Step 2: Use the SDM Firewall wizard to configure a ZBF on R3.

a. Click the Configure button at the top of the SDM screen, and then click Firewall and ACL.

b. Select Basic Firewall and click the Launch the selected task button. On the Basic Firewall
Configuration wizard screen, click Next.

c. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for
Serial0/0/1. Click Next. Click OK when the SDM access warning is displayed.

d. Select Low Security and click Next. In the Summary window, click Finish.

e. Click OK in the Commands Delivery Status window.


Step 3: Verify ZBF functionality.

a. From PC-C, ping the R2 interface S0/0/1 at IP address 10.2.2.2.

Are the pings successful? Why or why not?
________________________________________________________________________________

b. From external router R2, ping PC-C at IP address 192.168.3.3

Are the pings successful? Why or why not? _____________________________________________


c. From router R2, telnet to R3 at IP address 10.2.2.1.

Is the telnet successful? Why or why not? ______________________________________________

d. From PC-C on the R3 internal LAN, telnet to R2 at IP address 10.2.2.2 and use password
Cisc0vtypa55.

e. With the Telnet session open from PC-C to R2, issue the command show policy-map type
inspect zone-pair session on R3. Continue pressing enter until you see an Inspect Established
session section toward the end.
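A hand-written CLI equivalent of what the Basic Firewall wizard delivers in Step 2, added here as an example; it is not the wizard's generated output (which uses SDM-named classes and also adds self-zone rules). Class, policy and zone names are assumed.

```cisco
! Inside (trusted) = FastEthernet0/1, outside (untrusted) = Serial0/0/1, as chosen in Step 2c.
R3# configure terminal
! Traffic types that sessions may be opened for from the inside.
R3(config)# class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
R3(config-cmap)# match protocol tcp
R3(config-cmap)# match protocol udp
R3(config-cmap)# match protocol icmp
R3(config-cmap)# exit
! Stateful inspection: return traffic of inside-initiated sessions is allowed back in.
R3(config)# policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
R3(config-pmap)# class type inspect INSIDE-TO-OUTSIDE-CLASS
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# class class-default
R3(config-pmap-c)# drop
R3(config-pmap-c)# exit
R3(config-pmap)# exit
! Zones and the single inside-to-outside zone pair. No outside-to-inside pair exists,
! so unsolicited traffic from R2 toward the R3 LAN (Step 3b) is dropped by default.
R3(config)# zone security in-zone
R3(config-sec-zone)# exit
R3(config)# zone security out-zone
R3(config-sec-zone)# exit
R3(config)# zone-pair security IN-TO-OUT source in-zone destination out-zone
R3(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
R3(config-sec-zone-pair)# exit
R3(config)# interface fastethernet0/1
R3(config-if)# zone-member security in-zone
R3(config-if)# exit
R3(config)# interface serial0/0/1
R3(config-if)# zone-member security out-zone
R3(config-if)# end
! Step 3e: with the PC-C to R2 Telnet open, the established session appears here.
R3# show policy-map type inspect zone-pair session
```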


Step 4: Save the running configuration to the startup configuration.


Task 10. Configure Intrusion Prevention System (IPS) on R1 Using Cisco IOS
(Chapter 5)

Step 1: (Optional) Install the TFTP server on PC-A.

If a TFTP server is not currently installed on PC-A, download Tftpd32 from http://tftpd32.jounin.net and install
it on your desktop. If it is already installed, go to Step 2.


Step 2: Prepare the router and TFTP server.

To configure Cisco IOS IPS 5.x, the IOS IPS Signature package file and public crypto key files must be
available on PC-A. Check with your instructor if these files are not on the PC. These files can be downloaded
from Cisco.com with a valid user account that has proper authorization.

a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in a TFTP folder. The xxx is the version
number and varies depending on which file was downloaded.

b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-A. This is the public
crypto key used by IOS IPS.

c. Verify or create the IPS directory in router flash on R1. From the R1 CLI, display the content of flash
memory using the show flash command. Check whether the ipsdir directory exists and if it has files in
it.

d. If the ipsdir directory is not listed, create it.

R1#mkdir ipsdir
Create directory filename [ipsdir]? Press Enter
Created dir flash:ipsdir

e. If the ipsdir directory exists and the signature files are in it, you must remove the files to perform this
part of the lab. Switch to the ipsdir directory and verify that you are in it. Remove the files from the
directory, and then return to the flash root directory when you are finished.

R1#cd ipsdir

R1#pwd
flash:/ipsdir/

R1#delete R1*
Delete filename [/ipsdir/R1*]?
Delete flash:/ipsdir/R1-sigdef-typedef.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-category.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-default.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-delta.xml? [confirm]
Delete flash:/ipsdir/R1-seap-delta.xml? [confirm]
Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm]

R1#cd flash:/
R1#pwd
flash:/

Step 3: Open the IPS crypto key file and copy the contents to the router.

On PC-A, locate the crypto key file named realm-cisco.pub.key.txt and open it using Notepad or another
text editor. On R1, enter global config mode, copy the contents of the file, and paste the contents to the
router.


Step 4: Create an IPS rule.

On R1, create an IPS rule named iosips. This rule will be used later on an interface to enable IPS.


Step 5: Configure the IPS signature storage location in router flash memory.

Specify the location flash:ipsdir where the signature files will be stored.


Step 6: Configure Cisco IOS IPS to use a pre-defined signature category.

Retire all signatures in the “all” category and then unretire the ios_ips basic category.


Step 7: Apply the IPS rule to interfaces S0/0/0 and Fa0/1.

a. Apply the iosips rule that you created on the S0/0/0 interface in the inbound direction.

b. Apply the IPS rule to the R1 Fa0/1 interface in the inbound direction.


Step 8: Verify the IOS IPS signature package location and TFTP server setup.

a. Verify connectivity between R1 and PC-A, the TFTP server.

b. Verify that the PC has the IPS signature package file in a directory on the TFTP server. This file is
typically named IOS-Sxxx-CLI.pkg, where xxx is the signature file version.

Note: If this file is not present, contact your instructor before continuing.

c. Start the TFTP server and set the default directory to the one that contains the IPS signature package.


Step 9: Copy the signature package from the TFTP server to the router.

Use the copy tftp command to retrieve the signature file. Be sure to use the idconf keyword at the
end of the copy command.

Note: Immediately after the signature package is loaded to the router, signature compiling begins.
Allow time for this process to complete. It can take several minutes.


a. Display the contents of the ipsdir directory created earlier.

b. Use the show ip ips all command to see an IPS configuration status summary. To which
interfaces and in which direction is the iosips rule applied? _______________________________
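The CLI for Task 10 Steps 3 through 9 on R1, added here as an example and not part of the lab text (Task 11 produces the equivalent configuration on R3 through the SDM wizard). Assumed: the PC-A TFTP server answers at 192.168.1.3; the key body is the hex text of realm-cisco.pub.key.txt, which is not reproduced here.

```cisco
! Step 3: install the Cisco public key used to verify the signed signature package.
R1# configure terminal
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
R1(config-pubkey)# <paste the hex lines from realm-cisco.pub.key.txt here>
R1(config-pubkey)# quit
R1(config-pubkey-key)# exit
R1(config-pubkey-chain)# exit
! Step 4: name the IPS rule that is bound to interfaces later.
R1(config)# ip ips name iosips
! Step 5: compiled signature files go to the directory prepared in Step 2.
R1(config)# ip ips config location flash:ipsdir
! Step 6: retire every signature, then unretire only the ios_ips basic category.
! Unretiring the whole "all" category is not recommended on an ISR because of memory use.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm]
! Step 7: inspect traffic arriving on the WAN and the LAN interface.
R1(config)# interface serial0/0/0
R1(config-if)# ip ips iosips in
R1(config-if)# exit
R1(config)# interface fastethernet0/1
R1(config-if)# ip ips iosips in
R1(config-if)# end
! Step 9: fetch the package; the idconf keyword loads it and starts compilation.
R1# copy tftp://192.168.1.3/IOS-Sxxx-CLI.pkg idconf
! Verification: compiled XML files in flash:ipsdir, rule bindings, signature counts.
R1# dir flash:ipsdir
R1# show ip ips all
R1# show ip ips signatures count
```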


Step 10: Save the running configuration to the startup configuration.


Task 11. Configure IPS on R3 Using SDM (Chapter 5)

Step 1: (Optional) Install the TFTP server on PC-C.

If a TFTP server is not currently installed on PC-C, download Tftpd32 from http://tftpd32.jounin.net and install
it on your desktop. If it is already installed, go to Step 2.


Step 2: Prepare the router and TFTP server.

To configure Cisco IOS IPS 5.x, the IOS IPS signature package file and public crypto key files must be
available on PC-A. Check with your instructor if these files are not on the PC. These files can be downloaded
from Cisco.com with a valid user account that has proper authorization.

a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in a TFTP folder. The xxx is the version
number and varies depending on which file was downloaded.

b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-A. This is the public
crypto key used by Cisco IOS IPS.

c. Verify or create the IPS directory in router flash on R1. From the R1 CLI, display the content of flash
memory and check to see if the ipsdir directory exists.

d. If the ipsdir directory is not listed, create it in privileged EXEC mode.


Step 3: Verify the IOS IPS signature package and TFTP server setup.

a. Verify connectivity between R3 and PC-C, the TFTP server, using the ping command.

b. Verify that the PC has the IPS signature package file in a directory on the TFTP server. This file is
typically named IOS-Sxxx-CLI.pkg, where xxx is the signature file version.

Note: If this file is not present, contact your instructor before continuing.

c. Start Tftpd32 or another TFTP server and set the default directory to the one with the IPS signature
package in it. Take note of the filename for use in the next step.


Step 4: Access SDM using HTTPS.

a. Start the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address at
https://192.168.3.1 in the address field. Be sure to use HTTPS as the protocol.

b. At the security certificate warning, click Continue to this website.

c. Log in with no username and the enable secret password cisco12345.



d. In the Authentication Required dialog box and IOS IPS Login dialog box, do not enter a username but
enter the enable secret password cisco12345.


Step 5: Use the SDM IPS Wizard to configure IPS.

a. Click the Configure button at the top of the SDM screen and then select Intrusion Prevention >
Create IPS. Click the Launch IPS Rule Wizard button to begin the IPS configuration. If prompted
regarding SDEE notification, click OK. Click Next at the welcome screen.

b. Apply the IPS rule in the inbound direction for FastEthernet0/1 and Serial0/0/1. Click Next.

c. In the Signature File and Public Key window, specify the signature file with a URL and use TFTP to
retrieve the file from PC-C. Enter the IP address of the PC-C TFTP server and the filename. Click OK.

d. In the Signature File and Public Key window, enter the name of the public key file realm-cisco.pub.

e. Open the public key file and copy the text that is between the phrase “key-string” and the word “quit.”
Paste the text into the Key field in the Configure Public Key section. Click Next.

f. In the Config Location and Category window, specify flash:/ipsdir as the location to store the signature
information. Click OK.

g. In the Choose Category field of the Config Location and Category window, choose basic.

h. Click Next to display the Summary window, and click Finish to deliver the commands to the router.
Click OK.

Note: Allow the signature configuration process to complete. This can take several minutes.


Step 6: (Optional) Verify IPS functionality with SDM Monitor and SuperScan.

If SuperScan is not on PC-C, download the SuperScan 4.0 tool from the Scanning Tools group at
http://www.foundstone.com.

a. Start SuperScan on PC-C. Click the Host and Service Discovery tab. Check the Timestamp
Request check box, and uncheck the Echo Request check box. Scroll the UDP and TCP port selection
lists and notice the range of ports that will be scanned.

b. Click the Scan tab and enter the IP address of R2 S0/0/1 (10.2.2.2) in the Hostname/IP field.

Note: You can also specify an address range, such as 10.1.1.1 to 10.1.1.254, by entering an address
in the Start IP and End IP fields. The program scans all hosts with addresses in the range specified.

c. Click the button with the blue arrow in the lower left corner of the screen to start the scan.


Step 7: Check the results with SDM logging.

a. From Cisco SDM, choose Monitor > Logging.

b. Click the Update button. You will see that Cisco IOS IPS has been logging the port scans generated by
SuperScan.




c. What syslog messages did you see? You should see syslog messages on R3 and entries in the SDM
Monitor Log with descriptions that include one of these phrases: “Invalid DHCP Packet” or “DNS Version
Request.”


Step 8: Save the running configuration to the startup configuration.


Task 12. Back Up and Secure the Cisco Router IOS Image and Configuration
Files (Chapter 2)

Note: The procedures described here can also be used to back up the switch IOS images and configuration
files.


Step 1: Back up the IOS Image from R1 and R3 to a TFTP server.

Create a directory for the IOS images on PC-A and PC-C.

a. Start the TFTP server on PC-A and select the IOS images directory as the default directory.

b. Copy the R1 IOS image to the PC-A TFTP server as a backup in case the current image becomes
corrupted.

c. Start the TFTP server on PC-C and select the IOS images directory as the default directory.

d. Copy the R3 IOS image to the TFTP server as a backup in case the current image becomes corrupted.

Note: The IOS image on R1 should be the same as the one for R3, so a single backup could suffice for
both routers.


Step 2: Back up the configuration files from R1 and R3 to a TFTP server.

Create a directory for configurations on PC-A and PC-C.

a. Start the TFTP server on PC-A and select the Configs directory as the default directory.

b. Copy the R1 startup-config file to the PC-A TFTP server as a backup.

Note: If changes have been made to the running config, you can save them to the startup config
before backing up the config file.

c. Start the TFTP server on PC-C and select the Configs directory as the default directory.

d. Copy the R3 startup-config file to the PC-C TFTP server as a backup.


Step 3: Secure the Cisco IOS image and archive a copy of the running configuration for R1 and
R3.

a. Secure the IOS boot image to enable Cisco IOS image resilience and hide the file from dir and show
commands.

b. Secure the router running configuration and securely archive it in persistent storage (flash).




Step 4: Verify that the image and configuration are secured.

Display the status of configuration resilience and the primary bootset filename.
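The CLI for Task 12 on R1, added here as an example and not part of the lab text; R3 follows the same steps against the PC-C TFTP server. Assumed: the PC-A TFTP server is 192.168.1.3, and IOS-IMAGE.bin is a placeholder for the real image name (take it from show version).

```cisco
! Step 1: identify the running image, then copy it to the TFTP server on PC-A.
R1# show version | include image
R1# copy flash: tftp:
Source filename []? IOS-IMAGE.bin
Address or name of remote host []? 192.168.1.3
Destination filename [IOS-IMAGE.bin]?
! Step 2: commit running-config changes first, then back up the startup-config.
R1# copy running-config startup-config
R1# copy startup-config tftp:
Address or name of remote host []? 192.168.1.3
Destination filename [r1-confg]?
! Step 3: image resilience hides the image from dir/show flash and blocks its deletion;
! secure boot-config archives a copy of the running-config in persistent storage.
R1# configure terminal
R1(config)# secure boot-image
R1(config)# secure boot-config
R1(config)# end
! Step 4: the primary bootset (image and archived config) with its filenames.
R1# show secure bootset
```

The secured files no longer appear in `dir flash:` output; `show secure bootset` is the only place that lists them.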


Part 4. Secure Network Switches (Chapter 6)

Task 1: Configure Passwords and a Login Banner on All Switches (Chapter 2)

Step 1: Configure the enable secret password.

Use an enable secret password of cisco12345.


Step 2: Encrypt a plaintext password.

Step 3: Configure the console line.

Configure a console password of ciscoconpass and enable login. Set the exec-timeout to log out after 5
minutes of inactivity. Prevent console messages from interrupting command entry.

Note: The vty lines for the switches are configured for SSH in Task 2.


Step 4: Configure a login warning banner.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says
“Unauthorized access strictly prohibited and prosecuted to the full extent of the
law”.


Step 5: Disable HTTP access.

HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and
HTTP secure server.


Task 2. Configure Switches as NTP Clients (Chapter 2)

Note: Router R2 is the master NTP server. All other routers and switches learn their time from it, either
directly or indirectly.


Step 1: Configure S1, S2, and S3 to become NTP clients of R2.


Step 2: Verify that S1 has made an association with R2.


Task 3. Configure Syslog Support on All Switches (Chapter 2)

Step 1: (Optional) Install the syslog server on PC-A and PC-C.

If a syslog server is not currently installed on the host, download the latest version of Kiwi from
http://www.kiwisyslog.com or Tftpd32 from http://tftpd32.jounin.net and install it on your desktop. If it is already
installed, go to Step 2.

Step 2: Configure S1 to log messages to the PC-A syslog server.

a. Verify that you have connectivity between S1 and host PC-A by pinging the S1 VLAN 1 interface IP
address 192.168.1.11 from PC-A. If it is not successful, troubleshoot as necessary before continuing.

b. Configure the syslog service on the switch to send syslog messages to the syslog server.


Task 4. Configure the SSH Server on All Switches (Chapter 2)

Step 1: Configure a domain name.

Enter global configuration mode and set the domain name.


Step 2: Configure a privileged user for login from the SSH client.

Use the username command to create the user ID with the highest possible privilege level and a secret
password.


Step 3: Configure the incoming vty lines.

a. Configure vty access on lines 0 through 4. Specify that a privilege level of 15 is required to access the
vty lines, use the local user accounts for mandatory login and validation, and accept only SSH
connections.

b. Disable login for switch vty lines 5 through 15.


Step 4: Generate the RSA encryption key pair.

The switch uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure
the RSA keys with 1024 for the number of modulus bits.


Step 5: Verify SSH connectivity to S1 from the SSH client PC-A.

If the SSH client is not already installed, download either TeraTerm or PuTTY.

a. Launch the client, enter the VLAN 1 IP address, and enter the Admin01 username and password.

b. Close the PuTTY SSH session window with the exit or quit command.

c. Try to open a Telnet session to switch S1 from PC-A. Are you able to open the Telnet session? Why or
why not? _____________________________________________________________________


Task 5. Configure Authentication Using AAA and RADIUS on All Switches
(Chapter 3)

Step 1: (Optional) Download and configure the WinRadius software.

a. If WinRadius is not currently installed on PC-A and PC-C, download the latest version from
http://www.suggestsoft.com/soft/itconsult2000/winradius/. There is no installation setup. The
extracted WinRadius.exe file is executable.


b. Start the WinRadius.exe application. If the application is being started for the first time, follow the
instructions to configure the WinRadius server database.


Step 2: Configure users and passwords on the WinRadius server.

Note: If the RADIUS user accounts were previously configured, you can skip this step. If the RADIUS
server has been shut down and restarted, you must recreate the user accounts.

a. Add username RadAdmin with a password of RadAdminpa55.

b. Add username RadUser with a password of RadUserpa55.

Step 3: Enable AAA.

Enable the AAA new model to turn on AAA.


Step 4: Configure the default login authentication list.

Configure the list to first use RADIUS for the authentication service and then local, to allow access based
on the local switch database if a RADIUS server cannot be reached.


Step 5: Verify connectivity between S1 and the PC-A RADIUS server.

Ping from S1 to PC-A.

If the pings are not successful, troubleshoot the PC and switch configuration before continuing.


Step 6: Specify a RADIUS server.

Configure the switch to access the RADIUS server at PC-A. Specify auth-port 1812 and acct-port 1813,
along with the IP address and secret key of WinRadius for the RADIUS server.

Step 7: Test the RADIUS configuration by logging in to the console on S1.

a. Exit to the initial router screen that displays the following: R1 con0 is now available, Press RETURN to get
started.

b. Log in with the username RadAdmin and password RadAdminpa55. Can you log in with minimal delay?
_________________________________________________________________________

Note: If you exit the WinRadius server and restart it, you must recreate the user accounts from Step 2.


Step 8: Test your configuration by connecting to S1 with SSH.

Clear the log on the WinRadius server by selecting Log > Clear.

a. Use PuTTY or another terminal emulation client to open an SSH session from PC-A to S1.

b. At the login prompt, enter the username RadAdmin defined on the RADIUS server and a password of
RadAdminpa55.

Are you able to log in to R1? _____
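The S1 side of Tasks 1 through 5 as one CLI example, added here and not part of the lab text; S2 and S3 are configured the same way. Assumed values: domain name ccnasecurity.com, the Admin01 secret Admin01pa55, PC-A (syslog and RADIUS server) at 192.168.1.3, and WinRadius as the RADIUS shared secret.

```cisco
! Task 1: passwords, console line, banner, no HTTP management plane.
S1# configure terminal
S1(config)# enable secret cisco12345
S1(config)# service password-encryption
S1(config)# line console 0
S1(config-line)# password ciscoconpass
S1(config-line)# login
S1(config-line)# exec-timeout 5 0
S1(config-line)# logging synchronous
S1(config-line)# exit
S1(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
S1(config)# no ip http server
S1(config)# no ip http secure-server
! Task 2: NTP client of R2 (10.2.2.2 is the R2 S0/0/1 address used in this lab).
S1(config)# ntp server 10.2.2.2
! Task 3: send syslog messages to PC-A.
S1(config)# logging host 192.168.1.3
! Task 4: SSH only on vty 0-4; vty 5-15 refuse every inbound transport.
S1(config)# ip domain-name ccnasecurity.com
S1(config)# username Admin01 privilege 15 secret Admin01pa55
S1(config)# line vty 0 4
S1(config-line)# privilege level 15
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# exit
S1(config)# line vty 5 15
S1(config-line)# transport input none
S1(config-line)# exit
S1(config)# crypto key generate rsa general-keys modulus 1024
S1(config)# ip ssh version 2
! Task 5: RADIUS first, local database as fallback. Once aaa new-model is on,
! this default list governs console and vty logins in place of "login local".
S1(config)# aaa new-model
S1(config)# radius-server host 192.168.1.3 auth-port 1812 acct-port 1813 key WinRadius
S1(config)# aaa authentication login default group radius local
S1(config)# end
! Verification: NTP association with R2, SSH version/key state, RADIUS server reachability.
S1# show ntp associations
S1# show ip ssh
S1# show aaa servers
```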




Task 6. Secure Trunk Ports (Chapter 6)

Step 1: Configure trunk ports on S1 and S2.

a. Configure port Fa0/1 on S1 as a trunk port.

b. Configure port Fa0/1 on S2 as a trunk port.

c. Verify that S1 port Fa0/1 is in trunking mode.


Step 2: Change the native VLAN for the trunk ports on S1 and S2.

Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.

a. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99.

b. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99.


Step 3: Prevent the use of DTP on S1 and S2.

Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP
frames.


Step 4: Verify the trunking configuration on port Fa0/1.

Step 5: Enable storm control for broadcasts.

Enable storm control for broadcasts on the trunk port with a 50 percent rising suppression level using the
storm-control broadcast command.


Step 6: Verify the configuration with the show run command.


Task 7. Secure Access Ports (Chapter 6)

By manipulating the STP root bridge parameters, network attackers hope to spoof their system, or a rogue
switch that they add to the network, as the root bridge in the topology. If a port that is configured with PortFast
receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU guard.


Step 1: Disable trunking on S1, S2, and S3 access ports.

a. On S1, configure ports Fa0/5 and F0/6 as access mode only.

b. On S2, configure Fa0/18 as access mode only.

c. On S3, configure ports Fa0/5 and Fa0/18 as access mode only.


Task 8. Protect Against STP Attacks (Chapter 6)

The topology has only two switches and no redundant paths, but STP is still active. In this step, you enable
some switch security features that can help reduce the possibility of an attacker manipulating switches via
STP-related methods.

Step 1: Enable PortFast on S1, S2, and S3 access ports.

PortFast is configured on access ports that connect to a single workstation or server to enable them to
become active more quickly.

a. Enable PortFast on the S1 Fa0/5 and Fa0/6 access ports.

b. Enable PortFast on the S2 Fa0/18 access port.

c. Enable PortFast on the S3 Fa0/5 and Fa0/18 access port.


Step 2: Enable BPDU guard on the S1, S2, and S3 access ports.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports. Enable BPDU
guard on the switch ports previously configured as access only.


Task 9. Configure Port Security and Disable Unused Ports (Chapter 6)

Step 1: Configure basic port security.

Shut down all end-user access ports that are in use and enable basic default port security. This sets the
maximum MAC addresses to 1 and the violation action to shutdown. Reissue the port security command
using the sticky option to allow the secure MAC address that is dynamically learned on a port to the switch
running configuration. Re-enable each access port to which port security was applied.


Step 2: Disable unused ports on S1 and S2.

As a further security measure, disable any ports not being used on the switch.

Ports Fa0/1, Fa0/5, and Fa0/6 are used on switch S1. Shut down the remaining Fast Ethernet ports and
the two Gigabit Ethernet ports.

Ports Fa0/1 and Fa0/18 are used on switch S2. Shut down the remaining Fast Ethernet ports and the two
Gigabit Ethernet ports.

Ports Fa0/5 and Fa0/18 are used on switch S3. Shut down the remaining Fast Ethernet ports and the two
Gigabit Ethernet ports.


Step 3: (Optional) Move active ports to another VLAN and change the management VLAN.

As a further security measure, you can move all active end-user and router ports to a VLAN other than the
default VLAN 1 on the switches. You can also change the management VLAN from VLAN 1 to another VLAN,
but you must have at least one end-user host port in that VLAN to manage the switch remotely using Telnet,
SSH, or HTTP.

Note: The following configuration allows you to manage either switch remotely from either PC-A or PC-B. You
can only access the switches remotely using SSH, because Telnet and HTTP have been disabled. The
procedure for switch S3 is also shown.

Configure a new VLAN for users on each switch using the following commands.

Note: You could also configure VLAN 10 on switch S3, but it would not communicate with VLAN 10 on
switches S1 and S2.

S1(config)#vlan 10
S1(config-vlan)#name Users

S2(config)#vlan 10
S2(config-vlan)#name Users

S3(config)#vlan 30
S3(config-vlan)#name Users

a. Add the current active access (non-trunk) ports to the new VLAN.

S1(config)#interface range fa0/5 - 6
S1(config-if-range)#switchport access vlan 10

S2(config)#interface fa0/18
S2(config-if)#switchport access vlan 10

S3(config)#interface fa0/5
S3(config-if)#switchport access vlan 30

S3(config)#interface fa0/18
S3(config-if)#switchport access vlan 30

b. On each switch, remove the management VLAN IP address from VLAN 1 (configured in Part 1 of the
lab) and shut it down. The following example is for switch S1.

S1(config)#interface vlan 1
S1(config-if)#no ip address
S1(config-if)#shutdown

c. Configure a management VLAN IP address for the VLAN 10 interface on S1 and S2 and enable it.

S1(config)#interface vlan 10
S1(config-if)#ip address 192.168.1.11 255.255.255.0
S1(config-if)#no shutdown

S2(config)#interface vlan 10
S2(config-if)#ip address 192.168.1.12 255.255.255.0
S2(config-if)#no shutdown

d. Configure a management VLAN IP address for the VLAN 30 interface on S3 and enable it.

S3(config)#interface vlan 30
S3(config-if)#ip address 192.168.3.11 255.255.255.0
S3(config-if)#no shutdown

Step 4: Save the running-config to the startup-config.


Part 5. Configuring VPN Remote Access
In Part 5, you configure a remote access IPsec VPN. R3 is configured as an Easy VPN server using SDM, and
the Cisco VPN Client is configured on PC-A. The PC-A host simulates an employee connecting from home or a
remote office over the Internet. Router R2 simulates an Internet ISP router.

Task 1. Use the SDM VPN Wizard to Configure the Easy VPN Server (Chapter 8)

Step 1: Access SDM using HTTPS.

a. Start the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address at
https://192.168.3.1 in the address field. Be sure to use HTTPS as the protocol.

b. At the security certificate warning, click Continue to this website.

c. Log in with no username and the enable secret password cisco12345.

d. In the Authentication Required dialog box and IOS IPS Login dialog box, do not enter a username, but
enter the enable secret password cisco12345.


Step 2: Launch the Easy VPN Server Wizard.

a. Click the Configure button at the top of the SDM home screen and click the VPN task button to view
the VPN configuration page.

b. Select Easy VPN Server from the main VPN window, and then click Launch Easy VPN Server
Wizard.

Note: The Easy VPN Server Wizard checks the router configuration to see if AAA is enabled. If AAA is
not enabled, the Enable AAA window displays. AAA was enabled on the router previously.


Step 3: Configure the virtual tunnel interface and authentication.

Select the interface on which the client connections terminate. Click the Unnumbered to radio button,
and select the Serial0/0/1 interface from the pull-down menu.

Select Pre-shared Keys for the authentication type and click Next to continue.


Step 4: Select an IKE proposal.

In the Internet Key Exchange (IKE) Proposals window, the default IKE proposal is used for R3. Click Next
to accept the default IKE policy.


Step 5: Select the transform set.

In the Transform Sets window, the default SDM transform set is used. Click Next to accept the default
transform set.


Step 6: Specify the group authorization and group policy lookup.

In the Group Authorization and Group Policy Lookup window, select the Local option.

Click Next to create a new AAA method list for group policy lookup that uses the local router database.


Step 7: Configure user authentication (XAuth).

In the User Authentication (Xauth) window, check the Enable User Authentication check box and select
Local Only.

a. Click the Add User Credentials button. In the User Accounts window, you can view currently defined
local users or add new users. Which user account is currently defined locally? __________________

b. Add the new user VPNUser1 with a password of VPNUser1pa55 and click OK.

c. Click OK to close the User Accounts window. Click Next.




Step 8: Specify group authorization and user group policies.

In the Group Authorization and User Group Policies window, you must create at least one group policy for the
VPN server.

Click Add to create a group policy.

a. In the Add Group Policy window, enter VPN-Access in the Name of This Group field. Enter a new
pre-shared key of cisco12345 and then re-enter it. Leave the Pool Information box checked. Enter a
starting address of 192.168.3.200, an ending address of 192.168.3.250, and a subnet mask of
255.255.255.0.

b. Click OK to accept the entries.

c. An SDM warning message displays indicating that the IP address pool and the Fast Ethernet 0/1
address are in the same subnet. Click Yes to continue.

d. Check the Configure Idle Timer check box and enter 1 hour, 0 minutes, and 0 seconds.

e. When the Cisco Tunneling Control Protocol (cTCP) window displays, do not enable cTCP. Click OK if a
firewall warning message displays. Click Next to continue.

f. When the Easy VPN Server Pass-through Configuration window displays, make sure that the Action
Modify check box is checked. This option allows SDM to modify the firewall on S0/0/1 to allow IPsec VPN
traffic to reach the internal LAN.


Step 9: Review the configuration summary and deliver the commands.

Scroll through the commands that SDM will send to the router. Click Finish.


Step 10: Test the VPN Server

You are returned to the main VPN window with the Edit VPN Server tab selected. Click the Test VPN Server
button in the lower right corner of the screen. In the VPN Troubleshooting window, click the Start button. Click
Close to exit the VPN Troubleshooting window.


Task 2. Use the Cisco VPN Client to Test the Remote Access VPN (Chapter 8)

Step 1: (Optional) Install the Cisco VPN client.

If the Cisco VPN Client software is not already installed on host PC-A, install it now. If you do not have the
Cisco VPN Client software or are unsure of the process, contact your instructor.


Step 2: Configure PC-A as a VPN client to access the R3 VPN server.

Start the Cisco VPN Client. Select Connection Entries > New or click the New icon with the plus sign (+)
on it.

Enter the following information to define the new connection entry. Click Save when you are finished.

Connection Entry: VPN-Corp

Description: Connection to R3 corporate network

Host: 10.2.2.1 (IP address of the R3 S0/0/1 interface)

Group Authentication Name: VPN-Access (specifies the address pool configured in Task 2)

Password: cisco12345 (pre-shared key configured in Task 2)

Confirm Password: cisco12345

Note: The group authentication name and password are case-sensitive and must match the ones created
on the VPN Server.

Step 3: Test access from PC-A without a VPN connection.

Note: In the previous step, you created a VPN connection entry on the VPN client computer PC-A, but
have not activated it yet.

Open a command prompt on PC-A and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the
pings successful? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________


Step 4: Establish a VPN connection and login.

Select the newly created connection VPN-Corp and click the Connect icon. You can also double-click
the connection entry.

a. When the VPN Client User Authentication dialog box displays, enter the username VPNUser1 created
previously on the VPN router R3, and enter the password of VPNUser1pa55. Click OK to continue. The
VPN Client window minimizes to a lock icon in the tools tray of the taskbar. When the lock is closed, the
VPN tunnel is up. When it is open, the VPN connection is down.


Step 5: Test access from the client with the VPN connection.

With the VPN connection from computer PC-A to router R3 activated, open a command prompt on PC-A
and ping the R3 default gateway at 192.168.3.1. Then ping the PC-C IP address at 192.168.3.3 on the R3
LAN. Are the pings successful? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________


Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (FA0)        Fast Ethernet 1 (FA1)        Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (FA0/0)    Fast Ethernet 0/1 (FA0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600           Fast Ethernet 0/0 (FA0/0)    Fast Ethernet 0/1 (FA0/1)    Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800           Fast Ethernet 0/0 (FA0/0)    Fast Ethernet 0/1 (FA0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.



