

Using a series of Cisco routers and hosts within PacketTracer, complete the tasks below and provide the requested outputs for your submission. You may use reference materials obtained from the Cisco Systems website, books from Cisco Press, or material obtained from 3rd party training institutions. Additionally, you may team up with two other students for this lab!

Lab Topology:

[Figure: "CIS 467 VPN Lab Topology". The diagram itself is not reproduced; its labels are listed below.]

Devices: R1, R2, R3, R4, SW-1, SW-2, Laptop-1 (DHCP), Laptop-2 (DHCP), and the servers WWW, AD, HR and TS MGT behind SW-2.

Links: 10.255.0.0/29 (R1, R3 and R4 via SW-1), 172.16.0.0/30 (R1 to R2), a TRUNK carrying VLANs 10,20,30,40 (SW-2 to R2), 10.8.49.0/24 (the laptop segment behind R3) and 10.241.12.0/27 (the laptop segment behind R4). Router interface addresses on the diagram are shown as .1, .2 and .3.

VLAN 10: 192.168.18.0/24
VLAN 20: 192.168.234.0/24
VLAN 30: 192.168.57.128/28
VLAN 40: 192.168.5.224/27

Gateway is the first address.

WWW: 192.168.18.38
AD: 192.168.234.227
HR: 192.168.57.133
TS MGT: 192.168.5.252

Lab Tasks:

1. Configure all devices and servers with the IP addressing and VLANs listed in the topology.
   - Note that the servers will not perform real functions. The "Generic Server" entity in PT is adequate to complete the lab.
   - Any router that supports VPN functionality may be used.
   - SW-1 only contains enough configuration to provide connectivity between the routers as you see fit.
   - SW-2 only contains enough configuration to provide the listed segmented connectivity for the servers to R2.

2. Configure static default routes per the list below. Note that the destination may not exist:
   - R1: 10.255.0.5
   - R2: 172.16.0.1
   - R3: 10.255.0.5
   - R4: 10.255.0.5

3. Configure the following static routes on R1:
   - 192.168.18.0/24 to 172.16.0.2
   - 192.168.5.224/27 to 172.16.0.2
   - 192.168.57.128/28 to 172.16.0.2
   - 192.168.234.0/24 to 172.16.0.2

4. Configure appropriate DHCP scopes for the two laptops and ensure that the laptops receive a dynamic IP address and default route.

5. Perform the following verification steps:
   - Verify R1, R3, and R4 can ping each other on the 10.255.0.0/29 network.
   - Verify that R1 and R2 can ping each other.
   - Verify that all servers can ping R1.
   - Verify Laptop-1 can ping R3.
   - Verify Laptop-2 can ping R4.
   - Verify that none of the servers can ping Laptop-1 or Laptop-2.
   - Verify that the laptops cannot ping any router other than the one to which they are directly attached.
   - Verify that R2 cannot ping R3 and R4.
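Tasks 1 to 5 worked through as an added example. This is not configuration from the lab handout; it assumes 2911-style interface names (GigabitEthernet0/0 and 0/1), a 2960-style SW-2 with the servers on FastEthernet0/1 to 0/4, R1 at 172.16.0.1, and 10.8.49.1 / 10.241.12.1 as the router addresses on the laptop segments (the handout only fixes the VLAN gateways and the 172.16.0.2 next hop).

```cisco
! ===== R2: router-on-a-stick toward SW-2 (trunk carrying VLANs 10,20,30,40) =====
! Interface names are assumed. The gateway is the first host address of each VLAN.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.18.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.234.1 255.255.255.0
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.57.129 255.255.255.240
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.5.225 255.255.255.224
! Uplink to R1 on 172.16.0.0/30: R2 is .2 (R1's static routes point at it), R1 is .1.
interface GigabitEthernet0/1
 ip address 172.16.0.2 255.255.255.252
 no shutdown
! Task 2: R2's default route toward R1.
ip route 0.0.0.0 0.0.0.0 172.16.0.1

! ===== SW-2: VLANs, one access port per server, trunk to R2 (port numbers assumed) =====
vlan 10
vlan 20
vlan 30
vlan 40
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 30
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 40
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40

! ===== R1: tasks 2 and 3 =====
! The default route points at 10.255.0.5, which does not exist on the /29. Packets for
! unknown destinations still leave through the 10.255.0.0/29 interface, which is what
! lets a crypto map on that interface (tasks 7 and 8) intercept them later.
ip route 0.0.0.0 0.0.0.0 10.255.0.5
ip route 192.168.18.0 255.255.255.0 172.16.0.2
ip route 192.168.5.224 255.255.255.224 172.16.0.2
ip route 192.168.57.128 255.255.255.240 172.16.0.2
ip route 192.168.234.0 255.255.255.0 172.16.0.2

! ===== R3: LAN interface and task 4 DHCP for Laptop-1 (10.8.49.1 is assumed) =====
interface GigabitEthernet0/0
 ip address 10.8.49.1 255.255.255.0
 no shutdown
! Exclude the gateway so the pool never hands it to a client.
ip dhcp excluded-address 10.8.49.1
ip dhcp pool LAPTOP1-POOL
 network 10.8.49.0 255.255.255.0
 default-router 10.8.49.1
! Task 2 default route. R4 is built the same way for 10.241.12.0/27
! (gateway 10.241.12.1, mask 255.255.255.224).
ip route 0.0.0.0 0.0.0.0 10.255.0.5
```

Check the result with show ip route on R1 (four statics plus the default), show vlan brief and show interfaces trunk on SW-2, and show ip dhcp binding on R3 after the laptop renews its lease. The "R2 cannot ping R3 and R4" check in task 5 passes for a reason worth understanding: R2's echo requests reach R3 via R1, but R3's replies follow its default route to 10.255.0.5, a next hop that never answers ARP, so nothing comes back. The same mechanism keeps the laptops from reaching any router other than their own.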

6. If necessary, enable the trial license for the IP Security K9 bundle on your router.
   - Router(config)# license boot module c1900 technology-package securityk9
     i. Note that you may need to run this command twice in order to show the EULA and accept it. The license will not activate until the EULA is accepted.
   - Once the EULA is accepted, save your configuration using the write command, and reboot your router.
   - Use the show license feature command to verify that the Security K9 bundle is installed and activated.
   - See the troubleshooting steps at the end of this lab for more details.

7. Configure a VPN tunnel from R1 to R3 for a remote HR employee:
   - Pre-Shared Key: secrethrtunnel
   - Phase 1:
     i. Auth: Pre-Shared Key
     ii. Encryption: 3DES
     iii. Hash: MD5
     iv. DH Group 1
     v. Lifetime: 28800 seconds
   - Phase 2:
     i. Encryption: 3DES
     ii. HMAC: MD5
     iii. DH Group 1
     iv. R1 Local Subnets: VLAN 20,30
     v. R3 Local Subnets: 10.8.49.0/24
     vi. SA Lifetime: 86400 seconds

8. Configure a VPN tunnel from R1 to R4 for a remote administrator:
   - Pre-Shared Key: secretadmintunnel
   - Phase 1:
     i. Auth: Pre-Shared Key
     ii. Encryption: AES128
     iii. Hash: SHA
     iv. DH Group 2
     v. Lifetime: 28800 seconds
   - Phase 2:
     i. Encryption: AES128
     ii. HMAC: SHA
     iii. DH Group 2
     iv. R1 Local Subnets: VLANs 10,20,30,40
     v. R4 Local Subnets: 10.241.12.0/27
     vi. SA Lifetime: 86400 seconds

9. Verify the following:
   - Laptop-1 can ping the following:
     i. HR and AD server.
     ii. The gateway addresses for VLANs 20 and 30.
   - Laptop-1 cannot ping the following:
     i. WWW and TS MGT.
   - Laptop-2 can ping the following:
     i. All 4 servers.
     ii. The gateway addresses for all 4 VLANs behind R2.

10. Verify that traffic is being encrypted and decrypted on each router using the command show crypto ipsec sa. The counters for encrypted packets should be incrementing as traffic flows.
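Tasks 7 to 10 worked through on R1 and R3 as an added example (not configuration from the lab handout; R4 is not shown but mirrors R3 with the task 8 parameters). It also illustrates the point made in the troubleshooting section about crypto ACLs: local networks as the source, remote networks as the destination, reversed on the far end, written with wildcard masks. Assumed values: R1 = 10.255.0.1, R3 = 10.255.0.2 and R4 = 10.255.0.3 on the /29, with GigabitEthernet0/1 as R1's outside interface and GigabitEthernet0/1 as R3's; the names VPN-MAP, HR-VPN, ADMIN-VPN, HR-TS and ADMIN-TS are mine.

```cisco
! ===== R1: both tunnels terminate here, so both Phase 1 policies must exist =====
! Task 7 Phase 1 (HR tunnel to R3)
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 28800
! Task 8 Phase 1 (admin tunnel to R4)
crypto isakmp policy 20
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! One pre-shared key per peer, keyed on the peer's outside address (assumed).
crypto isakmp key secrethrtunnel address 10.255.0.2
crypto isakmp key secretadmintunnel address 10.255.0.3
! Phase 2 transform sets (encryption + HMAC from the task lists).
crypto ipsec transform-set HR-TS esp-3des esp-md5-hmac
crypto ipsec transform-set ADMIN-TS esp-aes 128 esp-sha-hmac
! Interesting traffic. Wildcard masks: /24 -> 0.0.0.255, /28 -> 0.0.0.15, /27 -> 0.0.0.31.
! HR tunnel carries only VLANs 20 and 30, which is why task 9 expects Laptop-1 to
! reach HR and AD but not WWW or TS MGT.
ip access-list extended HR-VPN
 permit ip 192.168.234.0 0.0.0.255 10.8.49.0 0.0.0.255
 permit ip 192.168.57.128 0.0.0.15 10.8.49.0 0.0.0.255
ip access-list extended ADMIN-VPN
 permit ip 192.168.18.0 0.0.0.255 10.241.12.0 0.0.0.31
 permit ip 192.168.234.0 0.0.0.255 10.241.12.0 0.0.0.31
 permit ip 192.168.57.128 0.0.0.15 10.241.12.0 0.0.0.31
 permit ip 192.168.5.224 0.0.0.31 10.241.12.0 0.0.0.31
! One crypto map with one entry per peer. The "DH Group" listed under Phase 2 is PFS.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.255.0.2
 set transform-set HR-TS
 set pfs group1
 set security-association lifetime seconds 86400
 match address HR-VPN
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 10.255.0.3
 set transform-set ADMIN-TS
 set pfs group2
 set security-association lifetime seconds 86400
 match address ADMIN-VPN
! Applied to the outside interface: the one the default route to 10.255.0.5 exits.
interface GigabitEthernet0/1
 crypto map VPN-MAP

! ===== R3: same parameters as R1's policy 10, ACL reversed, peer is R1 =====
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 28800
crypto isakmp key secrethrtunnel address 10.255.0.1
crypto ipsec transform-set HR-TS esp-3des esp-md5-hmac
ip access-list extended HR-VPN
 permit ip 10.8.49.0 0.0.0.255 192.168.234.0 0.0.0.255
 permit ip 10.8.49.0 0.0.0.255 192.168.57.128 0.0.0.15
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.255.0.1
 set transform-set HR-TS
 set pfs group1
 set security-association lifetime seconds 86400
 match address HR-VPN
interface GigabitEthernet0/1
 crypto map VPN-MAP
```

Nothing negotiates until interesting traffic flows, so start a ping from Laptop-1 to the HR server, then run show crypto isakmp sa on R1 (expect QM_IDLE for each peer) and show crypto ipsec sa (the #pkts encaps and #pkts encrypt counters must climb with each ping, as task 10 requires). The two crypto ACLs on R1 overlap on the source side (VLANs 20 and 30 appear in both) but differ in destination, so the sequence numbers of the map entries do not matter here; if a later lab made the destinations overlap, the lower sequence number would win and the second tunnel would never see that traffic.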

11. Write and apply an access-list that denies ping requests from any admin host connected to R3 to the HR server, and logs those attempts. Allow all other requests.

12. Write one or more access-lists that denies all traffic from WWW to HR, and also from HR to WWW. Log these requests. Allow all other traffic.
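Tasks 11 and 12 as an added example (my configuration, not the lab's). Task 11 is enforced where those hosts enter the network, inbound on R3's LAN interface (assumed GigabitEthernet0/0, 10.8.49.0/24); task 12 is enforced on R2, inbound on the VLAN 10 and VLAN 30 subinterfaces, so each direction is dropped before it is routed. ACL names are mine.

```cisco
! ===== R3: task 11 =====
! Drop only ICMP echo (ping requests) from R3's LAN to the HR server and log each hit.
! The explicit permit at the end is required: an ACL ends with an implicit deny.
ip access-list extended NO-PING-HR
 deny icmp 10.8.49.0 0.0.0.255 host 192.168.57.133 echo log
 permit ip any any
interface GigabitEthernet0/0
 ip access-group NO-PING-HR in

! ===== R2: task 12 =====
! WWW (VLAN 10) and HR (VLAN 30) may not exchange any IP traffic in either direction.
! Filtering inbound on the subinterface where each host's traffic enters R2 means
! neither host's packets cross the router at all, and neither can elicit a reply.
ip access-list extended BLOCK-WWW-TO-HR
 deny ip host 192.168.18.38 host 192.168.57.133 log
 permit ip any any
ip access-list extended BLOCK-HR-TO-WWW
 deny ip host 192.168.57.133 host 192.168.18.38 log
 permit ip any any
interface GigabitEthernet0/0.10
 ip access-group BLOCK-WWW-TO-HR in
interface GigabitEthernet0/0.30
 ip access-group BLOCK-HR-TO-WWW in
```

Verify with show access-lists on each router: the deny lines should show a match count after a blocked ping, and the log keyword produces a %SEC-6-IPACCESSLOGDP (ICMP) or %SEC-6-IPACCESSLOGP line on the console for logged hits. Because the task 11 ACL is applied inbound on R3's LAN side, it is evaluated before the crypto map on the outside interface, so the blocked pings never enter the tunnel and the encrypt counters on R3 stay flat for them; all other Laptop-1 traffic to VLANs 20 and 30 is still encrypted as before.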

Submission to Blackboard:

Run the following commands on R1, R3 and R4 after the steps above are completed and everything functions correctly. Copy and paste the CLI output to a text file and name the file something like cis467-vpn-lab-<router>-<last name>.txt:

- show crypto isakmp policy
- show crypto map
- show crypto isakmp sa
- show crypto ipsec sa

Save the text file generated above and submit it along with your PacketTracer file to the assignment module in Blackboard.

Troubleshooting:

VPNs can be difficult to troubleshoot. The logs from the routers often do not provide clear insight into the actual problem. Here are ways to narrow down the potential issue:

- The VPN-related crypto configuration commands are not available on the router:
  - Some routers within PacketTracer do not enable the securityk9 license by default. In the real world, this license would need to be purchased from Cisco. A trial license can be activated within PacketTracer.
  - To activate the license, run the following command on each router:

    Router(config)# license boot module c1900 technology-package securityk9

    Note that the exact license command may differ slightly based on the model of router you are using.
  - License activation in PT can be a bit buggy.
  - If the router does not return any output after running the command, try running the same command a second time. The license will not activate until the EULA is displayed and you accept the EULA.
  - If the EULA still does not show, run the following commands:

    ! Show that the current securityk9 license is disabled (last column)
    Router#show license feature
    Feature name    Enforcement    Evaluation    Subscription    Enabled
    ipbasek9        no             no            no              yes
    securityk9      yes            yes           no              no
    datak9          yes            no            no              no
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    ! Remove the disable command first.
    Router(config)#no license boot module c1900 technology-package securityk9 disable
    % use 'write' command to make license boot config take effect on next boot
    ! Enable the license.
    Router(config)#license boot module c1900 technology-package securityk9
    PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
    LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
    <snipped for brevity>
    Activation of the software command line interface will be evidence of
    your acceptance of this agreement.
    ! Be sure to accept by typing yes
    ACCEPT? [yes/no]: yes
    % use 'write' command to make license boot config take effect on next boot
    %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
    Router(config)#exit
    Router#
    ! Make sure you write your configuration to memory to make the license activate
    Router#write
    Building configuration...
    [OK]
    Router#reload
    Proceed with reload? [confirm]
    System Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
    <snipped router rebooting for brevity>
    Press RETURN to get started!
    Router>
    Router>en
    Router#show license feature
    Feature name    Enforcement    Evaluation    Subscription    Enabled
    ipbasek9        no             no            no              yes
    securityk9      yes            yes           no              yes
    datak9          yes            no            no              no

  - Your crypto VPN commands should now be available on the router when the license shows yes.

- VPN doesn't appear to even try to connect.
  - Ensure that your access-lists are correct for identifying interesting traffic specific to the VPN. The show crypto map command is an excellent way to ensure that the ACL your crypto map refers to covers your interesting traffic. Your ACL should list local networks (connected to that router) first, and remote networks as the destination. The other router would have the entries reversed. Keep in mind that ACLs use wildcard masks and not subnet masks in their definitions.

    Router#show crypto map
    Crypto Map VPN-MAP 100 ipsec-isakmp
      Peer = 172.26.18.9
      Extended IP access list VPN-TRAFFIC
        access-list VPN-TRAFFIC permit ip 192.168.1.0 0.0.0.255 10.14.2.0 0.0.0.255
      Current peer: 172.26.18.9
      Security association lifetime: 4608000 kilobytes/86400 seconds
      PFS (Y/N): N
      Transform sets={
        TRANSPORT,
      }
      Interfaces using crypto map VPN-MAP:

  - Ensure that your hosts are attempting to communicate with each other in a way that matches your access-lists for interesting traffic to the VPN. A generic host running ping -t <remote-ip> should be sufficient to send a constant amount of traffic through the VPN.
  - Ensure that your crypto map is applied to the right (outside) interface. It should be listed at the bottom of the show crypto map command, or you can see it configured within the interface configuration.

- The VPN attempts to connect, but does not succeed.
  - Make sure that the two routers can ping each other.
  - Ensure that the encryption, hashing, and authentication methods are exactly the same on both routers.
  - Ensure the pre-shared key matches on both routers, and that the address is for the outside IP of the peer router (show run | include crypto isakmp key).
  - Determine if the problem is with Phase 1 or Phase 2 of the VPN connection.
    - Run show crypto isakmp sa. Is the connection status set to QM_IDLE? If not, the issue is with the Phase 1 settings (crypto isakmp commands). See the first few bullets. If the status is QM_IDLE, then the problem is likely with the Phase 2 settings (crypto ipsec or crypto map commands).
    - Run show crypto ipsec sa and watch the #pkts encaps and #pkts encrypt counts to ensure they are rising while a ping is being sent between the hosts. If the #send errors counter is rising, there is likely an encryption setting mismatch.
  - When all else fails, debugging processes on the router can sometimes yield results. You can use the following debug commands to watch the VPN negotiation:
    - debug crypto isakmp
    - debug crypto ipsec
- When all else fails, please send your PKA file to the instructor and a description of the problem for further review.
