8.7.1.3 Lab - (Optional) Configuring A Remote Access VPN Server and Client - Instructor

CCNA Security

Lab - (Optional) Configuring a Remote Access VPN Server and Client (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet Interfaces.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 30
Lab - (Optional) Configuring a Remote Access VPN Server and Client

IP Addressing Table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R2      Lo0            192.168.2.1   255.255.255.0    N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 Fa0/18

Objectives
Part 1: Configure Basic Device Settings
• Configure hostnames, interface IP addresses, and access passwords.
• Configure the OSPF dynamic routing protocol on R2 and R3.
Part 2: Configuring a Remote Access VPN
• Use CCP to configure a router to support an Easy VPN server.
• Configure the Cisco VPN client on PC-A and connect to R2.
• Verify the configuration.
• Test VPN functionality.

Background / Scenario
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. A
common VPN implementation is used for remote access to a corporate office from a telecommuter location
such as a small office or home office (SOHO).
In this lab, you build a multi-router network and configure the routers and hosts. You configure a remote
access IPsec VPN between a client computer and a simulated corporate network. You use CCP to configure
a Cisco Easy VPN server on the corporate edge gateway router and configure the Cisco VPN client on a host.
Then you connect to the corporate network through a simulated ISP router.
The Cisco VPN client allows organizations to establish end-to-end, encrypted (IPsec) VPN tunnels for secure
connectivity for mobile employees or teleworkers. It supports Cisco Easy VPN, which allows the client to
receive security policies upon a VPN tunnel connection from the central site VPN device (Cisco Easy VPN
Server), minimizing configuration requirements at the remote location. This is a scalable solution for remote
access deployments where it is impractical to individually configure policies for multiple remote PCs.
Note: The router commands and output in this lab are from a Cisco 1841 router with Cisco IOS Release
15.1(4)M8 (Advanced IP Services image). Other routers and Cisco IOS versions can be used. See the Router
Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the
equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and
output produced might vary from what is shown in this lab.


Note: Ensure that the routers and switches have been erased and have no startup configurations.
Instructor Note: Instructions for initializing the network devices are provided in Lab 0.0.0.0.

Required Resources
• 3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
• 2 Switches (Cisco 2960 or comparable)
• 2 PCs (Windows Vista or Windows 7 with CCP 2.5, Cisco VPN Client, latest version of Java, Internet
Explorer, and Flash Player)
• Serial and Ethernet cables as shown in the topology
• Console cables to configure Cisco networking devices
CCP Notes:
• Refer to Lab 0.0.0.0 for instructions on how to install and run CCP.
• If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-
click the CCP icon or menu item, and select Run as administrator.
• To run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Ensure that
all pop-up blockers are turned off in the browser.
Instructor Notes:
Host PC-A is connected to R1, which simulates an ISP router. R1 is connected to R2, the corporate edge
gateway router. Router R2 connects to R3 to represent a multi-router internal corporate network. Routers R2
and R3 are configured with OSPF. The ISP router, R1, does not participate in the OSPF process. PC-A is
used to connect to R2 through R1 to configure R2 as a VPN server.
Although switches are shown in the topology, students can omit the switches and use crossover cables
between the PCs and routers R1 and R3.
The version of the Cisco VPN Client used in this lab is 5.0.07.0440 for use with Windows. You must have a
valid CCO account and service contract to download the file.
The basic running configurations for all three routers are captured after Part 2 of the lab is completed. All
configurations are found at the end of the lab.

Part 1: Configure Basic Device Settings


In Part 1, you set up the network topology and configure basic settings, such as the interface IP addresses,
dynamic routing, device access, and passwords.
Note: Perform all tasks on routers R1, R2, and R3. The procedure for R1 is shown here as an example.

Step 1: Cable the network as shown in the topology.


Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.


a. Configure hostnames as shown in the topology.
b. Configure the physical interface IP addresses as shown in the IP addressing table.
c. Configure the logical loopback 0 interface on R2. This simulates the network from which the remote
access clients receive addresses (192.168.2.0/24). Because loopback interfaces are up by default, it is
not necessary to use the no shutdown command.
R2(config)# interface Loopback 0


R2(config-if)# ip address 192.168.2.1 255.255.255.0


d. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

Step 3: Disable DNS lookup.


a. To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)# no ip domain-lookup

Step 4: Configure the OSPF routing protocol on R2 and R3.


Note: R2 and R3 exchange routes in OSPF AS 101. R1 is acting as an ISP router and does not participate in
the OSPF routing process.
a. On R2, use the following commands:
R2(config)# router ospf 101
R2(config-router)# network 10.2.2.0 0.0.0.3 area 0
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0
b. On R3, use the following commands:
R3(config)# router ospf 101
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
R3(config-router)# network 10.2.2.0 0.0.0.3 area 0

Step 5: Configure a static default route on R2.


Router R1 represents a connection to the Internet. A default route is configured on R2 for all traffic whose
destination network does not exist in the R2 routing table.
Note: Without the default route configured on R2, R2 cannot respond to the CCP HTTP connection from PC-
A later in the lab. Because R1 is not part of the OSPF domain and is not advertising the PC-A LAN, R2 does
not know about the 192.168.1.0/24 network.
a. Configure a static default route on R2 that points to the R1 S0/0/0 interface IP address.
R2(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
b. Redistribute the static default route into OSPF so that R3 also learns the route.
R2(config)# router ospf 101
R2(config-router)# default-information originate

Step 6: Configure PC host IP settings.


a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP addressing
table.
b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP addressing
table.

Step 7: Verify basic network connectivity.


a. Ping from PC-A to the R2 S0/0/0 interface at IP address 10.1.1.2.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.


Note: PC-A should be able to ping external R2 interface S0/0/0, but is unable to ping any of the internal
OSPF network IP addresses on R2 and R3.
b. Ping from R2 to PC-C on the R3 LAN.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from R2 to PC-C, you have demonstrated that the OSPF routing protocol is
configured and functioning correctly. If you cannot ping, but the device interfaces are up and IP
addresses are correct, use the show run and show ip route commands to help identify routing protocol-
related problems.

Step 8: Configure a minimum password length.


Note: Passwords in this lab are set to a minimum of 10 characters, but are relatively simple for the benefit of
performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10

Step 9: Configure the basic console and vty lines.


a. Configure a console password and enable login for router R1. For additional security, the exec-timeout
command causes the line to log out after 5 minutes of inactivity. The logging synchronous command
prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents it from
expiring; however, we do not recommend this.
R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
b. Configure the password on the vty lines for router R1.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
c. Repeat these configurations on both R2 and R3.

Step 10: Encrypt clear text passwords.


a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption
b. Issue the show run command. Can you read the console, aux, and vty passwords? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No. The passwords are now encrypted.
c. Repeat this configuration on both R2 and R3.


Step 11: Save the basic running configuration for all three routers.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
R1# copy running-config startup-config

Part 2: Configuring a Remote Access VPN


In Part 2, you will configure a remote access IPsec VPN. You will use CCP to configure R2 as an Easy VPN
server and configure the Cisco VPN client on PC-A. The PC-A host simulates an employee connecting from
home over the Internet. Router R1 simulates an Internet ISP router.

Task 1: Prepare R2 for CCP Access and Easy VPN Server Setup.

Step 1: Configure user credentials for HTTPS router access prior to starting CCP.
a. Enable the secure HTTP server on R2.
R2(config)# ip http secure-server
b. Create an admin account on R2 with privilege level 15 for use with AAA and CCP.
R2(config)# username admin privilege 15 password cisco12345
c. Have CCP use the local database to authenticate web sessions.
R2(config)# ip http authentication local

Step 2: Access CCP and discover R2.


a. Run the CCP application on PC-A. In the Select/Manage Community window, in the IP
Address/Hostname field, enter the R2 IP address 10.1.1.2, in the Username field, enter admin and, in the
Password field, cisco12345. Click the Connect Securely check box, and then click OK.


b. At the CCP Dashboard, click Discover to discover and connect to R2. If the discovery process fails, click
Discover Details to identify the likely cause so that you can resolve the issue.
c. Click Yes to accept the certificate when the Security Certificate Alert window displays.

Task 2: Use the CCP VPN Wizard to Configure the Easy VPN Server.

Step 1: Launch the Easy VPN server wizard and configure AAA services.
a. At the top of the CCP home screen, click Configure. In the left pane, click Security > VPN > Easy VPN
Server.

b. Click Launch Easy VPN Server Wizard.


The Easy VPN Server wizard checks the router configuration to see if AAA is enabled. If not, the Enable
AAA window displays. AAA must be enabled on the router before the Easy VPN Server configuration
starts.
c. Click Yes to continue with the configuration.
d. If prompted to deliver the configuration to the router, click Deliver.
e. In the Command Delivery Status window, click OK. When the “AAA has been successfully enabled on the
router” message displays, click OK.
f. Now that AAA is enabled, you can start the Easy VPN Server wizard by clicking Next in the Welcome
window. Read through the descriptions of the tasks that the wizard guides you through.


How does the client receive the IPsec policies?
____________________________________________________________________________________
____________________________________________________________________________________
They are centrally managed and pushed to the client by the server.
How does the Easy VPN remote server configuration differ from the site-to-site?
____________________________________________________________________________________
____________________________________________________________________________________
Both configure IKE policies and IPsec transforms. The remote access server configures a virtual template
interface and authentication, group policy lookup, and user authentication, among others.
g. Click Next when you are finished answering the above questions.

Step 2: Configure the virtual tunnel interface and authentication


a. From the pull-down list, select the Serial0/0/0 interface as the interface for the Easy VPN Server. This is
the interface on which the client connections terminate.
b. Select the Pre-shared Keys option for the authentication type and click Next to continue.


Step 3: Select the IKE proposal.


a. In the Internet Key Exchange (IKE) Proposals window, the default IKE proposal is used for R2.


What is the encryption method used with the default IKE policy?
____________________________________________________________________________________
3DES
What is the hash algorithm used to ensure that the keys have not been tampered with?
____________________________________________________________________________________
SHA_1
b. Click Next to accept the default IKE policy.
Note: Configurations on both sides of the tunnel must match exactly. However, the Cisco VPN client
automatically selects the proper configuration for itself. Therefore, no IKE configuration is necessary on
the client PC.

Step 4: Select the transform set.


a. In the Transform Set window, the CCP default transform set is used. What is the ESP encryption method
used with the default transform set?
____________________________________________________________________________________
ESP_3DES

b. Click Next to accept the default transform set.

Step 5: Specify group authorization and group policy lookup.


a. In the Group Authorization and Group Policy Lookup window, select the Local option because a RADIUS
server is not available.


b. Click Next to create a new AAA method list for the group policy lookup that uses the local router
database.

Step 6: Configure User Authentication (XAuth).


a. In the User Authentication (XAuth) window, you can specify where user information will be configured.
Choices include an external server, such as a RADIUS server, a local database or both. Check the
Enable User Authentication check box and accept the default of Local Only.


Where does the router look for valid user accounts and passwords to authenticate remote VPN users
when they attempt to log in?
____________________________________________________________________________________
____________________________________________________________________________________
The local router user database. If the username is not locally defined on R2, the user cannot log in.
b. Click Add User Credentials. In the User Accounts window, you can view currently defined users or add
new users. What is the name of the user currently defined, and what is the user privilege level?
____________________________________________________________________________________
admin, with privilege level 15
How was this user defined?
____________________________________________________________________________________
It was defined during the initial Cisco IOS CLI configuration.
c. In the User Accounts window, click Add to add another user. Enter the username user01 with a
password of user01pass, and check the Encrypt Password Using MD5 Hash Algorithm check box. Leave
the privilege level at 1.
What is the range of privilege levels that can be set for a user?
____________________________________________________________________________________
0 through 15

d. Click OK to accept the user01 entries, and then click OK to close the User Accounts window.


e. In the User Authentication (XAuth) window, click Next to continue.

Step 7: Specify group authorization and user group policies.


a. In the Group Authorization and User Group Policies window, you must create at least one group policy for
the VPN server.

b. Click Add to create a group policy.


c. In the Add Group Policy window, enter VPN-Access as the name of this group. Enter a new pre-shared
key of cisco12345, and then re-enter it.
d. Leave the Pool Information box checked. Enter a starting address of 192.168.2.101, an ending address
of 192.168.2.150, and a subnet mask of 255.255.255.0.
e. Enter 50 for the Maximum Connections Allowed.
f. Click OK to accept the entries.


g. If a CCP warning message displays indicating that the IP addresses in the pool and the IP address of the
Loopback0 interface are in the same subnet, click Yes to confirm.
Why use an IP network for the VPN clients pool that is associated with a loopback interface?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
R2 will advertise the entire loopback network 192.168.2.0/24 to other routers as one full subnet and not
simply host routes for VPN clients. This significantly increases stability throughout the OSPF routing
domain.
How does R3 route traffic to the VPN clients?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
R3 learns the subnet used by R2’s loopback interface as advertised through OSPF. Therefore, R3 sends
traffic destined for VPN clients to a next hop of R2.
h. When you return to the Group Authorization window, click the Configure Idle Timer check box and enter
one hour (1). This disconnects idle users if there is no activity for one hour and allows others to connect.
Click Next to continue.

i. If the Cisco Tunneling Control Protocol (cTCP) window displays, do not enable cTCP. Click Next to
continue.


Step 8: Review the configuration summary and deliver the commands.


a. Scroll through the commands that CCP will send to the router. Do not click the Test VPN connectivity
after configuring check box. Click Finish.
b. If prompted to deliver the configuration to the router, click Deliver.

c. In the Command Delivery Status window, click OK. How many commands were delivered?
____________________________________________________________________________________
35 with CCP 2.5

Step 9: Test the VPN server.


a. You are returned to the main VPN window with the Edit Easy VPN Server tab selected. Click Test VPN
Server in the bottom right corner of the screen.
b. In the VPN Troubleshooting window, click Start.
c. Your screen should look similar to the one below. Click OK to close the information window. Click Close
to exit the VPN Troubleshooting window.


Note: If you receive a failure after testing the VPN server, close the VPN Troubleshooting window and proceed as follows.
1) Click the Edit button at the top right of the Edit Easy VPN Server tab.
2) Click OK in the Edit Easy VPN Server Connection window.
3) Click OK in the Easy VPN Server Passthrough Configuration window.
4) Click the box to the right of the FastEthernet0/1 interface to mark it as inside (Trusted).
5) Rerun Test VPN Server by clicking that button at the bottom right of the Edit Easy VPN Server tab.
6) Click the Start button. The test should pass this time.

Task 3: Use the Cisco VPN Client to Test the Remote Access VPN.

Step 1: (Optional) Install the Cisco VPN client.


If not already installed, install the Cisco VPN client software on host PC-A. If you do not have the Cisco VPN
client software, contact your instructor.
Instructor Notes: The version of the Cisco VPN Client used in this lab is 5.0.07.0440 for use with
Windows 7. You must have a valid CCO account and service contract to download the file. Extract the
.exe or .zip file and begin the installation. Accept the defaults as prompted. Click Finish when the VPN
Client has been successfully installed. Click Yes to restart the computer for the configuration changes to
take effect.


Step 2: Configure PC-A as a VPN client to access the R2 VPN server.


a. Start the Cisco VPN client, select the Connection Entries tab, and click the New icon.

b. Enter the following information to define the new connection entry. Click Save when you are finished.
Connection Entry: VPN-R2
Description: Connection to R2 internal network
Host: 10.1.1.2 (IP address of the R2 S0/0/0 interface)
Group Authentication Name: VPN-Access (Defines the address pool configured in Task 2)
Password: cisco12345 (Pre-shared key configured in Task 2)
Confirm Password: cisco12345
Note: The group authentication name and password are case-sensitive and must match the ones created
on the VPN server.


Step 3: Test access from PC-A without a VPN connection.


a. Open a command prompt on PC-A, and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the
pings successful? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The pings failed because PC-A still has an IP address (192.168.1.3) that is outside the OSPF domain.
PC-A cannot access the internal PC-C host in the OSPF network 192.168.3.0/24 without an address
within the OSPF domain (from the VPN access group associated with the 192.168.2.0/24 network).
Note: After creating a VPN connection entry, you must activate it. Currently, the VPN tunnel is not up.

Step 4: Establish a VPN connection and log in.


a. Select the newly created connection VPN-R2 and click the Connect icon. You can also double-click the
connection entry.


b. Enter the username user01 created previously on the VPN router, and enter the password user01pass.
c. Click OK to continue. The VPN Client window minimizes to a lock icon in the system tray of the
taskbar. When the lock is closed, the VPN tunnel is up. When it is open, the VPN connection is down.

Task 4: Verify the VPN Tunnel between the Client, Server, and Internal Network.

Step 1: Check the VPN Client status.


a. Double-click the VPN lock icon to expand the VPN Client window.
b. What does it say about the connection status at the top of the window?
____________________________________________________________________________________
Status: Connected

Step 2: Check the tunnel statistics.


a. On the VPN connection menu bar, click Status > Statistics to display the Tunnel Details tab.


What is the Client IP address obtained from the VPN server?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary but can range from 192.168.2.101 through 192.168.2.150. The pool of addresses was
defined in Task 2.
Note: Each time you disconnect and reconnect to the VPN server, you receive a new IP address until the
limit is reached.
b. What is the VPN server address?
____________________________________________________________________________________
10.1.1.2
How many packets have been encrypted?
____________________________________________________________________________________
Answers will vary
What is the encryption method being used?
____________________________________________________________________________________
168-bit 3-DES
What is the authentication being used?
____________________________________________________________________________________
HMAC-SHA1

Step 3: Check the Cisco IOS messages on R2 when the tunnel is created.
Open the console connection for R2 and locate the message displayed indicating that the virtual interface
came up when the VPN Client connection was created.


R2#
*Feb 2 16:09:08.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2#

Step 4: Verify the VPN connection.


a. From the PC-A command prompt, issue the ipconfig /all command to see the network connections
currently in use.
C:\> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC-A
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Broadcom 570x Gigabit Controller
   Physical Address. . . . . . . . . : 00-0B-DB-04-A5-CD
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
b. What is the configuration for the first local area connection?
IP Address: __________________________________________ 192.168.1.3
Subnet Mask: __________________________________________ 255.255.255.0
Default Gateway: __________________________________________ None since the VPN tunnel is activated
Description: __________________________________________ Broadcom 570x Gigabit Controller (Answers will vary)
c. What is the configuration for Local Area Connection 2?
IP Address: __________________________________________ 192.168.2.104 (answers will vary – 192.168.2.101-.150)


Subnet Mask: __________________________________________ 255.255.255.0
Default Gateway: __________________________________________ 192.168.2.1 (R2 Lo0 interface)
Description: __________________________________________ Cisco Systems VPN Adapter
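The checks in Steps 3 and 4 can be automated. The following is an added example, not part of the Cisco lab: it parses the R2 console message and the PC-A ipconfig /all output shown above (a constructed, trimmed copy is embedded) and verifies that the Cisco VPN adapter received an address from the VPN-Access pool configured in Task 2 with R2 Lo0 as its gateway. The function and constant names are this example's own.

```python
"""Added example (not the lab's code): verify Easy VPN client state from
the ipconfig /all output and the R2 console message shown in Task 4."""
import ipaddress
import re

# Group policy values configured in Task 2 (VPN-Access pool, R2 Lo0).
POOL_START = ipaddress.ip_address("192.168.2.101")
POOL_END = ipaddress.ip_address("192.168.2.150")
LO0_NETWORK = ipaddress.ip_network("192.168.2.0/24")
LO0_ADDRESS = ipaddress.ip_address("192.168.2.1")

# Constructed sample, trimmed from the PC-A output in Task 4, Step 4.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC-A

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Broadcom 570x Gigabit Controller
   Physical Address. . . . . . . . . : 00-0B-DB-04-A5-CD
   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   IP Address. . . . . . . . . . . . : 192.168.2.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
"""

# R2 console message from Task 4, Step 3 (copied from the lab).
R2_LOG_SAMPLE = ("*Feb 2 16:09:08.907: %LINEPROTO-5-UPDOWN: Line protocol on "
                 "Interface Virtual-Access2, changed state to up")

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
# Field name, dotted leader, colon, value (value may be empty).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")
UPDOWN_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (Virtual-Access\d+), "
    r"changed state to (up|down)")


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} from ipconfig /all text."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def vpn_adapter(adapters):
    """Return (name, fields) of the Cisco VPN adapter, or (None, None)."""
    for name, fields in adapters.items():
        if "VPN Adapter" in fields.get("Description", ""):
            return name, fields
    return None, None


def check_client_address(fields):
    """Compare the assigned address with the Task 2 pool and R2 Lo0.
    Returns a list of findings; an empty list means the client is correct."""
    findings = []
    addr = ipaddress.ip_address(fields["IP Address"])
    gw = fields.get("Default Gateway", "")
    if not (POOL_START <= addr <= POOL_END):
        findings.append(f"{addr} is outside the pool {POOL_START}-{POOL_END}")
    if addr not in LO0_NETWORK:
        findings.append(f"{addr} is not in the Lo0 network {LO0_NETWORK}")
    if gw != str(LO0_ADDRESS):
        findings.append(f"default gateway {gw!r} is not R2 Lo0 {LO0_ADDRESS}")
    return findings


def parse_virtual_access_event(line):
    """Return (interface, state) for a Virtual-Access transition, else None."""
    m = UPDOWN_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print("R2 event:", parse_virtual_access_event(R2_LOG_SAMPLE))
    name, fields = vpn_adapter(parse_ipconfig(IPCONFIG_SAMPLE))
    print(name, "->", check_client_address(fields) or "OK")
```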

Step 5: Test the access from the client with the VPN connection.
With the VPN connection from computer PC-A to router R2 activated, open a command prompt on PC-A, and
ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the pings successful? Explain.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
The pings are now successful because PC-A has an IP address (192.168.2.104 in this case) that was
assigned by the VPN server and is inside the OSPF domain. PC-A can access the internal PC-C host in the
OSPF network 192.168.3.0/24 now because it is in the VPN access group associated with the 192.168.2.0/24
network.

Step 6: Telnet to R2 from PC-A.


a. From the PC-A command prompt, telnet to R2 at the Lo0 IP address 192.168.2.1. Log in as admin with
the password cisco12345. What is the router command prompt and why?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Because the user admin was defined with privilege level 15 (the highest), the prompt defaults to
privileged EXEC mode (R2#).
b. Issue the show run command to view the various commands generated by CCP to configure the VPN
server.
c. Issue the show users command to see the connections to router R2. What connections are present?
____________________________________________________________________________________
____________________________________________________________________________________
The console connection and the vty connection from PC-A by the user admin.
d. Exit the Telnet session with the quit or exit command.
e. Telnet from PC-A to R2 again at the Lo0 IP address 192.168.2.1. Log in as user01 with the password
user01pass. What is the router command prompt and why is this?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Because user user01 was defined with privilege level 1 (the lowest), the prompt defaults to user EXEC
mode (R2>).
f. Exit the Telnet session with the quit or exit command.
g. Right-click the VPN Client icon in the tools tray and select Disconnect, or click the VPN-R2 connection
and click the Disconnect icon.

Reflection
Why is VPN a good option for remote users?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but should include the following: It is a flexible technology that is widely supported by
equipment vendors. Service is commonly available from ISPs. A VPN server can be set up independent of the
ISP if desired. VPN provides easy and secure access to internal LAN resources for remote workers and
business partners. Any authorized person with an Internet connection can access internal resources as if they
were on the local LAN.

Router Interface Summary Table

Router Interface Summary

Router Model  Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.

Router Configs
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.

Router R1 after Part 2


R1#show run
Building configuration...

Current configuration : 1238 bytes


!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password ciscovtypass
login
!
scheduler allocate 20000 1000
end

Router R2 after Part 2


R2#show run
Building configuration...

Current configuration : 2700 bytes


!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$T5rj$SdPauuFGQGqdqixl9y01S.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
username admin privilege 15 password 7 01100F175804575D72181B
username user01 secret 5 $1$YmkE$DGJQzwBzH7Z45hVZz7lm10
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN-Access
key cisco12345
pool SDM_POOL_1
max-users 50
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN-Access
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
no fair-queue
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
clock rate 64000
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
!
router ospf 101
default-information originate
network 10.1.1.0 0.0.0.3 area 0
network 10.2.2.0 0.0.0.3 area 0
network 192.168.2.0 area 0
!
ip local pool SDM_POOL_1 192.168.2.101 192.168.2.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server
ip http authentication local
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 05080F1C22434D061715160118
logging synchronous
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 110A1016141D1D181D3A2A373B
!
scheduler allocate 20000 1000
end
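The R2 configuration above is what the CCP Easy VPN wizard generates. As an added example that is not part of the Cisco lab, the following Python script reads a saved show run and flags the settings a reviewer would want to tighten before such a server left the lab: 3DES and DH group 2 in the IKE policy, the group pre-shared key recoverable from the config, type 7 reversible passwords, a username defined with password instead of secret, cleartext HTTP management, and vty lines that still accept Telnet. The R2_CONFIG excerpt is constructed from the R2 output on this page, and the finding names are the script's own, not IOS or CCP terminology.

```python
# Added example, not the lab's own code. R2_CONFIG is a constructed excerpt of R2's show run above.
R2_CONFIG = """\
service password-encryption
username admin privilege 15 password 7 01100F175804575D72181B
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN-Access
 key cisco12345
ip http server
line vty 0 4
 password 7 110A1016141D1D181D3A2A373B
"""

def parse_sections(text):
    """Group each top-level IOS command with its indented child lines."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and IOS '!' separators carry no config
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections

def audit_config(text):
    """Return sorted (finding, where) pairs for settings worth tightening."""
    findings = []
    for head, kids in parse_sections(text):
        if head.startswith("crypto isakmp policy"):
            if "encr 3des" in kids or "encr des" in kids:
                findings.append(("IKE_WEAK_CIPHER", head))
            if "group 1" in kids or "group 2" in kids:
                findings.append(("IKE_WEAK_DH_GROUP", head))  # 768/1024-bit DH
        elif head.startswith("crypto isakmp client configuration group"):
            if any(k.startswith("key ") for k in kids):  # PSK recoverable from show run
                findings.append(("GROUP_PSK_IN_CONFIG", head.split()[-1]))
        elif head.startswith("username") and " password " in head:
            findings.append(("USER_PASSWORD_NOT_SECRET", head.split()[1]))
        elif head == "ip http server":
            findings.append(("HTTP_MGMT_CLEARTEXT", head))
        elif head.startswith("line vty"):
            if not any(k.startswith("transport input ssh") for k in kids):
                findings.append(("VTY_TELNET_ALLOWED", head))
            if any(k.startswith("password 7") for k in kids):
                findings.append(("TYPE7_REVERSIBLE_PASSWORD", head))
    return sorted(findings)
```

Run against the full R2 output, the script produces the same seven findings the excerpt does; a policy using AES and group 14 with SSH-only vty lines produces none.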

Router R3 after Part 2


R3#show run
Building configuration...

Current configuration : 1303 bytes


!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
no ip address
!
router ospf 101
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 03075218050022434019181604
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login
!
scheduler allocate 20000 1000
end
