Pictures of my new CCNP Lab - Want Opinions (CCNP R&S Study Group discussion)
7783 Views, 52 Replies. Latest reply: Mar 7, 2012 7:00 AM by Redistribution

  • Redistribution (44 posts since Jan 12, 2010)
    45. Mar 2, 2012 1:43 PM (in response to Gerard Weese)
    Re: Pictures of my new CCNP Lab - Want Opinions

    As of now I have 3 x 2950s, 1 L3 switch, and am getting an 1841 router (in the next 2 weeks), plus a home internet connection. I need to know what devices I need and how to set this up. I just want to provide remote access to one of my CCNP study partners. It would be very much appreciated if you could help me build this.

    I have basic hands-on experience with Linux/Ubuntu and a few other flavours.

    Thanks, Gerard.

    Regards,
    Amogha

  • Gerard Weese (220 posts since Jan 30, 2010)

    What does your internet edge look like? You're looking to support clients (users) from outside your private network. I will assume a 192.x.x.x network, and currently you probably run an edge device that gets a DHCP address from your ISP. What is the device that connects those two networks? A consumer router like a Linksys or Netgear WiFi router? A Cisco router running IOS? A Cisco firewall like a PIX 501 or an ASA 5505?

    **************EXAMPLE********

    INSIDENET----------------------------EDGEDEVICE------------------------------INTERNET

    inside IP 192.x     inside IP 192.x (FirewallRules) OutsideIP x.x                Google and others

    **********************************

    What you need to do is pass traffic from public to private; most home networks don't do that. On Cisco IOS you would do this with an extended ACL and dynamic NAT, which Cisco likes to call PAT (port address translation) or which can sometimes be called NAT overload. So your inside network has a server running SSH (it can be a router), let's say on 192.x.x.5, and NAT translates it to the outside address x.x.x.x. You still need the extended firewall ACL rule to instruct the firewall to pass the specific SSH traffic from outside to the specific inside host (192.x.x.5).

    The ACL I could venture a guess at, but the NAT rules always bug me a bit, and since I'm away from my gear right now, give me some time and I will draw something up for you for a few scenarios later tonight.

    -Gerard
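The port-forwarding approach Gerard describes, written out as an added example. This is not Gerard's configuration (he says he will post his own later) and is not from the original thread. It assumes an IOS router with FastEthernet0/0 as the internet side getting a DHCP address, FastEthernet0/1 as the inside LAN on 192.168.1.0/24, an SSH server (a lab router) at 192.168.1.5, and a study partner connecting from the public address 203.0.113.10; all of those names and addresses are assumptions. The inbound ACL is applied to the outside interface, where IOS evaluates it before outside-to-inside NAT, so the rule matches on the public side (`any` as destination, since the public address comes from DHCP) and restricts the source to the partner's address rather than opening port 22 to the whole internet.

```cisco
! Added example, not Gerard's config. Assumed: F0/0 = internet (DHCP), F0/1 = inside 192.168.1.0/24,
! SSH host 192.168.1.5 (a lab router), study partner's public address 203.0.113.10.
!
! 1. Outbound PAT ("NAT overload") for the inside network
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet0/0 overload
!
! 2. Static PAT: TCP/22 arriving on the outside address is forwarded to 192.168.1.5:22.
!    Only this one port on this one host is reachable from outside.
ip nat inside source static tcp 192.168.1.5 22 interface FastEthernet0/0 22
!
! 3. Inbound ACL on the outside interface. IOS checks an inbound ACL before
!    outside-to-inside NAT, so the destination is still the public address
!    (not known in advance with DHCP), hence "any" as destination; the source
!    is the part worth pinning down.
ip access-list extended OUTSIDE_IN
 remark SSH only from the study partner's address (assumed 203.0.113.10)
 permit tcp host 203.0.113.10 any eq 22
 remark DHCP replies from the ISP to the outside interface
 permit udp any eq bootps any eq bootpc
 remark everything else arriving from the internet is dropped and logged
 deny   ip any any log
!
! 4. Stateful inspection (CBAC) so return traffic for sessions started from
!    the lab is let back in despite the deny at the end of OUTSIDE_IN.
ip inspect name LAB_FW tcp
ip inspect name LAB_FW udp
ip inspect name LAB_FW icmp
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description Internet (DHCP from ISP)
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect LAB_FW out
!
! On the SSH host itself (192.168.1.5): SSH version 2 only, and slow down password guessing
!   ip ssh version 2
!   login block-for 120 attempts 3 within 60
!
! Verification after the partner connects:
!   show ip nat translations      (a line for tcp <public>:22 <-> 192.168.1.5:22)
!   show access-lists OUTSIDE_IN  (hit counts on the permit tcp line, and on the deny)
!   show ip inspect sessions
```

If the partner's address changes (typical for a home connection), the `permit tcp host ...` line is the one to update; widening it to `any` turns the lab's SSH port into an internet-wide password-guessing target, which is why the `login block-for` line on the SSH host is there.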

  • I would simply use a plain VPN solution with one of your routers. If you cannot spare a physical router as your internet demarcation, then use a GNS router to terminate your VPN tunnel. This is an easy task, but if someone is interested, I can supply a simple config which works with the standard Cisco VPN client.

  • Redistribution (44 posts since Jan 12, 2010)

    Thank you so much, Patrick.

    If you could give me the sample config, it would be great.

    Regards,
    Amogha

  • Redistribution (44 posts since Jan 12, 2010)
    49. Mar 5, 2012 8:18 AM (in response to Gerard Weese)
    Re: Pictures of my new CCNP Lab - Want Opinions

    Thanks, Gerard.

    I am looking at both your ideas and Patrick's; let's see how it goes. I know I will get back to you for sure for more on this.

    Regards,
    Amogha

  • 50. Mar 5, 2012 11:45 AM (in response to Redistribution)
    Re: Pictures of my new CCNP Lab - Want Opinions

    Here is an example which I have used for years. I hope I did not forget any detail. I am not encrypting the payload; I just want a transparent tunnel so I have direct access to my labs. This is configured on my 2811, connected to the internet on F0/1. I did not include the "ip nat inside" interfaces carrying the inside segments. My internal segments are 192.168.16.0, 64.0, 128.0, etc.

    service password-encryption
    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authentication login bogus line
    aaa authorization network groupauthor local
    !
    username patrick privilege 15 password 7 ******   <- this is the user/pass for the PC client, just add more users if needed
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpnclients
     key *******   <- this is the preshared key you need for the client entry on your PC
     pool vpnclient1_pool
     acl split_tunnel_acl   <- this avoids internet traffic from your client going through the VPN
    !
    crypto ipsec transform-set vpnclient-set esp-null esp-sha-hmac   <- I'm not encrypting the payload (esp-null)
    !
    crypto dynamic-map dynmap 10
     set transform-set vpnclient-set
     qos pre-classify
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface FastEthernet0/1
     description Internet Transport Segment
     ip address dhcp
     ip nat outside   <- the NAT overload statement below needs this interface marked as the outside
     crypto map clientmap   <- this lets the router listen for ESP
    !
    ip local pool vpnclient1_pool 192.168.20.1 192.168.20.31   <- this is the IP address pool for your VPN clients
    !
    ip nat inside source list nat_allow interface FastEthernet0/1 overload   <- NAT to the outside interface
    !
    ip access-list extended nat_allow   <- prevent VPN addresses from being NAT'ed
     deny   ip 192.168.0.0 0.0.255.255 192.168.20.0 0.0.0.255
     permit ip 192.168.0.0 0.0.255.255 any
    !
    ip access-list extended split_tunnel_acl   <- internet access is outside of the tunnel for the client
     permit ip 192.168.16.0 0.0.0.255 192.168.20.0 0.0.0.31   <- permit the addresses you need to be tunneled
     permit ip 192.168.128.0 0.0.0.255 192.168.20.0 0.0.0.31
     permit ip 192.168.64.0 0.0.0.255 192.168.20.0 0.0.0.31
     permit ip 192.168.18.0 0.0.0.255 192.168.20.0 0.0.0.31

    Hope that works out for you
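An added variant of the VPN configuration above, not from the original post: the same remote-access setup with the payload actually encrypted. With `esp-null`, IKE and the XAUTH login are encrypted but every telnet or console-server session to the lab crosses the internet in cleartext inside the tunnel. The policy, transform-set, group and pool names are the ones from the post so the rest of the config can stay as it is; the AES-256/SHA choices, the keepalive, the privilege change and the show commands are the additions. AES support on the 2811 and the DH group limits of the classic Cisco VPN Client are assumptions stated in the comments.

```cisco
! Added example, not the poster's config. Only the lines that differ from the posted
! configuration are shown; aaa, the vpnclients group, dynamic map, crypto map, pool,
! NAT and split-tunnel ACL stay exactly as posted.
!
! Weak: the posted transform-set authenticates but does not encrypt the payload
!   crypto ipsec transform-set vpnclient-set esp-null esp-sha-hmac
!
! Corrected: AES-256 for confidentiality, SHA-HMAC for integrity. Same set name, so
! "set transform-set vpnclient-set" in the dynamic map needs no change.
crypto ipsec transform-set vpnclient-set esp-aes 256 esp-sha-hmac
!
! Phase 1: 3DES replaced by AES-256. Group 2 is kept because that is what the
! classic Cisco VPN Client negotiates with this setup (assumption; check your
! client version before moving to a stronger group).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Note: the VPN Client uses IKE aggressive mode with the group pre-shared key, so
! a listener on the path can capture material to brute-force that key offline.
! Make the "key" under "crypto isakmp client configuration group vpnclients" long
! and random, and treat the per-user XAUTH password as the real credential.
!
! Dead peer detection: stale SAs and pool addresses are released when a client drops
crypto isakmp keepalive 30 5
!
! XAUTH only needs the username to exist in the local database. With aaa new-model
! and no "default" login method list, the vty lines also authenticate against the
! local database, so a privilege 15 VPN user can log into the router itself.
! Privilege 1 is enough for the VPN login.
username patrick privilege 1 password 7 ******
!
! Verification once a client is connected:
!   show crypto isakmp sa                (state QM_IDLE for the client's peer address)
!   show crypto ipsec sa                 (#pkts encrypt/decrypt counters increasing,
!                                         transform shows esp-aes 256 esp-sha-hmac)
!   show crypto session detail
!   show ip local pool vpnclient1_pool   (one address in use per connected client)
```

Keeping the transform-set name means the change is two lines plus the policy; if the client refuses the new proposal, `debug crypto isakmp` on the router shows which attribute (encryption, hash or group) failed to match.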

  • Joshua Johnson - CCNP R&S (5,130 posts since Sep 22, 2009)

    Yup, I still love the mount-on-the-wall idea; must be hard to deal with the PCI cards though.

    Nice on the security configs, Patrick. I hope to learn all about that very soon so I can implement it all on my own home lab. Very nice indeed!
