All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 26
CCNA Security
Chapter 8 Lab C Optional: Configuring a Remote Access VPN Server and Client
Instructor Version
Grey Highlighting – indicates answers provided on instructor lab copies only
Topology
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.
IP Addressing Table
Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
        S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
        Loopback 0     192.168.2.1   255.255.255.0    N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
        S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 Fa0/18
Objectives
Part 1: Basic Router Configuration
Configure host names, interface IP addresses, and access passwords.
Configure the EIGRP dynamic routing protocol on R2 and R3.
Part 2: Configuring a Remote Access VPN
Use CCP to configure a router to support an Easy VPN server.
Configure the Cisco VPN client on PC-A and connect to R2.
Verify the configuration.
Test VPN functionality.
Background
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. A common VPN implementation is used for remote access to a corporate office from a telecommuter location, such as a small office or home office (SOHO).
In this lab, you build a multi-router network and configure the routers and hosts. You configure a remote access IPsec VPN between a client computer and a simulated corporate network. You use CCP to configure a Cisco Easy VPN server on the corporate edge gateway router and configure the Cisco VPN client on a host. Then you connect to the corporate network through a simulated ISP router.
The Cisco VPN client allows organizations to establish end-to-end, encrypted IPsec VPN tunnels for secure connectivity for mobile employees or teleworkers. It supports Cisco Easy VPN, which allows the client to receive security policies upon a VPN tunnel connection from the central site VPN device (Cisco Easy VPN Server), minimizing configuration requirements at the remote location. This is a scalable solution for remote access deployments where it is impractical to individually configure policies for multiple remote PCs.
Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and the output produced might vary from what is shown in this lab.
Note: Make sure that the routers and the switches have been erased and have no startup configurations. Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.
Required Resources
3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
Note: This lab requires that R2 have a comparable IOS and hardware characteristics to R1 and R3 in order for it to play the role of the VPN server.
2 switches (Cisco 2960 or comparable)
PC-A: Windows XP, Vista, or Windows 7 with Cisco VPN Client and CCP 2.5 installed
PC-C: Windows XP, Vista, or Windows 7
Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers via the console
CCP Notes:
Refer to Chp 00 Lab A for instructions on how to install CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above, and Flash Player Version 10.0.12.36 and later. If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item and choose Run as administrator.
In order to run CCP, it may be necessary to temporarily disable antivirus programs and OS firewalls. Make sure that all pop-up blockers are turned off in the browser.
Instructor Notes: Host PC-A is connected to R1, which simulates an ISP router. R1 is connected to R2, the corporate edge gateway router. Router R2 connects to R3 to represent a multirouter internal corporate network. Routers R2 and R3 are configured with EIGRP. The ISP router, R1, does not participate in the EIGRP process. PC-A is used to connect to R2 through R1 to configure R2 as a VPN server. Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3. The version of the Cisco VPN Client used in this lab is 4.8.02.0010 for use with Windows XP. You must have a valid CCO account and service contract to download the file. The basic running configs for all three routers are captured after Part 2 of the lab is completed. All configs are found at the end of the lab.
Part 1: Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, dynamic routing, device access, and passwords.
Note: Perform all tasks on routers R1, R2, and R3. The procedure for R1 is shown here as an example.
Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each router.
a. Configure hostnames as shown in the topology.
b. Configure the physical interface IP addresses as shown in the IP addressing table.
c. Configure the logical loopback 0 interface on R2. This simulates the network from which the remote access clients receive addresses (192.168.2.0/24). Because loopback interfaces are up by default, it is not necessary to use the no shutdown command.
R2(config)# interface Loopback 0
R2(config-if)# ip address 192.168.2.1 255.255.255.0
d. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000
Step 3: Disable DNS lookup.
To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)# no ip domain-lookup
Step 4: Configure the EIGRP routing protocol on R2 and R3.
Note: R2 and R3 exchange routes in EIGRP AS 101. R1 is acting as an ISP router and does not participate in the EIGRP routing process.
a. On R2, use the following commands.
R2(config)# router eigrp 101
R2(config-router)# network 10.1.1.0 0.0.0.3
R2(config-router)# network 10.2.2.0 0.0.0.3
R2(config-router)# network 192.168.2.0 0.0.0.255
R2(config-router)# no auto-summary
b. On R3, use the following commands.
R3(config)# router eigrp 101
R3(config-router)# network 192.168.3.0 0.0.0.255
R3(config-router)# network 10.2.2.0 0.0.0.3
R3(config-router)# no auto-summary
Step 5: Configure a static default route on R2.
Router R1 represents a connection to the Internet. A default route is configured on R2 for all traffic whose destination network does not exist in the R2 routing table.
Note: Without the default route configured on R2, R2 cannot respond to the CCP HTTP connection from PC-A later in the lab. Because R1 is not part of the EIGRP domain and is not advertising the PC-A LAN, R2 does not know about the 192.168.1.0/24 network.
a. Configure a static default route on R2 that points to the R1 S0/0/0 interface IP address.
R2(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
b. Redistribute the static default into EIGRP so that R3 also learns the route.
R2(config)# router eigrp 101
R2(config-router)# redistribute static
Step 6: Configure PC host IP settings.
a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP addressing table.
b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP addressing table.
Step 7: Verify basic network connectivity.
a. Ping from PC-A to the R2 S0/0/0 interface at IP address 10.1.1.2. Are the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: PC-A should be able to ping external R2 interface S0/0/0 but is not able to ping any of the internal EIGRP network IP addresses on R2 and R3.
b. Ping from R2 to PC-C on the R3 LAN. Are the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from R2 to PC-C, you have demonstrated that the EIGRP routing protocol is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.
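The two notes in Step 5 and Step 7 follow from which routes each device holds: R1 knows only its connected networks, R2 and R3 exchange routes in EIGRP, and R2's static default is the only path back toward PC-A. The following Python script is an added example, not part of the Cisco lab; it builds routing tables from the lab's IP addressing table and Steps 2 to 5 (the tables, the OWNERS map and the build_tables(r2_default=...) switch are assumptions made for the example) and traces an echo request and its reply with longest-prefix-match lookups, so you can see where each ping from Step 7 is delivered or dropped, and what happens to the reply when the R2 default route is missing.

```python
"""Forwarding trace for the lab topology, as a check on the Step 5 and Step 7
notes. Added example, not part of the Cisco lab. The routing tables are
constructed from the lab's IP addressing table and Steps 2-5: R1 knows only
its connected networks, R2 and R3 share routes in EIGRP AS 101, and R2's
static default (redistributed into EIGRP) is the only way out of the corporate
network. Lookups use longest-prefix match, as a router's FIB does."""
from ipaddress import ip_address, ip_network

# Owner of each interface address, from the IP addressing table.
OWNERS = {
    "192.168.1.3": "PC-A", "192.168.3.3": "PC-C",
    "192.168.1.1": "R1", "10.1.1.1": "R1",
    "10.1.1.2": "R2", "10.2.2.2": "R2", "192.168.2.1": "R2",
    "192.168.3.1": "R3", "10.2.2.1": "R3",
}

def build_tables(r2_default=True):
    """Routing tables as (prefix, next hop) pairs; next hop None = connected."""
    tables = {
        "PC-A": [("0.0.0.0/0", "192.168.1.1")],                  # default gateway
        "PC-C": [("0.0.0.0/0", "192.168.3.1")],
        "R1": [("192.168.1.0/24", None), ("10.1.1.0/30", None)],  # ISP: connected only
        "R2": [("10.1.1.0/30", None), ("10.2.2.0/30", None),
               ("192.168.2.0/24", None),
               ("192.168.3.0/24", "10.2.2.1")],                  # learned via EIGRP
        "R3": [("192.168.3.0/24", None), ("10.2.2.0/30", None),
               ("10.1.1.0/30", "10.2.2.2"),                      # learned via EIGRP
               ("192.168.2.0/24", "10.2.2.2")],
    }
    if r2_default:
        tables["R2"].append(("0.0.0.0/0", "10.1.1.1"))           # Step 5a
        tables["R3"].append(("0.0.0.0/0", "10.2.2.2"))           # Step 5b (redistribute static)
    return tables

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None when no route."""
    addr = ip_address(dst)
    matches = [(ip_network(p), nh) for p, nh in table if addr in ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nh

def trace(tables, src_node, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (nodes visited, delivered?)."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if OWNERS.get(dst) == node:
            return path, True
        route = lookup(tables[node], dst)
        if route is None:
            return path, False                # no route: dropped at this node
        _, next_hop = route
        # Connected route: hand the packet straight to the owner of dst.
        node = OWNERS.get(dst if next_hop is None else next_hop)
        if node is None:
            return path, False                # no such host on the link
        path.append(node)
    return path, False

def round_trip(tables, src_node, src_addr, dst):
    """Echo request src_node -> dst, then the reply from dst's owner back to src_addr."""
    fwd, ok = trace(tables, src_node, dst)
    if not ok:
        return False, fwd, []
    rev, ok = trace(tables, fwd[-1], src_addr)
    return ok, fwd, rev

if __name__ == "__main__":
    t = build_tables()
    print("PC-A -> R2 S0/0/0:", round_trip(t, "PC-A", "192.168.1.3", "10.1.1.2"))
    print("PC-A -> PC-C     :", round_trip(t, "PC-A", "192.168.1.3", "192.168.3.3"))
    print("R2   -> PC-C     :", round_trip(t, "R2", "10.2.2.2", "192.168.3.3"))
    print("PC-A -> R2, no default on R2:",
          round_trip(build_tables(r2_default=False), "PC-A", "192.168.1.3", "10.1.1.2"))
```

Running it shows the ping to 10.1.1.2 succeeding in both directions (PC-A, R1, R2 and back), the ping to PC-C or to the R2 loopback being dropped at R1 because the ISP router has no route to the internal networks, and, with r2_default=False, the request still reaching R2 but the reply dying there for want of a route to 192.168.1.0/24, which is exactly why the CCP HTTP session in Part 2 depends on Step 5.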
Step 8: Configure a minimum password length.
Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10
Step 9: Configure the basic console and vty lines.
a. Configure a console password and enable login for router R1. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
b. Configure the password on the vty lines for router R1.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
c. Repeat these configurations on both R2 and R3.
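Because Steps 8 and 9 have to be repeated on all three routers, it is easy to leave one line block without login, without a password, or with the exec-timeout 0 0 shortcut the note warns against. The following Python script is an added example, not part of the Cisco lab: it reads a captured running-config (the two configs embedded below are constructed for the example, one with deliberate gaps) and reports the line-security settings from Steps 8 and 9 that are missing, plus the service password-encryption setting introduced in Step 10. The audit() and parse_lines() helpers are assumptions made for the example.

```python
"""Audit a captured IOS running-config for the settings this lab applies in
Steps 8-10. Added example, not part of the Cisco lab. Both configs below are
constructed; SAMPLE_CONFIG carries deliberate weaknesses to exercise the checks."""
import re

SAMPLE_CONFIG = """\
hostname R1
!
security passwords min-length 10
!
line con 0
 password ciscoconpass
 exec-timeout 0 0
 logging synchronous
 login
line vty 0 4
 password ciscovtypass
 exec-timeout 5 0
line vty 5 15
 login
"""

HARDENED_CONFIG = """\
hostname R1
!
security passwords min-length 10
service password-encryption
!
line con 0
 password ciscoconpass
 exec-timeout 5 0
 logging synchronous
 login
line vty 0 4
 password ciscovtypass
 exec-timeout 5 0
 login
"""

def parse_lines(config):
    """Return {'line con 0': [sub-commands], ...} for every line block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None              # any unindented line ends the block
    return blocks

def audit(config):
    """List findings against Steps 8-10; an empty list means the config passes."""
    findings = []
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if m is None or int(m.group(1)) < 10:
        findings.append("global: minimum password length of 10 not set (Step 8)")
    if "service password-encryption" not in config.splitlines():
        findings.append("global: service password-encryption not set (Step 10)")
    for name, cmds in parse_lines(config).items():
        if "login" not in cmds:
            findings.append(f"{name}: login not enabled")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: no password configured")
        timeouts = [c for c in cmds if c.startswith("exec-timeout ")]
        if not timeouts:
            findings.append(f"{name}: exec-timeout not set (lab uses 5 0)")
        elif timeouts[-1] == "exec-timeout 0 0":
            findings.append(f"{name}: exec-timeout 0 0 never expires the session")
    return findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

On a real router, paste the output of show running-config into the script in place of the constructed text; the parser only relies on IOS indenting line sub-commands by one space, which is how the running-config is displayed, and it treats each line block (con 0, vty 0 4, vty 5 15) separately because a vty range that was never configured is the one most often missed.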
Step 10: Encrypt clear text passwords.
a. Use the service password-encryption command to encrypt the console, aux, and vty