Use Vmware workstation 6.x image in Vmware server 1.09

Vmware workstation is a great product, you can capture the movie, which is very good for training, and you can setup multiple snapshots. I have a crack version of Vmware workstation 6.5.2 in my home computer (Forgive me, I don’t have much money in my pocket), however, you don’t want to run a crack software in your office’s computer, fortunately, Vmware server is free. I tried the Vmware server 2.0.1, to be honest, it sucks, I don’t like the web console, and the performance is really bad. The version 1.0.9 is good, it is neat and clean.

Now here is the problem: When I try to open the images that I created in my home computer using Vmware workstation 6.5.2, I get an error message: “Configuration file was created by a Vmware product with more features than this version”. Can we just modify the .vmx configuration file? I tried, but it didn’t work well, I got some error messages like: “Pipe connection has been broken.”

Ok, the answer is here, VMware vCenter Converter Standalone 4.0.1, you can download it from https://www.vmware.com/tryvmware/?p=converter, and it is free.

The functions of Vmware converter are very straight forward. You click the “Convert Machine” on the toolbar; select the source type, in my case, it is “Vmware workstation or other Vmware virtual machine”; select destination type “Vmware workstation or other Vmware virtual machine”, the product is “Vmware Server 1.x”; give a name and choose a location. You’re ready to go.

Windows 2003 server shutdown prompt

I have some Windows 2003 server virtual machines, I was tired by them keep asking me for a reason when I reboot them, I decide to disable this “shutdown event tracker”. However, you shouldn’t turn it off in production environment, since it is an important audit log.

1) Open “Group Police Object Editor”: Click “start”-> “Run...” enter “gpedit.msc”, click “ok”.

2) Expand “Computer Configuration” -> “Administrative Templates” -> “System”

3) Double click “Display Shutdown Event Tracker”, and disable it.

Now you can quickly shutdown or reboot your windows 2003 server.

Create a big size empty file

I was working with a MFT (Managed File Transfer) system recently. I need a big size file to test the transfer rate, and it would be good to create a file with specific sizes. After google it, I found a useful command in WinXp: fsutil – file system utility. The format of creating a specific size file is: fsutil file createnew .

Open a command line window: Click “start”-> “Run...” enter “cmd”, click “ok”.

I need a 3GB file, 3GB=3*1024 MB =3072*1024 KB =3145728 * 1024 BYTE=3221225472 BYTE

So the command is: fsutil file createnew test3g.txt 3221225472

Now you get a 3GB file in the current directory. The only thing I concern is, if you compress this file, it is only 200 Bytes, some transfer protocol may compress the file before the transfer, so it may affect the transfer rate. However, it is still a good practice.

Outlook 2003: Email attachment appears in the main body

After our Email server upgrade to Exchange 2007, I suddenly found my email attachment show up in the main body as an icon when I use outlook 2003. It used to appear in the attachment line under the subject line. It annoys me a little bit, yep, I agree, this format is useful in some cases, but I don't like it, I prefer the attachment is in its place and not mess up the layout. I look at the email, and find the Email format has been changed to "Rich Text", I remember it was "HTML". The setting should be in somewhere.

Yeap, I find it. Click menu "tools"->"options", click "Mail Format", in "Message format" section, select "HTML", apply it. now everything goes back.

PT5.1 for CCNA simulation lab

I was preparing CCNA exam, to practice the lab simulation questions, I used Packet Tracer 5.1 to simulate the questions. I integrated the questions, answers, and the explanation into a single pka file. With these pka files, you can practice the lab questions, verify your answers in real time, and check the explanation. I believe you’ll be more confident in your CCNA exam after practicing these labs.

You can download these pka files from:

1. CCNA Access List Sim (Updated from real CCNA exam on 07-March-2009): http://www.valit.ca/lab/ccna/ccna_access_list_sim.zip

2. CCNA Implementation SIM (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_implement_sim.zip

3. CCNA Drag and Drop SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_drag_drop_sim.zip

4. CCNA EIGRP LAB Question (Updated from real CCNA Exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_EIGRP_sim.zip

5. CCNA VTP SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_vtp_sim.zip

6. CCNA RIP Configuration SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_Rip_sim.zip

7. CCNA NAT SIM Question: http://www.valit.ca/lab/ccna/ccna_NAT_sim1.zip

Please use Packet Tracer 5.1. I am not sure if 5.0 can open these files.

Even you are not preparing CCNA, it is still good to practice these labs in order to enhance your network knowledge.

