Login dialog box appears, enter the enable secret password cisco12345.

e. Select Edit > Preferences to allow you to preview the commands before sending them to the router. In the
User Preferences window, check the Preview commands before delivering to router check box and click
OK.


Task 2. Configure a ZBF Firewall on R3

Step 1: Use the SDM Firewall Wizard to configure a zone-based firewall (ZBF) on R3.

a. Click the Configure button at the top of the SDM screen, and then click Firewall and ACL.



b. Select Basic Firewall and click the Launch the selected task button. On the Basic Firewall
Configuration wizard screen, click Next.

c. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for
Serial0/0/1. Click Next. Click OK when the SDM launch warning for Serial0/0/1 is displayed.




d. In the next window, select Low Security for the security level and click Next.

e. In the Summary window, click Finish.

f. Click Deliver to send the commands to the router. Click OK in the Commands Delivery Status window.
Click OK on the Information window. You are returned to the Edit Firewall Policy tab as follows.




Step 2: Verify firewall functionality.

a. From PC-C, ping the R2 interface S0/0/1 at IP address 10.2.2.2.

Are the pings successful? Why or why not?
_______________________________________________________________________________

b. From external router R2, ping PC-C at IP address 192.168.3.3

Are the pings successful? Why or why not?
_______________________________________________________________________________




Task 3. Use the SDM VPN Wizard to Configure the Easy VPN Server

Step 1: Launch the Easy VPN Server wizard and configure AAA services.

a. Click the Configure button at the top of the SDM home screen. Click the VPN task button to view the
VPN configuration page.

b. Select Easy VPN Server from the main VPN window, and then click Launch Easy VPN Server
Wizard.




c. The Easy VPN Server wizard checks the router configuration to see if AAA is enabled. If AAA is not
enabled, the Enable AAA window displays. AAA must be enabled on the router before the Easy VPN
Server configuration starts. Click Yes to continue with the configuration.

d. When prompted to deliver the configuration to the router, click Deliver.

e. In the Command Delivery Status window, click OK. When the message “AAA has been successfully
enabled on the router” displays, click OK.

f. When returned to the Easy VPN Server wizard window, click Next.

g. Now that AAA is enabled, you can start the Easy VPN Server wizard by clicking the Launch Easy VPN
Server Wizard button. Read through the descriptions of the tasks that the wizard guides you through.




How does the client receive the IPsec policies? ___________________________________________

How does the Easy VPN remote server configuration differ from the site-to-site?
____________________________________________________________________________________
____________________________________________________________________________________

h. Click Next when you are finished answering the above questions.


Step 2: Configure the virtual tunnel interface and authentication.

a. Select the interface on which the client connections terminate. Click the Unnumbered to radio button
and select the Serial0/0/1 interface from the pull-down menu.

b. Select Pre-shared Keys for the authentication type and click Next to continue.




Step 3: Select an IKE proposal.

a. In the IKE Proposals window, the default IKE proposal is used for R3.




What is the encryption method used with the default IKE policy? ____________

What is the hash algorithm used to ensure that the keys have not been tampered with? _____________

b. Click Next to accept the default IKE policy.

Note: Configurations on both sides of the tunnel must match exactly. The Cisco VPN Client automatically
selects the proper configuration for itself. Therefore, an IKE configuration is not necessary on the client
PC.




Step 4: Select the transform set.

a. In the Transform Set window, the default SDM transform set is used. What ESP encryption method is
used with the default transform set? _________________




b. Click Next to accept the default transform set.




Step 5: Specify group authorization and group policy lookup.

a. In the Group Authorization and Group Policy Lookup window, select the Local option.




b. Click Next to create a new AAA method list for group policy lookup that uses the local router database.




Step 6: Configure user authentication (XAuth).

a. In the User Authentication (Xauth) window, you can specify to store user information on an external
server, such as a RADIUS server or a local database, or both. Select the Enable User
Authentication check box and accept the default of Local Only.




Where does the router look for valid user accounts and passwords to authenticate remote VPN users
when they attempt to log in?
________________________________________________________________________________

b. Click the Add User Credentials button. In the User Accounts window, you can view currently defined
users or add new users.

What is the name of the user currently defined and what is the user privilege level? ______________
How was this user defined? __________________________________________________________




c. In the User Accounts window, click the Add button to add another user. Enter the username VPNuser1
with a password of VPNuser1pass. Select the check box for encrypting the password using the MD5
hash algorithm. Leave the privilege level at 1.

What is the range of privilege level that can be set for a user? _________________________




d. Click OK to accept the VPNuser1 entries, and then click OK to close the User Accounts window.




e. In the User Authentication (XAuth) window, click Next to continue.




Step 7: Specify group authorization and user group policies.

In the Group Authorization and User Group Policies window, you must create at least one group policy for
the VPN server.




a. Click Add to create a group policy.

b. In the Add Group Policy window, enter VPN-Access as the name of this group. Enter a new pre-
shared key of cisco12345 and then re-enter it.

c. Leave the Pool Information box checked and enter a starting address of 192.168.3.100, an ending
address of 192.168.3.150, and a subnet mask of 255.255.255.0.

d. Enter 50 for the Maximum Connections Allowed.

e. Click OK to accept the entries.




f. An SDM warning message displays indicating that the IP addresses in the pool and the IP address of
the FastEthernet0/1 interface are in the same subnet. Click Yes to continue.

g. When you return to the Group Authorization window, check the Configure Idle Timer check box and
enter one hour (1). This disconnects idle users if there is no activity for one hour and allows others to
connect. Click Next to continue.




h. When the Cisco Tunneling Control Protocol (cTCP) window displays, do not enable cTCP. Click Next
to continue.

i. When the Easy VPN Server Passthrough Configuration window displays, make sure that the Action
Modify check box is checked. This option allows SDM to modify the firewall on S0/0/1 to allow IPsec VPN
traffic to reach the internal LAN. Click OK to continue.




Step 8: Review the configuration summary and deliver the commands.

a. Scroll through the commands that SDM will send to the router. Do not check the check box to test the
VPN. Click Finish.

b. When prompted to deliver the configuration to the router, click Deliver.




c. In the Command Delivery Status window, click OK. How many commands are delivered? _________
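
An added example, not the wizard's delivered command set (the count asked for above refers to SDM's own output): one way to express the Task 3 settings as a hand-written Cisco IOS Easy VPN Server configuration on R3. The list, pool, profile and transform-set names (VPN-XAUTH, VPN-GROUP, VPN-POOL, VPN-IKE-PROFILE, VPN-IPSEC-PROFILE, VPN-TS) are assumed, the encryption and hash values chosen in Steps 3 and 4 are left as placeholders, and the DH group is assumed.

```cisco
! Added example: hand-written IOS equivalent of the Task 3 Easy VPN Server
! settings; not SDM's delivered output. Names marked here are assumed.
aaa new-model
! Step 6: XAuth users are checked against the local database only
aaa authentication login VPN-XAUTH local
! Step 5: group policy lookup uses the local router database
aaa authorization network VPN-GROUP local
! Step 6c: VPNuser1, privilege 1, password stored as an MD5 hash (secret)
username VPNuser1 privilege 1 secret VPNuser1pass
! Step 7c: address pool handed to connecting clients
ip local pool VPN-POOL 192.168.3.100 192.168.3.150
! Step 3: IKE policy; <placeholders> are the values shown by the default proposal
crypto isakmp policy 1
 encr <encryption from Step 3>
 hash <hash from Step 3>
 authentication pre-share
 group 2
! Step 7b-d: group VPN-Access, its pre-shared key, pool, mask, 50 connections
crypto isakmp client configuration group VPN-Access
 key cisco12345
 pool VPN-POOL
 netmask 255.255.255.0
 max-users 50
! Binds the group to the XAuth list, the authorization list and the tunnel template
crypto isakmp profile VPN-IKE-PROFILE
 match identity group VPN-Access
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
 virtual-template 1
! Step 4: transform set; <placeholder> is the ESP cipher of the default SDM set
crypto ipsec transform-set VPN-TS <esp-encryption from Step 4> esp-sha-hmac
crypto ipsec profile VPN-IPSEC-PROFILE
 set transform-set VPN-TS
 set isakmp-profile VPN-IKE-PROFILE
 ! Step 7g: idle timer of one hour, expressed in seconds
 set security-association idle-time 3600
! Step 2: client tunnels terminate on a virtual interface unnumbered to S0/0/1
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC-PROFILE
! Step 7i: the Task 2 firewall ACL applied inbound on S0/0/1 (its SDM-assigned
! name is not known here) must also admit IKE and ESP destined to 10.2.2.1:
!  permit udp any host 10.2.2.1 eq isakmp
!  permit udp any host 10.2.2.1 eq non500-isakmp
!  permit esp any host 10.2.2.1
```

Comparing this against the output of show run in Task 5 Step 7 shows which of these elements SDM generated and under what names.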


Step 9: Test the VPN Server.

a. You are returned to the main VPN window with the Edit Easy VPN Server tab selected. Click the Test
VPN Server button in the lower right corner of the screen.

b. In the VPN Troubleshooting window, click the Start button.

c. Your screen should look similar to the one below. Click OK to close the information window. Click
Close to exit the VPN Troubleshooting window.




Task 4. Use the Cisco VPN Client to Test the Remote Access VPN

Step 1: (Optional) Install the Cisco VPN client.

If the Cisco VPN Client software on host PC-A is not installed, install it now. If you do not have the Cisco VPN
Client software, contact your instructor.




Step 2: Configure PC-A as a VPN client to access the R1 VPN server.

a. Start the Cisco VPN Client and select Connection Entries > New, or click the New icon with the red
plus sign (+) on it.




b. Enter the following information to define the new connection entry. Click Save when you are finished.



Connection Entry: VPN-R3

Description: Connection to R3 internal network

Host: 10.2.2.1 (IP address of the R3 S0/0/1 interface)

Group Authentication Name: VPN-Access (defines the address pool configured in Task 2)

Password: cisco12345 (pre-shared key configured in Task 2)

Confirm Password: cisco12345

Note: The group authentication name and password are case-sensitive and must match the ones created
on the VPN Server.




Step 3: Test access from PC-A without a VPN connection.

In the previous step, you created a VPN connection entry on the VPN client computer PC-A but have not
activated it, so the VPN tunnel is not yet up.

Open a command prompt on PC-A and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the
pings successful? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________


Step 4: Establish a VPN connection and log in.

a. Select the newly created connection VPN-R3 and click the Connect icon. You can also double-click
the connection entry.


b. Enter the previously created username VPNuser1 in the VPN Client User Authentication dialog box
and enter the password VPNuser1pass. Click OK to continue. The VPN Client window minimizes to a
lock icon in the tools tray of the taskbar. When the lock is closed, the VPN tunnel is up. When it is open,
the VPN connection is down.




Task 5. Verify the VPN Tunnel Between the Client, Server, and Internal Network

Step 1: Open the VPN Client icon.

a. Double-click the VPN lock icon to expand the VPN Client window.

What does it say about the connection status at the top of the window? ________________________

b. From the PC-A command line, issue the ipconfig command.

What is the IP address of the first Local Area Connection? __________________________________

What is the IP address of Local Area Connection 2? _______________________________________


Step 2: Close the VPN connection and reopen it.

a. Click the Disconnect icon in the VPN Client window to close the VPN-R3 connection.

b. Click the Connect icon and log in again as VPNuser1.


What is the IP address of Local Area Connection 2 now? __________________________

Note: Each time you disconnect and reconnect to the VPN server, you receive a new IP address until the
limit is reached.


Step 3: Check the tunnel statistics.

a. Select Status > Statistics. Click the Tunnel Details tab.




b. What is the current address obtained from the R3 VPN server and what is the range of addresses that
can be assigned?
______________________________________________________________________________

What is the VPN server address? _____________________

How many packets have been encrypted? ______________

What is the encryption method? ______________________

What is the authentication method? ___________________

c. Leave the VPN Client Statistics window open.


Step 4: Test access from the client PC-A using the VPN connection.

With the VPN connection from computer PC-A to router R3 activated, open a command prompt on PC-A
and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the pings successful? Why or why
not? ________________________________________________________________________

How many packets have now been encrypted? __________________________________________




Step 5: Check the Cisco IOS message on R3 when the tunnel is created.

Open the console connection for R3 and locate the message displayed indicating that the virtual interface
came up when the VPN Client connection was made.

What is the name of the interface on R3 that is activated for the VPN? __________________________


Step 6: Verify the VPN connection information for PC-A.

From the PC-A command prompt, issue the ipconfig /all command to see the network connections.

a. What is the configuration for the first Local Area Connection?
IP Address: ________________________________________
Subnet Mask: ______________________________________
Default Gateway: ___________________________________
Description: _______________________________________
b. What is the configuration for Local Area Connection 2?
IP Address: ________________________________________
Subnet Mask: ______________________________________
Default Gateway: ___________________________________
Description: ________________________________________

Step 7: Telnet from PC-A to R3.

From the PC-A command prompt, telnet to R3 at the Fa0/1 IP address 192.168.3.1. Log in as admin01
with a password of admin01pass. What is the router command prompt and why is this?
______________________________________________________________________________

a. Issue the show run command to view the various commands generated by SDM to configure the VPN
Server.

b. Issue the show users command to see connections to router R3. What connections are present?
_____________________________________________________________________________

c. Close the Telnet connection using the quit or exit command.


Task 6. Reflection

Why is VPN a good option for remote users?

Router Interface Summary Table

Router Interface Summary
Router Model   Ethernet Interface #1       Ethernet Interface #2       Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (FA0)       Fast Ethernet 1 (FA1)       Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




Chapter 8: Lab C (Optional): Configuring a Remote Access VPN
Server and Client

Topology




IP Addressing Table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
        S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
        Loopback 0     192.168.2.1   255.255.255.0    N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
        S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18


Objectives

Part 1: Basic Router Configuration
• Configure host names, interface IP addresses, and access passwords.
• Configure the EIGRP dynamic routing protocol on R2 and R3.

Part 2: Configuring a Remote Access VPN
• Configure a router to support an Easy VPN server using SDM.
• Configure the Cisco VPN client on PC-A and connect to R2.
• Verify the configuration.
• Test VPN functionality.


Background
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. A
common VPN implementation is used for remote access to a corporate office from a telecommuter location
such as a small office or home office (SOHO).

In this lab, you build a multi-router network and configure the routers and hosts. You configure a remote
access IPsec VPN between a client computer and a simulated corporate network. You use SDM to configure
a Cisco Easy VPN server on the corporate edge gateway router and configure the Cisco VPN client on a host.
You then connect to the corporate network through a simulated ISP router.

The Cisco VPN client allows organizations to establish end-to-end, encrypted (IPsec) VPN tunnels for secure
connectivity for mobile employees or teleworkers. It supports Cisco Easy VPN, which allows the client to
receive security policies from the central site VPN device (Cisco Easy VPN Server) when the VPN tunnel is
established, minimizing configuration requirements at the remote location. This is a scalable solution for
remote access deployments where it is impractical to individually configure policies for multiple remote PCs.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the router model and Cisco IOS version, the commands available and output produced might
vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.


Required Resources
• 3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)

Note: This lab requires that R2 have IOS and hardware characteristics comparable to R1 and R3 in
order for it to play the role of the VPN server.

• 2 switches (Cisco 2960 or comparable)
• PC-A (Windows XP or Vista, with Cisco VPN Client)
• PC-C (Windows XP or Vista)
• Serial and Ethernet cables as shown in the topology
• Rollover cables to configure the routers via the console



Part 1. Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP
addresses, dynamic routing, device access, and passwords.

Note: Perform all tasks on routers R1, R2, and R3. The procedure for R1 is shown here as an example.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology.

b. Configure the physical interface IP addresses as shown in the IP addressing table.

c. Configure the logical loopback 0 interface on R2. This simulates the network from which the remote
access clients receive addresses (192.168.2.0/24). It is not necessary to use the no shutdown
command because loopback interfaces are up by default.

R2(config)#interface Loopback 0
R2(config-if)#ip address 192.168.2.1 255.255.255.0

d. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.

R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000

Step 3: Disable DNS lookup.

To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)#no ip domain-lookup

Step 4: Configure the EIGRP routing protocol on R2 and R3.

Note: R2 and R3 exchange routes in EIGRP AS 101. R1 is acting as an ISP router and does not
participate in the EIGRP routing process.

a. On R2, use the following commands.
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#network 192.168.2.0 0.0.0.255
R2(config-router)#no auto-summary
b. On R3, use the following commands.
