52 Replies Latest reply: Mar 7, 2012 7:00 AM by Redistribution
      • 45. Re: Pictures of my new CCNP Lab - Want Opinions
        Redistribution

        As of now I have like 3*2950's, 1 L3 switch, and am getting an 1841 router (in the next 2 weeks), and a home internet connection. Need to know what all devices I need and how to set this up. I just want to provide remote access to one of my CCNP study partners. It would be very much appreciated if you could help me build this.

        I have basic hands-on with LINUX/UBUNTU and a few other flavours.

        Thanks Gerard,

        Regards,

        Amogha

        • 46. Re: Pictures of my new CCNP Lab - Want Opinions
          Gerard Weese

          amoghakp wrote:

          As of now I have like 3*2950's, 1 L3 switch, and am getting an 1841 router (in the next 2 weeks), and a home internet connection. Need to know what all devices I need and how to set this up. I just want to provide remote access to one of my CCNP study partners. It would be very much appreciated if you could help me build this.

          I have basic hands-on with LINUX/UBUNTU and a few other flavours.

          Thanks Gerard,

          Regards,

          Amogha

          What does your internet edge look like? You're looking to support clients (users) from outside of your private network. I will assume a 192.x.x.x network, and currently you probably run an edge device that gets a DHCP address from your ISP. What is that device that connects those two networks? A consumer router like a Linksys or Netgear WiFi router? Or a Cisco router running IOS? Or a Cisco firewall like a PIX 501? Or an ASA 5505?

          **************EXAMPLE********
          INSIDENET----------------------------EDGEDEVICE------------------------------INTERNET
          inside IP 192.x     inside IP 192.x (FirewallRules)OutsideIP x.x                Google and others
          **********************************

          What you need to do is pass traffic from public to private; most home networks don't do that. On Cisco IOS you would do this with an extended ACL and dynamic NAT, which Cisco likes to call PAT (port address translation) or which can sometimes be called NAT overload. So your inside network has a server running SSH (can be a router), let's say on 192.x.x.5, and NAT translates it to the outside address x.x.x.x. You still need the firewall ACL extended rule to instruct the firewall to pass the specific SSH traffic from outside to the specific inside host (192.x.x.5).

          The ACL I could venture a guess at, but the NAT rules always bug me a bit, and since I'm away from my gear right now, give me some time and I will draw something up for you for a few scenarios later tonight.

          -Gerard

          • 47. Re: Pictures of my new CCNP Lab - Want Opinions
            Patrick Geschwindner - CCIE R&S, CCSI

            I would simply use a plain VPN solution with one of your routers. If you cannot spare a physical router as your internet demarcation, then use a GNS router to terminate your VPN tunnel. This is an easy task, but if someone is interested, I can supply a simple config which works with the standard Cisco VPN client.

            • 48. Re: Pictures of my new CCNP Lab - Want Opinions
              Redistribution

              Thank you Patrick so much,

              If you could give me the sample config it would be great.

              Regards,

              Amogha

              • 49. Re: Pictures of my new CCNP Lab - Want Opinions
                Redistribution

                Thanks Gerard,

                I am looking for both the ideas of yours and Patrick's; let's see how it goes. I know I will get back to you for sure for more on this.

                Regards,

                Amogha

                • 50. Re: Pictures of my new CCNP Lab - Want Opinions
                  Patrick Geschwindner - CCIE R&S, CCSI

                  Here is an example which I have used for years. I hope I did not forget any detail. I am not encrypting the payload, I just want a transparent tunnel so I have direct access to my labs. This is configured on my 2811 connected to the internet on F0/1. I did not include the "ip nat inside" interfaces carrying the inside segments. My internal segments are 192.168.16.0, 64.0, 128.0, etc.

                  service password-encryption
                  aaa new-model
                  !
                  !
                  aaa authentication login userauthen local
                  aaa authentication login bogus line
                  aaa authorization network groupauthor local
                  !
                  username patrick privilege 15 password 7 ******  <- this is user/pass for the PC-client, just add more users if needed
                  !
                  crypto isakmp policy 10
                  encr 3des
                  authentication pre-share
                  group 2
                  !
                  crypto isakmp client configuration group vpnclients
                  key *******   <- this is the preshared key you need for the client-entry on your PC
                  pool vpnclient1_pool
                  acl split_tunnel_acl   <- this avoids internet traffic from your client going through the VPN
                  !
                  !
                  crypto ipsec transform-set vpnclient-set esp-null esp-sha-hmac <- I'm not encrypting the payload (esp-null)
                  !
                  crypto dynamic-map dynmap 10
                  set transform-set vpnclient-set
                  qos pre-classify
                  !
                  !
                  crypto map clientmap client authentication list userauthen
                  crypto map clientmap isakmp authorization list groupauthor
                  crypto map clientmap client configuration address respond
                  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
                  !
                  interface FastEthernet0/1
                  description Internet Transport Segment
                  ip address dhcp
                  crypto map clientmap   <- this lets the router listen to ESP protocol
                  !
                  ip local pool vpnclient1_pool 192.168.20.1 192.168.20.31  <- this is the IP address pool for your VPN clients
                  !
                  ip nat inside source list nat_allow interface FastEthernet0/1 overload <- NAT to the outside interface
                  !
                  ip access-list extended nat_allow   <- prevent VPN addresses from being NAT'ed
                  deny   ip 192.168.0.0 0.0.255.255 192.168.20.0 0.0.0.255
                  permit ip 192.168.0.0 0.0.255.255 any
                  !
                  ip access-list extended split_tunnel_acl <- internet access is outside of the tunnel for the client
                  permit ip 192.168.16.0 0.0.0.255 192.168.20.0 0.0.0.31   <- permit the addresses you need to be tunneled
                  permit ip 192.168.128.0 0.0.0.255 192.168.20.0 0.0.0.31
                  permit ip 192.168.64.0 0.0.0.255 192.168.20.0 0.0.0.31
                  permit ip 192.168.18.0 0.0.0.255 192.168.20.0 0.0.0.31


                  Hope that works out for you
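The two configs discussed in this thread (Gerard's "extended ACL plus PAT for one SSH host" idea and Patrick's nat_allow / split_tunnel_acl lists) both hinge on wildcard masks and on first-match ordering. The following is an added example, not code from the thread or from Cisco: a small evaluator for IOS-style extended ACL entries that transcribes Patrick's two lists as posted, adds a constructed inbound TCP/22 rule for Gerard's scenario (the inside SSH host 192.168.16.5 and the public addresses 203.0.113.7 and 198.51.100.9 are made-up documentation addresses), and runs a few constructed flows through them. The evaluator is deliberately simplified: no "established", no port ranges, and "any"/"host" are written out as explicit wildcards.

```python
# Added example (not from the thread): IOS-style extended ACL evaluator with
# wildcard masks, used to check the logic of the nat_allow / split_tunnel_acl
# lists posted above and of the inbound SSH rule Gerard describes.
# Simplified: no "established", no port ranges, no "host"/"any" keywords.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port, tcp/udp only

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# Patrick's nat_allow list, transcribed from the post above.
NAT_ALLOW = [
    Ace("deny", "ip", "192.168.0.0", "0.0.255.255", "192.168.20.0", "0.0.0.255"),
    Ace("permit", "ip", "192.168.0.0", "0.0.255.255", *ANY),
]

# Patrick's split_tunnel_acl: lab segments (source) to the client pool (destination).
SPLIT_TUNNEL = [
    Ace("permit", "ip", net, "0.0.0.255", "192.168.20.0", "0.0.0.31")
    for net in ("192.168.16.0", "192.168.128.0", "192.168.64.0", "192.168.18.0")
]

# Constructed for Gerard's scenario: one inbound rule on the edge that only
# passes TCP/22 to a single SSH host (192.168.16.5 is a made-up address).
INBOUND_SSH = [
    Ace("permit", "tcp", *ANY, "192.168.16.5", "0.0.0.0", dport=22),
]


def check_config() -> dict:
    """Evaluate a few constructed flows against the three lists."""
    return {
        # lab host to VPN client: must NOT be NATed, so the tunnel sees the real source
        "lab_to_vpn_nat": evaluate(NAT_ALLOW, "ip", "192.168.16.10", "192.168.20.5"),
        # lab host to the internet (203.0.113.7 is a documentation address): PAT applies
        "lab_to_internet_nat": evaluate(NAT_ALLOW, "ip", "192.168.16.10", "203.0.113.7"),
        # same flow with the two nat_allow entries swapped: ordering matters
        "lab_to_vpn_nat_reordered": evaluate(list(reversed(NAT_ALLOW)), "ip",
                                             "192.168.16.10", "192.168.20.5"),
        # client pool is .1-.31; wildcard 0.0.0.31 covers .0-.31, not .40
        "split_in_pool": evaluate(SPLIT_TUNNEL, "ip", "192.168.16.1", "192.168.20.3"),
        "split_outside_pool": evaluate(SPLIT_TUNNEL, "ip", "192.168.16.1", "192.168.20.40"),
        # inbound SSH (198.51.100.9 is a documentation address)
        "ssh_to_host": evaluate(INBOUND_SSH, "tcp", "198.51.100.9", "192.168.16.5", 22),
        "telnet_to_host": evaluate(INBOUND_SSH, "tcp", "198.51.100.9", "192.168.16.5", 23),
        "ssh_to_other_host": evaluate(INBOUND_SSH, "tcp", "198.51.100.9", "192.168.16.6", 22),
    }


if __name__ == "__main__":
    for name, verdict in check_config().items():
        print(f"{name:26} {verdict}")
```

The "lab_to_vpn_nat_reordered" flow is the point worth remembering: with the deny and permit lines of nat_allow swapped, traffic from the lab to a VPN client would match the blanket permit first and be PAT'ed out the internet interface instead of going back through the tunnel. Likewise, the split-tunnel list uses 0.0.0.31 to fit the 32-address client pool, while the NAT deny line uses the wider 0.0.0.255, so anything in 192.168.20.0/24 is kept out of NAT.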

                  • 51. Re: Pictures of my new CCNP Lab - Want Opinions
                    Joshua Johnson - CCNP R&S

                    Yup, I still love the mount-on-the-wall idea; must be hard to deal with the PCI cards though.

                    Nice on the security configs Patrick, I hope to learn all about that very soon so I can implement it all on my own home lab, very nice indeed!