Enjoy! And if you have any questions related to the files, comment or send me an email.

Packet Tracer file for new CCNA Access List Sim

(Updated from real CCNA exam on 07-March-2009)

I copy this sim from http://9tut.com. And I created a Packet Tracer 5.1 pka file to verify the answers, because I was confused with question 3 (I am still confused now). You can download this pka file from here: http://www.valit.ca/lab/ccna_access_list_sim.zip. I hope it can help you to understand this sim. Please use Packet Tracer 5.1, the pka file seems not woking in version 5.0.

Question:

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U.
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 ...
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation:

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

interface Loopback1

 ip address 172.16.4.1 255.255.255.0

 no shutdown

!

interface Loopback2

 ip address 10.145.145.1 255.255.255.0

 ipv6 address 2001:410:2:3::/64 eui-64

 no shutdown

!

interface FastEthernet0/0

 ip address 10.4.4.3 255.255.255.0

 ip access-group 106 in

 duplex auto

 speed auto

 no shutdown

!

interface Serial0/0/0

 bandwidth 64

 no ip address

 ip access-group 102 out

 encapsulation frame-relay

 ip ospf authentication

 ip ospf authentication-key san-fran

 no shutdown

!

interface Serial0/0/0.1 point-to-point

 ip address 10.140.3.2 255.255.255.0

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 frame-relay interface-dlci 120

!

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 no shutdown

!

router eigrp 100

 network 10.0.0.0

 network 172.16.0.0

 network 192.168.2.0

 no auto-summary

!

router ospf 100

 log-adjacency-changes

 network 10.4.4.3 0.0.0.0 area 0

 network 10.45.45.1 0.0.0.0 area 0

 network 10.140.3.2 0.0.0.0 area 0

 network 192.168.2.62 0.0.0.0 area 0

!

router rip

 version 2

 network 10.0.0.0

 network 172.16.0.0

!

ip default-gateway 10.1.1.2

!

!

ip http server

no ip http secure-server

!

access-list 102 permit tcp any any eq ftp

access-list 102 permit tcp any any eq ftp-data

access-list 102 deny tcp any any eq telnet

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

 

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

access-list 106 permit tcp any any eq ftp

access-list 106 permit tcp any any eq ftp-data

access-list 106 deny tcp any any eq telnet

access-list 106 permit icmp any any echo-reply

 

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit tcp any any eq domain

access-list 110 permit tcp any eq domain any

access-list 110 permit tcp any any

 

access-list 114 permit ip 10.4.4.0 0.0.0.255 any

 

access-list 115 permit ip 0.0.0.0 255.255.255.0 any

 

access-list 122 deny tcp any any

access-list 122 deny icmp any any echo-reply

access-list 122 permit ip any any

!

 

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A - Correctly assign an IP address to interface fa0/1
B - Change the ip access-group command on fa0/0 from "in" to "out"
C - Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D - Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E - Remove access-group 106 in from interface fa0/0 and add access-group 104 in

 

Answer: E

 

Explanation:

Let's have a look at the access list 104:

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

The question does not ask about ftp traffic so we don't care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line "access-list 104 deny icmp any any echo-reply" will not affect our icmp traffic because the "echo-reply" message will be sent over the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A - Attempts to telnet to the router would fail
B - It would allow all traffic from the 10.4.4.0 network
C - IP traffic would be passed through the interface but TCP and UDP traffic would not
D - Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

 

Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A - No host could connect to Router through s0/0/1
B - Telnet and ping would work but routing updates would fail.
C - FTP, FTP-DATA, echo, and www would work but telnet would fail
D - Only traffic from the 10.4.4.0 network would pass through the interface

 

Answer: A

Explanation:

First let's see what was configured on interface S0/0/1:

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).

B is not correct because if telnet and ping can work then routing updates can, too.

D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

 

But here raise a question…

 

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

 

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

 

Please comment if you have any idea for this sim!

 

I am really confused with this question 3. 9tut is right, we can assign x.x.x.0 to a host, check the figure below:

 

I assigned 10.46.46.0 and 3.3.3.0 to 2 PCs, so “A - No host could connect to Router through s0/0/1” is incorrect; In PC 10.46.46.0 and 3.3.3.0, I can telnet and ping 10.45.45.1, I turn one of the routers off and then turn it on, the EIGRP routing updates seem no problem at all!

 

It seems none of the answers are correct. You can download the pka file and play around, if you find the right answer, please let me know.

