Cisco Packet Tracer 8.x labs
Download free Cisco Packet Tracer 8.2.2 labs designed by our team for CCNA and CCNP Enterprise training.
Packet Tracer 8.2.2 is compatible with labs created in previous Packet Tracer versions 8.1, 8.0 and 7.x. However, files created in Packet Tracer 8.2.2 are not backward compatible with previous versions. Please download Cisco Packet Tracer 8.2.2 from Cisco Netacad before using our labs.
All activities included in the new CCNA v7.02 curricula are fully compatible with Packet Tracer 8.x software updates. CCNA v7 students should continue to use Packet Tracer 7.2.2. It is highly recommended that CCNA Routing & Switching (v6), CCNA Discovery, CCNA Exploration and CCNA Security students stay with Packet Tracer 7.2.2, as they could encounter warning messages in Packet Tracer 8.2.2.
Lab instructions
This lab will show you how to configure a site-to-site IPsec VPN using the Packet Tracer 8.2 ASA 5505 firewall. By default, the Cisco ASA 5505 firewall denies traffic entering the outside interface if no explicit ACL has been defined to allow it. This default behaviour helps protect the enterprise network from the internet during the VPN configuration.
Packet Tracer 8.2 also features the newest Cisco ASA 5506-X firewall.
In this lab, a small branch office will be securely connected to the enterprise campus over the internet using a broadband DSL connection to demonstrate ASA 5505 site-to-site VPN capabilities. No dynamic routing protocol will be configured between the two sites.
Campus addressing scheme :
- Campus IP addresses : 172.16.0.0/17
- DC : 172.16.0.0/18
- Users : 172.16.64.0/20
- DMZ : 172.16.96.0/21
- Network devices : 172.16.252.0/23
- L3 P2p links : 172.16.254.0/24
Branch office 1 IP subnet : 172.16.129.0/24
Enterprise internet IP addresses : 134.95.56.16/28
IPSEC VPN configuration to apply :
- ESP Encryption : AES-256
- AH hash algorithm : SHA
- Pre shared key : SHAREDSECRET
Introduction
A growing challenge for network administrators is controlling who is allowed, and who is not, to access the organization's internal network. This access control is mandatory for protecting critical infrastructure in your network. It is not mandatory on public parts of the network, where guest users should be able to connect.
Port security is a feature of Cisco Catalyst switches that helps network engineers enforce network security at network boundaries.
In its most basic form, the Port Security feature remembers the MAC address of the device connected to the switch edge port and allows only that MAC address to be active on that port. If any other MAC address is detected on that port, the port security feature shuts down the switch port.
The switch can be configured to send an SNMP trap to a network monitoring solution to alert that a port has been disabled for security reasons.
Lab instructions
SSL VPN technology can be configured in three ways :
- Thin Client VPN
- SSL VPN Client
- Clientless SSL VPN (WebVPN)
Clientless SSL VPN is a technology allowing limited but secure access to internal network resources from any location using a web browser. No specific VPN client is needed: a remote user only needs an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the internal network. This technology is available on the ASA 5505 firewall and has been implemented in the Packet Tracer 8.2 network simulator.
Firewall configuration to apply in this lab:
- Outside IP : 192.168.1.1/24
- Inside IP : 192.168.2.1/24
- User login : test
- User password : test.test
- Website IP : site 1
Network diagram
In this lab, the AutoNAT feature of the ASA 5506-X firewall is used to configure the NAT rules that allow the hosts on the LAN segments to connect to the Internet. Network Address Translation is needed because these internal hosts use private IP addresses, which are not routable on the Internet. Network Address Translation rewrites the addresses so that they look like the ASA's outside interface IP address. AutoNAT is best suited when the ASA external IP changes frequently (DHCP).
Lab instructions
1. Configure NAT to allow LAN users to access the Internet.
2. Configure NAT to allow DMZ servers to access the Internet.
3. Configure an inbound NAT rule to allow access to the 172.16.1.10 DMZ webserver from the Internet with the 148.12.56.68 public IP address.
4. Configure ICMP rules to allow laptop1 to ping the 148.12.56.1 internet router and any internet resource. An access-list, named OUTSIDE, will be configured to allow incoming echo-reply and unreachable ICMP replies.
5. Configure the required access-lists on the internet-facing interface to allow incoming traffic to the DMZ webserver.
6. Test HTTP connectivity from the Public laptop to the DMZ webserver (http://148.12.56.68).