Archive for May, 2007

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

1. R1 Configuration (HUB).

!Basic configuration
interface Serial1/2
 ip address 11.1.1.1 255.255.255.0
!
interface Loopback0
 ip address 10.11.1.1 255.255.255.0
 ip ospf network point-to-point
!
ip route 0.0.0.0 0.0.0.0 11.1.1.2
!
! DMVPN GRE part
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10000
 tunnel source Serial1/2
 tunnel mode gre multipoint
 tunnel key 10000
!
! DMVPN OSPF part
router ospf 1
 network 10.11.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
interface Tunnel0
 ip ospf network broadcast
!
! DMVPN IPSec part
crypto keyring dmvpn-key
 pre-shared-key address 0.0.0.0 0.0.0.0 key dmvpncisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile dmvpn-profile
 keyring dmvpn-key
 match identity address 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn-ipsec-profile
 set transform-set ccsp
 set isakmp-profile dmvpn-profile
!
interface Tunnel0
 tunnel protection ipsec profile dmvpn-ipsec-profile
!
!Configure EZVPN
aaa new-model
!
aaa authentication login vpn-login local
aaa authorization network vpn-author local
!
username wanglinlin password 0 cisco
!
ip local pool vpn-client-pool 10.20.1.1 10.20.1.200
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
crypto isakmp client configuration group myvpnclient
 key clientcisco
 domain vpneasy.net
 pool vpn-client-pool
 acl 101
 save-password
!
crypto isakmp profile ezvpn-profile
 match identity group myvpnclient
 client authentication list vpn-login
 isakmp authorization list vpn-author
 client configuration address respond
!
crypto ipsec transform-set ezvpn-tr esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dynamic-map 10
 set transform-set ezvpn-tr
 set isakmp-profile ezvpn-profile
 reverse-route
!
crypto map ezvpn-map 10 ipsec-isakmp dynamic ezvpn-dynamic-map
!
interface Serial1/2
 crypto map ezvpn-map
!
!Use RRI and route redistribution to advertise the client routes into the VPN network.
router ospf 1
 redistribute static subnets

2. R2 and R3 Configuration.
Refer to the post “Cisco IPSec DMVPN on dynamips”.

20 May

Cisco IPSec DMVPN on dynamips

Posted by: admin in Cisco, Cisco Dynamips Exams

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

1. R1 Configuration (HUB).

hostname r1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 173.16.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 173.16.1.2
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10000
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 10000
!
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!
interface Tunnel0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
!Modify the EIGRP configuration for DMVPN.

2. R2 Configuration (Spoke).

hostname r2
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 173.16.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 173.16.2.2
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 173.16.1.1
 ip nhrp map 192.168.1.1 173.16.1.1
 ip nhrp network-id 10000
 ip nhrp nhs 192.168.1.1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 10000
!
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary

3. R3 Configuration (Spoke).

hostname r3
!
interface Loopback0
 ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 173.16.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 173.16.3.2
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 173.16.1.1
 ip nhrp map 192.168.1.1 173.16.1.1
 ip nhrp network-id 10000
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10000
!
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary

4. Enable IPSec on R1, R2 and R3.

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set ccsp
!
interface Tunnel0
 tunnel protection ipsec profile cisco

5. Use OSPF instead of EIGRP.

!If you want to use OSPF as the routing protocol, do as follows:
!Hub router:
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
interface Tunnel0
 ip ospf network broadcast
!Spoke router:
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
interface Tunnel0
 ip ospf network broadcast
 ip ospf priority 0

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In the lab, both access links advertise IP reachability of the loopback interface on R2. If one of the access links fails, the loopback is still reachable from R1, and the redundant link maintains the established IKE and IPSec security associations.

1. R1 Configuration.

R1#sh run
version 12.4
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 14.1.1.1
 set transform-set ccsp
 match address 101
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 11.1.1.1 255.255.255.0
 crypto map cisco
!
router ospf 1
 network 11.1.1.0 0.0.0.255 area 0
!
ip route 10.2.2.0 255.255.255.0 11.1.1.2
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

2. R2 Configuration.

R2#sh run
version 12.4
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
 set peer 11.1.1.1
 set transform-set ccsp
 match address 101
!
interface Loopback0
 ip address 14.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 10.2.2.1 255.255.255.0
!
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 crypto map cisco
!
interface Serial1/1
 ip address 13.1.1.1 255.255.255.0
 crypto map cisco
!
router ospf 1
 network 12.1.1.0 0.0.0.255 area 0
 network 13.1.1.0 0.0.0.255 area 0
 network 14.1.1.0 0.0.0.255 area 0
!
ip route 10.1.1.0 255.255.255.0 11.1.1.1

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In the lab, both access-link IP addresses are configured on R1 as IKE identities of R2. When R1 initiates IKE negotiation, the first peer IP address is used by IKE and becomes R2’s IKE identity for this peer. If this IKE SA times out during the negotiation, the second IP address becomes the IKE identity of R2.

1. R1 Configuration.

R1#sh run
version 12.4
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 13.1.1.1
 set peer 12.1.1.1
 set transform-set ccsp
 match address 101
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 11.1.1.1 255.255.255.0
 crypto map cisco
!
router ospf 1
 network 11.1.1.0 0.0.0.255 area 0
!
ip route 10.2.2.0 255.255.255.0 11.1.1.2
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

2. R2 Configuration.

R2#sh run
version 12.4
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 11.1.1.1
 set transform-set ccsp
 match address 101
!
interface Loopback1
 ip address 10.2.2.1 255.255.255.0
!
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 crypto map cisco
!
interface Serial1/1
 ip address 13.1.1.1 255.255.255.0
 crypto map cisco
!
router ospf 1
 network 12.1.1.0 0.0.0.255 area 0
 network 13.1.1.0 0.0.0.255 area 0
!
ip route 10.1.1.0 255.255.255.0 11.1.1.1
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
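In all of the site-to-site labs on this page the crypto ACLs on the two peers have to be mirror images of each other (R1 permits 10.1.1.0/24 to 10.2.2.0/24, R2 permits 10.2.2.0/24 to 10.1.1.0/24); if they are not, IKE phase 2 fails with a proxy-identity mismatch. The script below is an added example, not part of the lab notes: it parses `access-list N permit ip` lines from each peer's configuration, converts the IOS address/wildcard pairs into prefixes, and reports any entry that the other side does not mirror. The two ACL lines are the ones from the R1 and R2 configurations above; the parsing, the discontiguous-wildcard check and the function names are this example's own.

```python
import ipaddress

# Constructed input: the crypto ACL lines exactly as they appear in the R1 and R2 configurations.
R1_ACL = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
R2_ACL = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255\n"


def wildcard_to_network(address, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network.

    IOS accepts discontiguous wildcards such as 0.255.0.255, but those do not
    describe a single prefix and cannot be an IPsec proxy identity, so they are
    rejected here instead of being silently mis-converted.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{32 - host_bits}", strict=False)


def _take_address(tokens):
    """Consume one ACL address specification: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def crypto_acl_entries(config_text, acl_number):
    """Return the (source, destination) network pairs of the 'permit ip' entries in one ACL."""
    pairs = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:4] != ["access-list", str(acl_number), "permit", "ip"]:
            continue  # deny entries and other protocols do not select traffic for the SA
        src, rest = _take_address(t[4:])
        dst, _ = _take_address(rest)
        pairs.append((src, dst))
    return pairs


def unmirrored(local_text, remote_text, acl_number=101):
    """Entries of the local crypto ACL that the remote peer does not mirror.

    Every local (src, dst) pair needs a (dst, src) pair on the other side; an
    empty list is what the two peers need for their proxy identities to match.
    """
    remote = set(crypto_acl_entries(remote_text, acl_number))
    return [(s, d) for s, d in crypto_acl_entries(local_text, acl_number) if (d, s) not in remote]


if __name__ == "__main__":
    for side, (mine, theirs) in {"R1": (R1_ACL, R2_ACL), "R2": (R2_ACL, R1_ACL)}.items():
        print(side, "unmirrored entries:", unmirrored(mine, theirs))
```

The check is run in both directions because an extra entry on either peer is a problem: traffic matching it is sent into an SA negotiation the other side will reject.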

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In this lab, the VPN-GW peers (HUB1 and HUB2) are on a common public Ethernet using HSRP. The HSRP configuration makes one of the VPN-GW routers active and places the other one in standby at any given time. From an IPSec perspective, the spoke has an IPSec peer relationship with the HSRP virtual IP address owned by the active HSRP router. With stateful failover, a control channel is used to replicate the same SA information to the public interfaces of the peer that is serving as the standby HSRP node. The replication of SA information ensures that the standby HSRP router and standby IPSec peer have the necessary information to immediately assume the role of active HSRP and active IPSec peer.

1. HUB1 Configuration.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 173.1.1.2
 set transform-set ccsp
 match address 101
!
interface FastEthernet0/0
 ip address 16.1.1.1 255.255.255.0
 duplex half
 standby 10 ip 16.1.1.254
 standby 10 priority 101
 standby 10 preempt
 standby 10 name ipsec-public
 standby 10 track FastEthernet1/0
 crypto map cisco redundancy ipsec-public stateful
 standby delay reload 120
!
interface FastEthernet1/0
 ip address 10.2.2.1 255.255.255.0
 duplex half
 standby 20 ip 10.2.2.254
 standby 20 priority 101
 standby 20 preempt
 standby 20 name ipsec-private
 standby 20 track FastEthernet0/0
 standby delay reload 120
!
ip route 0.0.0.0 0.0.0.0 16.1.1.3
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
redundancy inter-device
 scheme standby ipsec-private
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.2.2.1
   remote-port 5000
    remote-ip 10.2.2.2

2. HUB2 Configuration.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 173.1.1.2
 set transform-set ccsp
 match address 101
!
interface FastEthernet0/0
 ip address 16.1.1.2 255.255.255.0
 duplex half
 standby 10 ip 16.1.1.254
 standby 10 priority 101
 standby 10 preempt
 standby 10 name ipsec-public
 standby 10 track FastEthernet1/0
 crypto map cisco redundancy ipsec-public stateful
 standby delay reload 120
!
interface FastEthernet1/0
 ip address 10.2.2.2 255.255.255.0
 duplex half
 standby 20 ip 10.2.2.254
 standby 20 priority 101
 standby 20 preempt
 standby 20 name ipsec-private
 standby 20 track FastEthernet0/0
 standby delay reload 120
!
ip route 0.0.0.0 0.0.0.0 16.1.1.3
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
redundancy inter-device
 scheme standby ipsec-private
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.2.2.2
   remote-port 5000
    remote-ip 10.2.2.1

3. SPOKE Configuration.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 16.1.1.254
 set transform-set ccsp
 match address 101
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 173.16.1.2 255.255.255.0
 crypto map cisco
!
ip route 10.2.2.0 255.255.255.0 173.16.1.1
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
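Stateful IPSec failover only works when the two hubs agree on a handful of values: the HSRP virtual addresses and group names, the standby group named in `crypto map ... redundancy ... stateful`, the group named in `scheme standby`, the IPsec peer, and the SCTP control channel, whose local and remote addresses and ports must be each other's mirror image. The spoke, in turn, must peer with the HSRP virtual address, not with either hub's own address. The script below is an added example, not part of the lab notes: it builds the two hub configurations from the relevant lines above (the hubs differ only in their own addresses, so a template with three substitutions reproduces them), extracts those values and reports errors plus one warning a practitioner usually wants: both hubs here use priority 101 on both groups, so which hub becomes active is decided by HSRP's tie-break (the higher interface address), not by the configuration. The parser and all function names are this example's own.

```python
# Constructed input: the redundancy-related lines of HUB1 and HUB2, transcribed from the
# post.  The two hubs differ only in their own public/private addresses and in the peer's
# private address, so one template with three substitutions reproduces both.
HUB_TEMPLATE = """\
crypto map cisco 10 ipsec-isakmp
 set peer 173.1.1.2
interface FastEthernet0/0
 ip address {public} 255.255.255.0
 standby 10 ip 16.1.1.254
 standby 10 priority 101
 standby 10 preempt
 standby 10 name ipsec-public
 standby 10 track FastEthernet1/0
 crypto map cisco redundancy ipsec-public stateful
interface FastEthernet1/0
 ip address {private} 255.255.255.0
 standby 20 ip 10.2.2.254
 standby 20 priority 101
 standby 20 preempt
 standby 20 name ipsec-private
redundancy inter-device
 scheme standby ipsec-private
ipc zone default
 association 1
  protocol sctp
   local-port 5000
    local-ip {private}
   remote-port 5000
    remote-ip {peer_private}
"""
HUB1 = HUB_TEMPLATE.format(public="16.1.1.1", private="10.2.2.1", peer_private="10.2.2.2")
HUB2 = HUB_TEMPLATE.format(public="16.1.1.2", private="10.2.2.2", peer_private="10.2.2.1")


def hub_facts(text):
    """Pull the HSRP, crypto-map redundancy and SCTP control-channel values out of one hub."""
    f = {"vip": {}, "priority": {}, "name": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "standby" and t[2] in ("ip", "priority", "name"):
            f["vip" if t[2] == "ip" else t[2]][t[1]] = t[3]
        elif t[:2] == ["crypto", "map"] and "redundancy" in t:
            f["redundancy"] = t[t.index("redundancy") + 1]
            f["stateful"] = "stateful" in t
        elif t[:2] == ["scheme", "standby"]:
            f["scheme"] = t[2]
        elif t[:2] == ["set", "peer"]:
            f["peer"] = t[2]
        elif t and t[0] in ("local-ip", "remote-ip", "local-port", "remote-port"):
            f[t[0]] = t[1]
    return f


def pair_findings(a_text, b_text, spoke_peer):
    """Compare the two hubs and the spoke's peer address; returns errors and warnings."""
    a, b = hub_facts(a_text), hub_facts(b_text)
    errors, warnings = [], []
    for g in sorted(set(a["vip"]) | set(b["vip"])):
        if a["vip"].get(g) != b["vip"].get(g):
            errors.append(f"group {g}: virtual IP differs ({a['vip'].get(g)} vs {b['vip'].get(g)})")
        if a["name"].get(g) != b["name"].get(g):
            errors.append(f"group {g}: standby name differs between the hubs")
        if a["priority"].get(g) == b["priority"].get(g):
            warnings.append(f"group {g}: both hubs use priority {a['priority'].get(g)}; HSRP breaks "
                            "the tie by the higher interface address, so the active hub is not explicit")
    for label, f in (("HUB1", a), ("HUB2", b)):
        if f.get("redundancy") not in f["name"].values():
            errors.append(f"{label}: crypto map redundancy group {f.get('redundancy')!r} is not a standby name")
        if not f.get("stateful"):
            errors.append(f"{label}: crypto map redundancy is not 'stateful', so SAs are not replicated")
        if f.get("scheme") not in f["name"].values():
            errors.append(f"{label}: 'scheme standby {f.get('scheme')}' does not name a standby group")
    if a.get("peer") != b.get("peer"):
        errors.append("IPsec peer differs between the hubs")
    if spoke_peer not in a["vip"].values():
        errors.append(f"spoke peers with {spoke_peer}, which is not an HSRP virtual address on the hubs")
    if (a.get("local-ip"), a.get("remote-ip")) != (b.get("remote-ip"), b.get("local-ip")):
        errors.append("SCTP control-channel addresses are not mirrored between the hubs")
    if (a.get("local-port"), a.get("remote-port")) != (b.get("remote-port"), b.get("local-port")):
        errors.append("SCTP control-channel ports are not mirrored between the hubs")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for kind, items in pair_findings(HUB1, HUB2, spoke_peer="16.1.1.254").items():
        for item in items:
            print(f"{kind}: {item}")
```

With the post's configuration the only output is the two equal-priority warnings; the errors list is empty, which is the state to confirm before testing failover by shutting an interface on the active hub.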

(Part 3: Cisco Secure Desktop)
Continuing the discussion from part 1; the topology is as follows:

Cisco Secure Desktop (CSD) extends the security of SSL VPN technology. CSD provides a separate partition on a user’s workstation for session activity. This vault area is encrypted during sessions and completely removed at the end of an SSL VPN session.

1. Preparing for Cisco Web VPN. (the same as part 1 or part 2)

Because CSD is a plugin to WebVPN, WebVPN must be configured first, as in part 1 or part 2.

2. Installing and enabling CSD.
 

Copy the CSD image to the Dynamips 7200 disk0 via FTP, and then install CSD.
c7206# copy ftp disk0:
Address or name of remote host [10.10.1.2]?
Source filename [sslclient-win-1.1.2.169.pkg]? securedesktop-ios-3.1.1.45-k9.pkg
Destination filename [securedesktop-ios-3.1.1.45-k9.pkg]?
Accessing ftp://10.10.1.2/securedesktop-ios-3.1.1.45-k9.pkg…
Loading securedesktop-ios-3.1.1.45-k9.pkg !!!!!!!
[OK - 1697952/4096 bytes]
1697952 bytes copied in 76.704 secs (22136 bytes/sec)
!
c7206(config)# webvpn install csd disk0:/securedesktop-ios-3.1.1.45-k9.pkg
SSLVPN Package Cisco-Secure-Desktop : installed successfully
!
c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# csd enable
!enable CSD in the default context policy.
3. Configure CSD policy.

All CSD policy must be configured on a special web page; it cannot be configured via the CLI. Log in to “https://gateway_addr/csd_admin.html” to start the policy admin; the username is “admin”, and the password is the enable password or enable secret of the router. Note: in my lab, the CSD admin address is “https://198.1.1.1/csd_admin.html”. The Cisco official documentation has an error: it says that the admin address is “https://gateway_addr/csd_admin”.

Select the WebVPN context; in my lab, the context name is “mywebvpn-context1”.

The CSD admin home page is very similar to the one on the Cisco VPN 3000 concentrator.

Locations let you deploy an appropriately secure environment to hosts that connect through the VPN. They let you increase security on hosts that you determine are likely to be insecure, and offer flexibility to clients you determine are secure. You can restrict user privileges when they connect from unknown computers. In my lab, I created two locations: test1 and test2. The first location identifies the user by the address 198.1.1.2; if the user does not match the condition, they are placed in the second location. The second location has no condition, so every user except 198.1.1.2 will match it.

The test1 condition is as follows:

Define the user’s privileges; by default, all privileges are off.

Configure the general options, such as desktop switching and desktop timeout.

Configure the virtual desktop settings, such as restricting the DOS command prompt.

We can also define the Internet Explorer favorites of the virtual desktop.

4. Feature test.

Log in to WebVPN, and the WebVPN will start the CSD installation program. When the installation completes, the CSD interface is as follows:

The Cisco copyright info, aha, I like it.

The virtual desktop is as follows. When you quit the virtual desktop, the CSD software deletes all the files and information in the virtual desktop, it is so cool!

Note: with CSD, I suggest not enabling SSL VPN split tunneling; if you enable it, CSD looks meaningless.

(Part 2: SSL VPN)
Continuing the discussion from part 1; the topology is as follows:

Cisco SSL VPN also supports a full-tunnel mode. In full-tunnel mode, an SSL tunnel is used to move data to and from the internal networks at the network (IP) layer. When the user logs into the SSL VPN gateway, the SSL VPN client (SVC) is automatically downloaded and installed on the end user’s PC, and the tunnel connection is established. Once the connection is established, the user has full VPN access to the corporate network.

1. Preparing for Cisco Web VPN. (the same as part 1)
c7206(config)# int fa0/0
c7206(config-if)# ip add 198.1.1.1 255.255.255.0
c7206(config-if)# no shutdown
c7206(config-if)# exit
!
c7206(config)# int fa1/0
c7206(config-if)# ip add 10.10.1.1 255.255.255.0
c7206(config-if)# no shutdown
c7206(config-if)# exit
!
c7206(config)# aaa new-model
c7206(config)# aaa authentication login default local
!define the default AAA authentication list so the administrator can log in to this router; this configuration is unrelated to WebVPN.
!
c7206(config)# aaa authentication login aaa-webvpn local
c7206(config)# username steve6307 password cisco
!define the WebVPN authentication list.
!
c7206(config)# webvpn gateway mygateway
c7206(config-webvpn-gateway)# ip address 198.1.1.1 port 443
c7206(config-webvpn-gateway)# inservice
!define the WebVPN gateway address and port; usually the port is 443.
!
c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# gateway mygateway domain group1
c7206(config-webvpn-context)# aaa authentication list aaa-webvpn
c7206(config-webvpn-context)# inservice
!define a WebVPN context. You must select a gateway and an AAA authentication list for each context. The domain name matters, because the end user will select the context by this domain name later.
2. Configure Cisco SSL VPN.
First of all, format the Dynamips 7200 router's disk0.
c7206# format disk0:

Then copy the SVC (SSL VPN Client) package to the 7200 disk0.
Note: Dynamips works with low efficiency, so I suggest using FTP to copy the SVC.
c7206(config)# ip ftp username cisco
c7206(config)# ip ftp password cisco
!
c7206# copy ftp disk0:
Address or name of remote host []? 10.10.1.2
Source filename []? sslclient-win-1.1.2.169.pkg
Destination filename [sslclient-win-1.1.2.169.pkg]?
Accessing ftp://10.10.1.2/sslclient-win-1.1.2.169.pkg…
Loading sslclient-win-1.1.2.169.pkg !!
[OK - 415090/4096 bytes]
415090 bytes copied in 22.900 secs (18126 bytes/sec)

Install the SVC.
c7206(config)# webvpn install svc disk0:/sslclient-win-1.1.2.169.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
c7206(config)# ip local pool ssl-user 192.168.10.1 192.168.10.99
!define the SSL VPN user address pool.
!
c7206(config)# int loopback0
c7206(config-if)# ip address 192.168.10.254 255.255.255.0
c7206(config-if)# exit
!In Cisco IOS, if the SSL VPN user pool is not in the same range as your inside network, you should define a loopback interface.
!In my lab, my inside network range is 10.10.1.0/24 and my address pool range is 192.168.10.1~99, so I need to define a loopback interface with the address 192.168.10.254.
!
c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# policy group context1-policy
c7206(config-webvpn-group)# functions svc-enabled
c7206(config-webvpn-group)# svc address-pool ssl-user
c7206(config-webvpn-group)# exit
!define the group policy and allow the user to use the SSL VPN (SVC) function.
!
c7206(config-webvpn-context)# default-group-policy context1-policy
!assign the policy as the default group policy.
3. Configure SSL VPN split tunneling. (optional)
c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# policy group context1-policy
c7206(config-webvpn-group)# svc split include 10.10.1.0 255.255.255.0
!In the split tunnel list, I configured the inside network range. This means the WebVPN service will tell the SSL VPN Client to modify its local routing table, and then the client can access the inside network and the Internet at the same time.
4. Feature test.
I logged in to WebVPN and saw the following page:

Then the WebVPN started the SVC installation program.

After the installation, the SVC started successfully, and then I had unrestricted access to the inside network.

Now I can see the SSL VPN Client info.

The Cisco copyright info is as follows, aha, this is so cool!

(Part 1: Web VPN)
This test note describes how to configure Cisco SSL VPN on Cisco IOS routers. The whole lab is built on the Dynamips 7200 simulator.

SSL VPNs use a methodology to transport private data across the public Internet. Instead of relying upon the end user to have a configured client on an agency-managed computer, SSL VPNs use SSL/HTTPS, which is the secure transport mechanism built into all standard web browsers. Using an SSL VPN, the connection between the user and the internal resource occurs via an HTTPS connection at the application layer.

I have completed all the Cisco SSL labs on the Dynamips 7200 simulator; the topology is as follows:

The Dynagen configuration is as follows:

autostart = false
[localhost]
port = 7200
udp = 10000
workingdir = ..\Temp\

    [[router R1]]
    image = ..\IOS\c7200-advsecurityk9-mz.124-9.T1.bin
    model = 7200
    console = 3001
    npe = npe-400
    ram = 128
    confreg = 0x2142
    exec_area = 64
    slot0 = PA-C7200-IO-FE
    slot1 = PA-FE-TX
    f0/0 = SW1 1
    f1/0 = SW1 2

    [[ethsw SW1]]
    1 = dot1q 1
    2 = dot1q 1
    3 = access 1 NIO_gen_eth:\Device\NPF_{E4377B71-C2A8-40A9-9FB6-639EE19D2F75}

1. Preparing for Cisco Web VPN.
c7206(config)# int fa0/0
c7206(config-if)# ip add 198.1.1.1 255.255.255.0
c7206(config-if)# no shutdown
c7206(config-if)# exit
!
c7206(config)# int fa1/0
c7206(config-if)# ip add 10.10.1.1 255.255.255.0
c7206(config-if)# no shutdown
c7206(config-if)# exit
!
c7206(config)# aaa new-model
c7206(config)# aaa authentication login default local
!define the default AAA authentication list so the administrator can log in to this router; this configuration is unrelated to WebVPN.
!
c7206(config)# aaa authentication login aaa-webvpn local
c7206(config)# username steve6307 password cisco
!define the WebVPN authentication list.
!
c7206(config)# webvpn gateway mygateway
c7206(config-webvpn-gateway)# ip address 198.1.1.1 port 443
c7206(config-webvpn-gateway)# inservice
!define the WebVPN gateway address and port; usually the port is 443.
!
c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# gateway mygateway domain group1
c7206(config-webvpn-context)# aaa authentication list aaa-webvpn
c7206(config-webvpn-context)# inservice
!define a WebVPN context. You must select a gateway and an AAA authentication list for each context. The domain name matters, because the end user will select the context by this domain name later.
2. Basic feature test (web browsing).
I used Firefox to test the WebVPN feature. I entered “https://198.1.1.1/group1” in the address bar, and then I saw the WebVPN home page.

Note: the URL format is https://webvpn_gateway_addr/context_domain_name

I entered my username and password in the dialog box, and then clicked “Login”.

Now I have successfully logged on to the WebVPN!

I entered the internal server IP address in the URL field, and then accessed the internal server web page successfully.

3. WebVPN extended services.

Now, let’s talk about how to configure the WebVPN extended services:

1. File-access feature.
2. Custom URL list.
3. Port-forward feature.

3.1. File-access feature
The file-access feature provides browsing and access to files on a Windows file server (via a NetBIOS name service server).

To use the file-access feature, the user must have the “file-access file-entry file-browsing” privileges.

c7206(config)# webvpn context mywebvpn-context1
c7206(config-webvpn-context)# nbns-list <nbns-list-name>
c7206(config-webvpn-nbnslist)# nbns-server 10.10.1.2
c7206(config-webvpn-nbnslist)# exit
!<nbns-list-name> is a placeholder: the post does not show the list name used to enter the nbns-list mode.
!You must define the NetBIOS name server for IOS WebVPN. In fact, this is optional if you use the IP address to access the file server later.
!
c7206(config-webvpn-context)# policy group context1-policy
c7206(config-webvpn-group)# nbns-list <nbns-list-name>
c7206(config-webvpn-group)# functions file-access
c7206(config-webvpn-group)# functions file-browse
c7206(config-webvpn-group)# functions file-entry
c7206(config-webvpn-group)# exit
!define the group policy for this context and assign the “file-access file-entry file-browsing” privileges.
!
c7206(config-webvpn-context)# default-group-policy context1-policy
!assign the group policy as the default policy.

Feature test:
Logging in to WebVPN again, I saw the following page:

I entered “\\10.10.1.2” as the network path, and then the browser prompted me to enter my username and password to access the resources on my file server:

3.2. Customize the url-list
c7206(config-webvpn-context)# url-list myurl
c7206(config-webvpn-url)# url-text "Home Page" url-value http://10.10.1.2
c7206(config-webvpn-url)# url-text "Site2" url-value http://10.10.1.3
!
c7206(config-webvpn-context)# policy group context1-policy
c7206(config-webvpn-group)# url-list myurl

Feature test:
Logging in to WebVPN again, I saw the following page:

3.3. Port-forward
The port-forward feature provides access for remote end users to client and server applications that communicate over known, fixed TCP ports. Each internal server and port number that the user can access has to be configured on the gateway. The entries specify the local port number and the destination server name and port number to use for TCP port forwarding.

c7206(config-webvpn-context)# port-forward myport
c7206(config-webvpn-port-fwd)# local-port 2323 remote-server 10.10.1.2 remote-port 23 description test
c7206(config-webvpn-port-fwd)# exit
!
c7206(config-webvpn-context)# policy group context1-policy
c7206(config-webvpn-group)# port-forward myport
!When I log in to the WebVPN, the browser loads the Java applet, and then I can reach the internal server with telnet to localhost port 2323.

Feature test:
Logging in to WebVPN again, I saw the following page:

Click “Application Access”, and then the browser loads the Java applet.
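What the Java applet does on the client is exactly what the `local-port 2323 remote-server 10.10.1.2 remote-port 23` entry describes: it listens on a local port and relays each connection, byte for byte in both directions, to the internal server (over the SSL session, in the real feature). The script below is an added example, not code from the post or from Cisco: it implements that relay with plain sockets, and, because there is no 10.10.1.2 here, stands in a constructed "internal server" on an ephemeral loopback port that sends a banner and echoes one line, so the whole exchange runs offline. Port 0 asks the OS for a free port; the function names are this example's own.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay_one(listener, remote_host, remote_port):
    """Accept one local client and splice it to the remote server in both directions."""
    client, _ = listener.accept()
    with client, socket.create_connection((remote_host, remote_port), timeout=5) as remote:
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)
        back.join(timeout=5)


def start_forwarder(local_port, remote_host, remote_port):
    """Listen on 127.0.0.1:local_port (0 picks a free port) and relay the next connection
    to remote_host:remote_port in a background thread.  Returns the port actually bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(1)
    threading.Thread(target=_relay_one, args=(listener, remote_host, remote_port), daemon=True).start()
    return listener.getsockname()[1]


def start_fake_internal_server():
    """Constructed stand-in for the internal server at 10.10.1.2:23: send a banner,
    echo one line back and close.  Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"internal-server ready\r\n")
            line = b""
            while not line.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                line += chunk
            conn.sendall(b"you said: " + line)

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"hello\r\n"):
    """Connect to the forwarded local port the way 'telnet localhost 2323' would,
    send one line and return everything the internal server answered through the relay."""
    server_port = start_fake_internal_server()
    local_port = start_forwarder(0, "127.0.0.1", server_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo().decode())
```

The relay binds only to 127.0.0.1, which is also why the feature is safe to expose on a user's workstation: the listening port is reachable only from that machine, and the gateway still decides, through the port-forward list, which internal server and port each local port may reach.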

9 May

Cisco IOS PPTP on dynamips

Posted by: admin in Cisco, Cisco Dynamips Exams

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

The Dynagen configuration is as follows:

autostart = false
[localhost]
port = 7200
udp = 10000
workingdir = ..\Temp\

    [[router R2]]
    image = ..\IOS\c7200-advsecurityk9-mz.124-9.T1.bin
    model = 7200
    console = 3002
    npe = npe-400
    ram = 128
    confreg = 0x2142
    exec_area = 64
    mmap = false
    slot0 = PA-C7200-IO-FE
    slot1 = PA-4T
    f0/0 = SW1 2
    s1/0 = R3 s1/1

    [[router R3]]
    image = ..\IOS\c3620-i-mz.122-37.bin
    model = 3620
    console = 3003
    ram = 32
    confreg = 0x2142
    exec_area = 16
    mmap = false
    slot0 = NM-1FE-TX
    slot1 = NM-4T
    f0/0 = SW1 3

    [[ethsw SW1]]
    2 = dot1q 1
    3 = dot1q 1
    4 = access 1 NIO_gen_eth:\Device\NPF_{E4377B71-C2A8-40A9-9FB6-639EE19D2F75}

1. PPTP Server Configuration (R2).

PPTP_S(config)#interface FastEthernet0/0
PPTP_S(config-if)#ip address 10.10.1.1 255.255.255.0
PPTP_S(config-if)#no shutdown
PPTP_S(config)#interface Serial1/0
PPTP_S(config-if)#ip address 173.16.1.5 255.255.255.252
PPTP_S(config-if)#no shutdown
PPTP_S(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.6
PPTP_S(config)#username cisco@cisco.com password 0 cisco
PPTP_S(config)#vpdn enable
PPTP_S(config)#vpdn-group myl2tp
PPTP_S(config-vpdn)#accept-dialin
PPTP_S(config-vpdn-acc-in)#protocol pptp
PPTP_S(config-vpdn-acc-in)#virtual-template 1
PPTP_S(config-vpdn-acc-in)#exit
PPTP_S(config)#interface Virtual-Template1
PPTP_S(config-if)#ip unnumbered FastEthernet0/0
PPTP_S(config-if)#encapsulation ppp
PPTP_S(config-if)#peer default ip address pool l2tp-user
PPTP_S(config-if)#ppp authentication ms-chap
PPTP_S(config)#ip local pool l2tp-user 10.10.1.50 10.10.1.59

2. Windows Client Configuration.

Use the Windows dialer configuration guide to complete the configuration.

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

The Dynagen configuration is as follows:

autostart = false
[localhost]
port = 7200
udp = 10000
workingdir = ..\Temp\

    [[router R2]]
    image = ..\IOS\c7200-advsecurityk9-mz.124-9.T1.bin
    model = 7200
    console = 3002
    npe = npe-400
    ram = 128
    confreg = 0x2142
    exec_area = 64
    mmap = false
    slot0 = PA-C7200-IO-FE
    slot1 = PA-4T
    f0/0 = SW1 2
    s1/0 = R3 s1/1

    [[router R3]]
    image = ..\IOS\c3620-i-mz.122-37.bin
    model = 3620
    console = 3003
    ram = 32
    confreg = 0x2142
    exec_area = 16
    mmap = false
    slot0 = NM-1FE-TX
    slot1 = NM-4T
    f0/0 = SW1 3

    [[ethsw SW1]]
    2 = dot1q 1
    3 = dot1q 1
    4 = access 1 NIO_gen_eth:\Device\NPF_{E4377B71-C2A8-40A9-9FB6-639EE19D2F75}

1. ENT LNS L2TP Configuration (R2).

ENT_LNS(config)#interface FastEthernet0/0
ENT_LNS(config-if)#ip address 10.10.1.1 255.255.255.0
ENT_LNS(config-if)#no shutdown
ENT_LNS(config)#interface Serial1/0
ENT_LNS(config-if)#ip address 173.16.1.5 255.255.255.252
ENT_LNS(config-if)#no shutdown
ENT_LNS(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.6
ENT_LNS(config)#username cisco@cisco.com password 0 cisco
ENT_LNS(config)#vpdn enable
ENT_LNS(config)#vpdn-group myl2tp
ENT_LNS(config-vpdn)#accept-dialin
ENT_LNS(config-vpdn-acc-in)#protocol l2tp
ENT_LNS(config-vpdn-acc-in)#virtual-template 1
ENT_LNS(config-vpdn-acc-in)#exit
ENT_LNS(config-vpdn)#no l2tp tunnel authentication
ENT_LNS(config)#interface Virtual-Template1
ENT_LNS(config-if)#ip unnumbered FastEthernet0/0
ENT_LNS(config-if)#encapsulation ppp
ENT_LNS(config-if)#peer default ip address pool l2tp-user
ENT_LNS(config-if)#ppp authentication chap
ENT_LNS(config)#ip local pool l2tp-user 10.10.1.50 10.10.1.59

2. Windows Client Configuration.
First, modify the Windows registry as follows and restart Windows:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001

Then use the Windows dialer configuration guide to complete the configuration.