Flood the MAC address table of a Switch

Lab Section: Switch

Lab Title: Flood the MAC address table of a Switch

Objective

In this lab exercise, we will complete the following tasks:

1. Use Ettercap to overflow the MAC address table of a Cisco switch 2950.

2. Use Wireshark to sniff the FTP password.

Background

Switches maintain a table of MAC addresses and associated switch port. When a switch receives a frame, the destination MAC address is checked against the table, and the corresponding port is used to route the frame out of the switch. If a switch does not know which port to route the frame, or the frame is a broadcast, then the frame is routed out all ports except the port where it originated.

Scenario

Your computer is connected to an uncontrolled switch. You want to sniff the traffic of the other computers that are connected with this switch. Because switch has a MAC address table to match the destination, you have to flood this table to force the switch broadcast every frame and work like a Hub.

Topology

This figure illustrates the lab network environment:

Preparation

Tools and Resources

In order to complete the lab, the following is required:

1. Ettercap0.7.3: http://sourceforge.net/projects/ettercap/

2. WireShark 1.05: http://www.wireshark.org/

3. Putty or HyperTerminal

Additional Materials

Visit the following website for more information on the objectives covered in this lab:

1. http://en.wikipedia.org/wiki/ARP_poisoning

2. http://en.wikipedia.org/wiki/Ettercap_(computing)

Procedure

1. Preparation: To start the FTP server and Telnet Server in Windows 2003 server and check the connection between these PCs.

1.1 In Server 192.168.10.9, open a command line window.

1.2 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.3 Enter “ping 192.168.10.10”, check the connection of other computer.

1.4 Enter “ping 192.168.10.11”, check the connection of other computer. Make sure they are all connected.

1.5 Open “Control Panel”-> “Administrative tools”-> “Services”, find out the Telnet service and start it.

1.6 Back to the “Administrative Tools”, open “Computer Management”, click “Local Users and Groups”.

1.7 Enter the “User” window, add 2 new users, one is “telnetuser”, another is “ftpuser”, you need to setup password, and uncheck the “user must change password at next logon” option (just for convenience, you’d better not uncheck this option in the reality environment).

1.8 Setup user “telnetuser” as one of the members of “TelnetClients” Group.

1.9 Return to “Administrative Tools” window. Run “Internet Information Services(IIS) Manager” to setup FTP server.

1.10 Right click “Default FTP Site”, choose “Properties”, uncheck “Allow anonymous connections”, apply for the change.

1.11 In Sniffer PC, open a command line window.

1.12 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.13 Run Wireshark, click Menu “Capture”-> “Interface”. Click “option” to open the capture options windows.

1.14 Setup the Capture Filter, we use “IP only” here. Click “Start”.

1.15 Wireshark start to capture packets, as you can see. Only the broadcast and the local packets can be received.

1.16 In User PC, open a command line window.

1.17 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.18 Ping 192.168.10.10, Wireshark will capture the ICMP traffic because Wireshark is running in 192.168.10.10.

1.19 Telnet 192.168.10.9, Wireshark won’t get any packets because the switch forwarded the packets to 192.168.10.9 directly.

1.20 Connect the switch to the User PC with console cable.

1.21 Run Putty and open the terminal window.

Swithch>Enable

Swithch>Show mac-address-table dynamic

Ok, the test environment is settled.

Click here to watch the video1: Preparation (http://www.valit.ca/lab/lab7/lab7_1.html)

2. Flood MAC-address table.

2.1 In Sniffer PC: let’s use another capture filter in Wireshark, because we only care the traffic of the server

2.2 In Wireshark, click menu “capture”->”Interface”, click “options”, then click “capture filter”, and choose “IP address 192.168.10.9”, you may change the IP address. Click “ok” and “Start”.

2.3 Run ettercap. Click menu “Sniff”-> “Unified sniffing”, select the network interface, click “OK”.

2.4 Click menu “Plugins”-> “Manager the Plugins”, select “rand_flood”. Click menu “Start”-> “Start sniffing”.

2.5 In User PC: Inside the Putty window, enter “Show mac-address-table dynamic”, we’ll be able to see a lot of fate mac address.

2.6 Open a command line window, enter “telnet 192.168.10.9”, enter username and password, connect to the telnet server.

2.7 In Sniffer PC (192.168.10.10): we’ll be able to see the telnet traffic between 192.168.10.9(server) and 192.168.10.11(user), because the mac-address table is full, the switch has to broadcast the packets.

