CCNA Lab Build

I am fortunate enough to have the equipment available to duplicate the lab topology used in the CCNA videos. I made some minor changes to hardware to fit what I had.

http://i62.tinypic.com/2qbdjir.jpg (lab photo)

As far as the routers go, R1 is a 2514; R2, R3 & R4 are all 2520s; R5 & R6 are 1721s; and I also have another 2520 acting as a Frame Relay switch.

The lab in the videos utilizes three 3550 L3 switches, but I opted to use one 3550 for SW1 and two 2950s for SW2 and SW3.

R6 was added solely to simulate other WAN connections besides Frame Relay. R5 and R6 came with one FastEthernet port and built-in VPN cards. I added two WIC cards to them, one to add a 10MB Ethernet port, and the other to add a serial port.

With all that said, I have been studying remotely during my lunch hours.  I have a web-powered ethernet switch that I log into to fire-up the rack, and then shut it down when I'm finished.  Telnet was always the mode of choice, but the more I read about it, Telnet is not as secure as one would like it to be. 

I would like some guidance on how to configure this properly, so I could SSH into the rack when need be.  Maybe there would be a way to utilize one of the 1721 routers.

Currently, I have a Linksys WRT160Nv2 Wifi Router which the Cisco Access Server is connected to. I'm using the firewall built into the Linksys, along with Norton on the computer. I also have a PIX 501, which is not currently connected, and I'm not quite sure how to implement that yet.

I know there is a lot here, but maybe we can work through this little by little.

Thank you!

Chris

Comments

  • Telnet isn't secure, because anyone capturing the packets in the middle can read the password.  One option is to run SSH, but low end routers like 2500 or 1700 have slow CPUs and will have trouble running SSH.  You could put the PIX 501 in front of the wifi router and connect that directly to your Internet link, and then run either an IPsec VPN (EasyVPN is the term for PIX 501) or SSL VPN which you can connect to remotely.

    If you want the easy way just set Telnet to a high port, like have the Linksys listen at 65023 and forward it to the access server at port 23.  If you want to learn how the other topics work then I would try SSH first, and then IPsec after that.
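An added example, not part of Brian's reply and not taken from any device on this rack: the SSH-only vty configuration that "try SSH first" points at, written for an IOS router such as one of the 1721s (it needs an IOS image with crypto support, which is where the CPU-cost caveat above comes from). The hostname, domain name, local username, secret and the 192.168.1.0/24 management subnet are assumed placeholders.

```cisco
! Added example: SSH-only management access on an IOS router (1721 or the access server).
! Assumes a crypto-capable (k9) image. The RSA key cannot be generated until both
! hostname and ip domain-name are set, because the key is named from them.
hostname R5
ip domain-name lab.example
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account used by "login local" on the vty lines.
! "secret" stores a hash rather than a reversible password (placeholder value shown).
username admin privilege 15 secret ChangeMe-Placeholder
!
! Only hosts on the inside LAN used in this thread may open a management session.
access-list 10 remark management-hosts
access-list 10 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify afterwards: "show ip ssh" should report SSH enabled, version 2.0,
! and "show crypto key mypubkey rsa" should list the generated key.
```

Once this is in place Telnet to the vty lines is refused (`transport input ssh`), and `access-class 10 in` limits sessions to the listed subnet; if the IPsec option Brian mentions is added later, the VPN client pool would need its own `permit` line in access-list 10 before it can reach the router.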

  • If I install the PIX in front of the Linksys router as described, will the speed of our normal internet traffic suffer? The reason I ask is because the PIX has 10MB Ethernet ports instead of 100MB Fast Ethernet. Will that make a difference?

    That brings me to another question: if I were to take one of the 1721 routers and add a WIC-1ADSL card to it, will that give me a second FastEthernet interface, allowing me to use that for the main internet router? Then I could use the Linksys as a secondary access point for the WIFI devices I have in the house.

  • PIX 501 has 10/100 ports: http://www.cisco.com/c/en/us/products/security/pix-501-security-appliance/index.html

    If your ISP link is ADSL then yes you can terminate it on the 1700.  That's what it's mainly meant for, it's a business SOHO router.

  • Hi Brian,

    I'm almost there with the lab build.

    I have the PIX connected directly to the DSL modem. Directly connected to the PIX is the desktop I am on right now. Also connected to the PIX is the old Linksys WRT160N, to give access to the wireless devices in the house. Currently, I am receiving DHCP addresses from the PIX on all wireless devices. I can ping 4.2.2.2 from each device. However, I am not able to access a website on any of the wireless devices. I do have NAT enabled on the inside interface. Otherwise I wouldn't be typing this message now.

    Here is the current config. Maybe you can figure out why I'm having problems. I attempted to enable RIP routing on the Linksys, thinking that had something to do with it.

    Everything is on the 192.168.1.0 network. Please disregard the 192.168.2.0 network, as I was using that for testing purposes.

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl-outside permit icmp any any
    access-list acl-outside permit tcp any interface outside eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl-outside in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group pppoe request dialout pppoe
    vpdn group pppoe localname xxxxx
    vpdn group pppoe ppp authentication pap
    vpdn username xxxx password *********
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 216.146.35.240 216.146.36.240
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
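An added example that is neither Chris's config nor Brian's advice: the management-plane changes an editor would apply to the PIX 6.3(5) configuration above now that it sits directly on the DSL link. The inside subnet 192.168.1.0/24 and the access-list name come from the posted config; the domain name, local username, password and SNMP community string are placeholders to be replaced.

```cisco
! Added example: management-plane hardening for the PIX 6.3(5) config posted above.
! Assumes a DES/3DES feature license on the 501 (SSH needs one) and a hostname already set.
domain-name lab.example
ca generate rsa key 1024
ca save all
!
! The posted "ssh 192.168.2.0 ... inside" only admits the test subnet the post says is
! no longer used; permit the LAN that is actually in use instead.
no ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
!
! Remove Telnet access entirely; the console port remains available for recovery.
no telnet 192.168.1.0 255.255.255.0 inside
no telnet 192.168.2.0 255.255.255.0 inside
!
! Authenticate SSH logins against a named local user (placeholder credentials) rather
! than the shared default "pix" login; "aaa-server LOCAL" already exists in the config.
username admin password ChangeMe-Placeholder privilege 15
aaa authentication ssh console LOCAL
!
! "public" is the default community string; re-entering the command replaces it.
snmp-server community Placeholder-Community
!
! Inbound ACL: nothing in the posted config translates port 80 to an inside host, so the
! "permit tcp ... eq www" entry is unused. Narrow ICMP to the reply types needed for
! outbound ping and path MTU discovery instead of accepting any ICMP from the Internet.
no access-list acl-outside permit tcp any interface outside eq www
no access-list acl-outside permit icmp any any
access-list acl-outside permit icmp any any echo-reply
access-list acl-outside permit icmp any any unreachable
access-list acl-outside permit icmp any any time-exceeded
write memory
```

The Telnet and SNMP lines are the ones to confirm first with `show running-config` afterwards: as posted, the firewall accepts Telnet from both inside subnets and carries the default community string, while SSH is permitted only from the 192.168.2.0 test network. The ICMP change keeps the `ping 4.2.2.2` test from inside hosts working, because PIX 6.3 does not track ICMP state and the echo replies must still be permitted in, while no longer accepting unsolicited echo requests from outside.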

  • On the Linksys router don’t use the “uplink” port to plug into the PIX, just use one of the regular switchports.  The Linksys doesn’t need to route anymore, it’s just a wireless bridge.  You should disable DHCP server and other routing functions on it.  This way your inside hosts should be getting their DHCP addresses from the PIX.

    Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13

    [email protected]

    Internetwork Expert, Inc.

    http://www.INE.com

    From: [email protected] [mailto:[email protected]] On Behalf Of ceranes
    Sent: Sunday, April 27, 2014 6:35 PM
    To: Brian McGahan
    Subject: Re: [hardware] CCNA Lab Build

  • Hey Brian,

    Just a quick update on the lab build. After some further research and testing, I was able to get the Linksys to allow internet access to the wireless clients. I discovered the key was to place the Linksys in a different subnet (192.168.2.0). Then turn off routing and NAT. Then assign the WAN port a static IP address from the 192.168.1.0 network. This way, when the WAN interface is connected to the PIX, it will assume it's another client in its 1.0 network, and NAT the traffic through the firewall and onto the internet. Everything is working great now!

    Thanks for your troubleshooting help.

    Chris
