Archive for June, 2007

17 Jun

Cisco ASA WebVPN with CSACS 4.0

Posted by: admin in Cisco

I have completed this lab on an ASA 5510; the topology is as follows:

1. ASA Configuration.

hostname ciscoasa
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.30.1.97 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 172.30.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.1.1.2 1
!
aaa-server myradius protocol radius
aaa-server myradius host 172.30.1.66
key cisco
!
tunnel-group mywebvpn-group type webvpn
tunnel-group mywebvpn-group general-attributes
authentication-server-group myradius
tunnel-group mywebvpn-group webvpn-attributes
group-alias mywebvpn enable
!
webvpn
enable outside
url-list mywebvpn-url "Home Page" http://172.30.1.98 1
url-list mywebvpn-url "Forum" http://172.30.1.2 2
url-list mywebvpn-url "About Cisco Trainning" http://172.30.1.98/cisco 3
tunnel-group-list enable

2. ACS 4.0 Configuration.

1. Add an AAA client as follows:

2. Select the RADIUS attributes in "Interface Configuration", such as:
[3076\011] Tunneling-Protocols
[3076\071] WebVPN-Url-List
[3076\093] WebVPN-URL-Entry-Enable
[3076\094] WebVPN-File-Access-Enable
[3076\095] WebVPN-File-Server-Entry-Enable
[3076\096] WebVPN-File-Server-Browsing-Enable

3. Configure the RADIUS attributes in "Group Setup".
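The attributes selected in ACS reach the ASA as RADIUS Vendor-Specific attributes (vendor ID 3076, the prefix ACS shows in brackets) inside the Access-Accept, and the ASA only trusts them after it has checked the Response Authenticator with the shared secret from the aaa-server configuration. The following Python script is an added example, not part of this post or of Cisco's or ACS's code: it builds such an Access-Accept with the attribute numbers listed above and shows the NAS-side verification and decoding. The Request Authenticator, the attribute values and the bitmap value 16 for WebVPN in Tunneling-Protocols are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example values: the shared secret matches the 'key cisco' line in the
# ASA aaa-server configuration; the Access-Accept below is built locally, not captured.
SHARED_SECRET = b"cisco"
CISCO_VPN3000_VENDOR_ID = 3076          # the [3076\...] prefix ACS shows for these attributes
VENDOR_ATTR = {                         # vendor-type numbers as listed in Interface Configuration
    "Tunneling-Protocols": 11,
    "WebVPN-Url-List": 71,
    "WebVPN-URL-Entry-Enable": 93,
    "WebVPN-File-Access-Enable": 94,
    "WebVPN-File-Server-Entry-Enable": 95,
    "WebVPN-File-Server-Browsing-Enable": 96,
}
INTEGER_ATTRS = {11, 93, 94, 95, 96}    # integer-typed; 71 carries the url-list name as a string
NAME_OF = {num: name for name, num in VENDOR_ATTR.items()}
ATTR_VENDOR_SPECIFIC = 26               # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2


def encode_vsa(vendor_type, value):
    """Wrap one vendor-3076 sub-attribute in an RFC 2865 Vendor-Specific attribute."""
    raw = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(raw)) + raw
    body = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, attrs):
    """Build the Access-Accept the server returns; attrs maps attribute names to values."""
    attr_bytes = b"".join(encode_vsa(VENDOR_ATTR[name], val) for name, val in attrs.items())
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attr_bytes + SHARED_SECRET).digest()
    return header + resp_auth + attr_bytes


def verify_and_decode(packet, request_authenticator):
    """NAS-side check: validate the Response Authenticator, then pull out the 3076 attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the datagram")
    resp_auth, attr_bytes = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attr_bytes + SHARED_SECRET).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret, or reply was altered")
    decoded = {}
    pos = 0
    while pos < len(attr_bytes):
        if len(attr_bytes) - pos < 2:
            raise ValueError("truncated attribute at offset %d" % pos)
        atype, alen = attr_bytes[pos], attr_bytes[pos + 1]
        if alen < 2 or pos + alen > len(attr_bytes):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attr_bytes[pos + 2:pos + 6])[0]
            vtype, vlen = attr_bytes[pos + 6], attr_bytes[pos + 7]
            raw = attr_bytes[pos + 8:pos + 6 + vlen]
            if vendor_id == CISCO_VPN3000_VENDOR_ID and vtype in NAME_OF:
                decoded[NAME_OF[vtype]] = (struct.unpack("!I", raw)[0]
                                           if vtype in INTEGER_ATTRS else raw.decode("ascii"))
        pos += alen
    return code, identifier, decoded


if __name__ == "__main__":
    req_auth = bytes(range(16))                  # constructed Request Authenticator
    accept = build_access_accept(7, req_auth, {
        "Tunneling-Protocols": 16,               # bitmap; 16 is assumed here to select WebVPN
        "WebVPN-Url-List": "mywebvpn-url",       # the url-list name from the ASA config
        "WebVPN-URL-Entry-Enable": 1,
    })
    print(verify_and_decode(accept, req_auth))
```

The Response Authenticator is the only thing that ties the policy attributes to the shared secret, so a weak secret such as the one used in this lab, or a RADIUS server reachable from untrusted segments, is what a reviewer should flag: anyone who can guess the secret and answer on the server's behalf can hand the ASA whichever WebVPN permissions they like.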

17 Jun

Configure authentication proxy (auth-proxy) on pix

Posted by: admin in Cisco

I have completed this lab on the PEMU Windows version; the topology is as follows:

1. Configure address and NAT.

pixfirewall(config)# interface e0
pixfirewall(config-if)# ip address 218.1.1.1 255.255.255.0
pixfirewall(config-if)# no shutdown
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# interface e1
pixfirewall(config-if)# ip address 172.16.254.1 255.255.255.0
pixfirewall(config-if)# no shutdown
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# exit
pixfirewall(config)# nat (inside) 1 172.16.254.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface

2. Configure AAA authentication.

pixfirewall(config)# aaa-server test protocol radius
pixfirewall(config)# aaa-server test (inside) host 172.16.254.10 cisco
!
pixfirewall(config)# access-list access-internet extended permit ip any any
!
pixfirewall(config)# aaa authentication match access-internet inside test

14 Jun

Cisco Private Vlan Configuration on Catalyst 3750

Posted by: admin in Cisco

I have completed this lab on a Catalyst 3750; the topology is as follows:

1. Set VTP mode to transparent.

Switch(config)#vtp mode transparent

2. Create private VLANs.

Switch(config)#vlan 20
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#vlan 501
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 502
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 503
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 20
Switch(config-vlan)#private-vlan association 501-503

3. Configure layer 2 ports on the switch.

Switch(config)#interface fastEthernet 1/0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 20 add 501-503
Switch(config-if)#interface fastEthernet 1/0/2
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 20 503
Switch(config-if)#interface fastEthernet 1/0/3
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 20 503
Switch(config-if)#interface fastEthernet 1/0/4
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 20 502
Switch(config-if)#interface fastEthernet 1/0/5
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 20 501
Switch(config-if)#interface fastEthernet 1/0/6
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 20 501

4. Configure layer 3 ports on the switch.

Switch(config)#interface vlan 20
Switch(config-if)#private-vlan mapping 501-503
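To see what the port assignments above actually isolate, here is an added Python model (not switch output and not Cisco code) of the private VLAN forwarding rules applied to this exact configuration: one promiscuous port mapped to all three secondary VLANs, two hosts in community 503, one host in community 502 and two hosts in isolated 501. The port names and roles are taken from the configuration; the rule set is the standard PVLAN behaviour and is an assumption of the model, not a capture from the switch.

```python
# Constructed model of the Catalyst 3750 configuration above (example data, not switch output).
PRIMARY_VLAN = 20
SECONDARY_VLANS = {501: "isolated", 502: "community", 503: "community"}
PORTS = {
    "Fa1/0/1": {"mode": "promiscuous", "mapping": {501, 502, 503}},  # mapping 20 add 501-503
    "Fa1/0/2": {"mode": "host", "secondary": 503},
    "Fa1/0/3": {"mode": "host", "secondary": 503},
    "Fa1/0/4": {"mode": "host", "secondary": 502},
    "Fa1/0/5": {"mode": "host", "secondary": 501},
    "Fa1/0/6": {"mode": "host", "secondary": 501},
}


def can_forward(src, dst):
    """True if a frame entering on src may be delivered out dst at layer 2."""
    if src == dst:
        return False
    s, d = PORTS[src], PORTS[dst]
    if s["mode"] == "promiscuous" and d["mode"] == "promiscuous":
        return True                                   # both sit in the primary VLAN
    if s["mode"] == "promiscuous":
        return d["secondary"] in s["mapping"]         # primary -> mapped secondary VLAN
    if d["mode"] == "promiscuous":
        return s["secondary"] in d["mapping"]         # secondary VLAN -> promiscuous port
    if s["secondary"] != d["secondary"]:
        return False                                  # different secondary VLANs never mix
    return SECONDARY_VLANS[s["secondary"]] == "community"   # isolated hosts stay apart


def peers_of(port):
    """All ports that `port` can reach at layer 2."""
    return sorted(p for p in PORTS if can_forward(port, p))


def reachability_table():
    """Return {port: [reachable ports]} for the whole switch."""
    return {p: peers_of(p) for p in PORTS}


if __name__ == "__main__":
    for port, peers in reachability_table().items():
        print("%-8s -> %s" % (port, ", ".join(peers) or "(none)"))
```

The SVI in step 4 behaves like the promiscuous port for routed traffic, so the isolation is layer 2 only: two hosts in isolated VLAN 501 can still reach each other through the gateway unless an ACL on interface vlan 20 denies traffic sourced from and destined to the same subnet.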

13 Jun

Cisco ADSL PPPOE on dynamips

Posted by: admin in Cisco, Cisco Dynamips Exams

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In fact, R1 and R2 are connected directly through their ATM interfaces.

1. CPE Configuration (R2)

no ip routing
!
interface FastEthernet0/0
no ip address
bridge-group 1
!
interface ATM1/0
no ip address
bridge-group 1
pvc 2/200
encapsulation aal5snap
!
!
bridge 1 protocol ieee

2. R1 Configuration
Note: the ATM card on Dynamips does not support PPPoE, so R4 handles the PPPoE packets and R1 only bridges.

no ip routing
!
interface FastEthernet0/0
no ip address
bridge-group 1
!
interface ATM1/0
no ip address
bridge-group 1
pvc 1/100
encapsulation aal5snap
!
!
bridge 1 protocol ieee

3. Aggregation Router Configuration (R4)

vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
username cisco password 0 cisco
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
pppoe enable
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool cisco
ppp authentication chap
!
ip local pool cisco 10.0.0.10 10.0.0.20

4. PPPOE client Configuration (R3)

vpdn enable
!
vpdn-group cisco
request-dialin
protocol pppoe
!
interface Ethernet0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname cisco
ppp chap password 0 cisco
!
ip route 0.0.0.0 0.0.0.0 Dialer0

13 Jun

Cisco ADSL PPPOA on dynamips

Posted by: admin in Cisco, Cisco Dynamips Exams

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In fact, R1 and R2 are connected directly through their ATM interfaces.

1. CPE Configuration (R2)

interface FastEthernet0/0
ip address 172.30.1.8 255.255.255.0
ip nat inside
duplex half
!
interface ATM1/0
no ip address
pvc 2/200
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname cisco
ppp chap password 0 cisco
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 10 permit 172.30.1.0 0.0.0.255
ip nat inside source list 10 interface Dialer0 overload

2. Aggregation Router Configuration (R1)

username cisco password 0 cisco
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface ATM1/0
no ip address
pvc 1/100
encapsulation aal5snap
protocol ppp Virtual-Template1
!
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool cisco
ppp authentication chap
!
ip local pool cisco 10.0.0.2 10.0.0.6
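Both the PPPoE lab (R4 authenticating R3) and the PPPoA lab (R1 authenticating R2) rely on `ppp authentication chap` with the `username cisco password 0 cisco` entry on the aggregation router and the matching `ppp chap hostname` / `ppp chap password` on the CPE. The following Python script is an added example, not code from either post or from IOS, that walks through the RFC 1994 CHAP exchange with that user database: the authenticator issues a random challenge, the client answers with MD5(Identifier || Secret || Challenge), and the authenticator recomputes the value from its stored secret. The challenge bytes and packet field names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed copy of the authenticator's user database: the 'username cisco password 0 cisco'
# line on the aggregation router. The CPE is configured with the matching
# 'ppp chap hostname cisco' / 'ppp chap password 0 cisco'.
USER_DB = {"cisco": b"cisco"}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_challenge(identifier, size=16):
    """Aggregation router side: a fresh random challenge for every attempt."""
    return {"id": identifier, "challenge": os.urandom(size)}


def client_respond(chal, hostname, secret):
    """CPE side: answer the Challenge with its hostname and the MD5 response value."""
    return {"id": chal["id"], "name": hostname,
            "value": chap_response(chal["id"], secret, chal["challenge"])}


def authenticator_verify(chal, resp):
    """Aggregation router side: recompute with the stored secret; Success only on a match."""
    if resp["id"] != chal["id"]:
        return False                 # response belongs to some other challenge
    secret = USER_DB.get(resp["name"])
    if secret is None:
        return False                 # unknown hostname
    expected = chap_response(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["value"])


def run_exchange(hostname, secret, identifier=1, challenge=None):
    """Run Challenge -> Response -> verify; `challenge` may be fixed for reproducible runs."""
    chal = authenticator_challenge(identifier)
    if challenge is not None:
        chal["challenge"] = challenge
    return authenticator_verify(chal, client_respond(chal, hostname, secret))


if __name__ == "__main__":
    print("CPE with the right secret:", run_exchange("cisco", b"cisco"))
    print("CPE with a wrong secret:  ", run_exchange("cisco", b"wrong"))
```

CHAP never puts the password on the wire, but both routers must hold it in cleartext (`password 0` shows it verbatim in the running configuration, and `service password-encryption` only obscures it with the reversible type 7 scheme), and a captured challenge/response pair lets anyone test password guesses offline with a single MD5 per guess. Lab-grade secrets like `cisco` are therefore the first thing to change before such a configuration goes anywhere near production.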

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

In fact, R1 and R2 are connected directly through their ATM interfaces.

1. CPE Configuration (R2)

no ip routing
!
interface FastEthernet0/0
no ip address
bridge-group 1
!
interface ATM1/0
no ip address
bridge-group 1
pvc 2/200
encapsulation aal5snap
!
!
bridge 1 protocol ieee

2. Aggregation Router Configuration (R1)

bridge irb
!
interface Loopback0
ip address 202.1.1.1 255.255.255.0
!
interface ATM1/0
no ip address
bridge-group 1
pvc 1/100
encapsulation aal5snap
!
!
interface BVI1
ip address 172.30.1.8 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip

11 Jun

Cisco PIX Emulator: PEMU Windows version

Posted by: admin in Cisco

http://7200emu.hacki.at/viewtopic.php?t=1690

PEMU supports both PIX 7.x and PIX 6.x code, so we can simulate a PIX on our PC!
This is my configuration:
pemu.exe -net nic,vlan=0,macaddr=00:10:78:00:00:01 -net pcap,vlan=0,ifname=\Device\NPF_{6D278640-9DBA-4BCF-9180-7E7DA8F45522} -net nic,vlan=1,macaddr=00:10:78:00:00:02 -net pcap,vlan=1,ifname=\Device\NPF_{6D278640-9DBA-4BCF-9180-7E7DA8F45522} -net nic,vlan=2,macaddr=00:10:78:00:00:03 -net pcap,vlan=2,ifname=\Device\NPF_{6D278640-9DBA-4BCF-9180-7E7DA8F45522} -serial telnet::7001,server

128MB RAM
Total NICs found: 3
i82559 Ethernet at irq 9 MAC: 0010.7800.0001
i82559 Ethernet at irq 11 MAC: 0010.7800.0002
i82559 Ethernet at irq 11 MAC: 0010.7800.0003
BIOS Flash=am29f400b @ 0xd8000

Initializing flashfs…
flashfs[7]: 2 files, 2 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 2048
flashfs[7]: Bytes available: 16125952
flashfs[7]: flashfs fsck took 1 seconds.
flashfs[7]: Initialization complete.

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

This activation key is not valid, use default settings only

------------------------------------------------------------------------
[Cisco Systems ASCII-art logo]
C i s c o   S y s t e m s
------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.2(2)

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Type help or '?' for a list of available commands.
pixfirewall>
pixfirewall>

11 Jun

Cisco Easy VPN Remote With 802.1x

Posted by: admin in Cisco

The topology is as follows:

Note:

The user must connect to the Easy VPN Remote directly or through a hub; you cannot put a switch between the user and the Easy VPN Remote (an 802.1D bridge does not forward the EAPOL frames that 802.1X relies on).

1. Configure the Easy VPN Remote.

crypto ipsec client ezvpn mylab
connect auto
group myezvpn key cisco1234
mode network-extension
peer 173.16.1.5
username wanglinlin password cisco
xauth userid mode local
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
crypto ipsec client ezvpn mylab inside
!
interface Serial0/0/0
ip address 173.16.1.1 255.255.255.252
clock rate 64000
crypto ipsec client ezvpn mylab
!
ip route 0.0.0.0 0.0.0.0 173.16.1.2

2. Configure AAA on the Remote.

aaa new-model
!
username cisco password 0 cisco
!
aaa authentication login default local
aaa authentication dot1x default group radius
!
ip radius source-interface FastEthernet0/0
!
radius-server host 172.30.1.66 auth-port 1645 acct-port 1646 key cisco

3. Configure DHCP address pool on the Remote.

ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.2.2.1
!
ip dhcp pool private
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
!
ip dhcp pool public
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1

4. Configure 802.1x authentication on the Remote.

dot1x system-auth-control
dot1x re-authentication
!
interface FastEthernet0/0
dot1x port-control auto
dot1x reauthentication

5. Configure identity profile on the Remote.

identity profile default
template Virtual-Template1
!
interface Loopback10
ip address 10.2.2.1 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Loopback10

6. Configure PAT to provide Internet access on the Remote.

interface Loopback10
ip nat inside
!
interface Virtual-Template1
ip nat inside
!
interface Serial0/0/0
ip nat outside
!
access-list 1 permit 10.2.2.0 0.0.0.255
!
ip nat inside source list 1 interface Serial0/0/0 overload

10 Jun

Cisco L2TP over IPSec With Windows Client

Posted by: admin in Cisco

I have completed this lab on the Dynamips 7200 simulator; the topology is as follows:

1. L2TP Over IPSec Server Configuration (R1)

R1#sh run
version 12.4
!
hostname R1
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username stve6307 password 0 cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map cc 10
set nat demux
set transform-set ccsp
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/2
ip address 11.1.1.1 255.255.255.252
serial restart-delay 0
crypto map cisco
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool l2tp-pool
ppp authentication chap
!
ip local pool l2tp-pool 192.168.1.1 192.168.1.100
!
ip route 0.0.0.0 0.0.0.0 11.1.1.2

2. Windows Configuration

1. Import the following registry file:
--------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001
--------------------------
2. Use gpedit.msc to configure the "IP Security Policy"; refer to Microsoft.com for the steps.
3. Set up a dial-up connection and dial to the server.