2.8 In User PC: Open IE Browser, enter Ftp://192.168.10.9, enter username and password. Connect to the FTP server.

2.9 In Sniffer PC (192.168.10.10): we’ll be able to see the FTP traffic between 192.168.10.9(server) and 192.168.10.11(user).

2.10 Ettercap also can sniff the telnet and ftp password, but if you want to capture and analyst other traffics, Wireshark is the better choise.

Click here to watch the video2: overflow (http://www.valit.ca/lab/lab7/lab7_2.html)

PIX802, ASDM603 Configure Remote access VPN

Purpose:

1. Use GNS3 to simulate a Remote access VPN environment.

2. Practice to install ASDM 603 in PIX version 802

3. Install ASDM client and configure Remote access VPN.

4. Use Cisco VPN client to connect to inside network.

Tools:

1. Dynamips 0.2.8, http://www.ipflow.utc.fr/blog/

2. GNS3 V0.6, http://www.gns3.net/

3. Virtual PC Simulator 01.6a: http://wiki.freecode.com.cn/doku.php?id=wiki:vpcs

4. PuTTY 0.6: http://www.chiark.greenend.org.uk/~sgtatham/putty/

5. Battle Encoder Shirase (BES1.3.8): http://mion.faireal.net/BES/

6. PIX802.bin and ASDM603.bin.

7. Java 6 update 7 (Don’t use Java 6 update 10 or 11, it is incompatible with ASDM603. If you intent to use these versions, you have to chose higher ASDM version. Please refer to my Blog: http://jhuang8.blogspot.com/2009/01/cisco-asdm-unconnected-sockets-not.html)

Topological:

Requires:

1. Outside PCs use Cisco VPN client to connect to the Inside network.

2. Outside PCs IP range: 76.77.0.0/16.

3. Inside PCs IP range: 10.10.10.0/24

4. VPN IP Pool: 10.10.10.100 --- 10.10.10.200

5. Dns server is 208.67.222.222

6. The ranger of IP that can be distributed is 172.20.0.0/16

7. Outside network connect to e0 port of PIX firewall, Inside network connect to e1 interface. (Normally, e0 is for Outside, e1 is for Inside, and e2 is used for DMZ.)

8. We are going to use the real Pc to simulate the Outside PC, and use “Virtual PC Simulator” to simulate the Inside PC.

Procedure:

1. Install Microsoft Loopback virtual networking card. In order to install ASDM client and VPN client, we have to connect GNS3 to a real PC. It is good to install a virtual networking interface for this purpose, with this way, we don’t need to change the configuration of the real networking card which could cause some networking connection problems.

1.1 Open “control panel”-> “Add Hardware”

1.2 Follow the “Add Hardware Wizard”.

1.3 Select “Yes, I have already connected the hardware” in “Is the hardware connected” window.

1.4 In “hardware list” window, click “Add a new hardware device” on the bottom of the list.

1.5 Select “install the hardware that I manually select from a list”.

1.6 Select “ Network adapters”

1.7 Select “Microsoft Loopback Adapter”.

1.8 After some files are copied, we’ve done the installation.

1.9 Open “Network connections” window.

1.10 Change the Adapter name to “MS Loopback”

Click here to watch the video 1: Install MS Loopback adapter

2. If this is the first time that you are running GNS3, you need to do some settings:

2.1 GNS3 will open a “Setup wizard” window to guide you through the settings. Click the big “1” button, or you can click the menu “Edit”-> “Preferences” to open the same window.

2.2 In “General” window, Setup the “Terminal command”, Project directory and IOS/PIX directory.

2.3 In “Dynamips” window, setup the “working directory”, then click “test” button to check if Dynamips works.

2.4 In “Pemu” window, setup the “working directory”, the pix image location, key and serial number.

2.5 Click the big “2” button to setup the IOS images, or you can click the menu “Edit” -> “IOS images and hypervisors” to open the same window.

2.6 Setup the image file, platform, model, default RAM for each router. You can check the default RAM value from Cisco website.

2.7 Setup the router Idle value to reduce the CPU usage. Draw the router icon to the topologic panel

2.8 Right click the icon, click “start” to start the router.

2.9 Right click the icon again, and click “console”, a Putty window will open up.

2.10 Press enter until the “>” prompt appears, if there is a question:” Would you like to enter the initial configuration dialog?” answer “no”.

2.11 Right click the icon again and click “Idle PC”, and select an idle pc value from the pop up window, choose one of the values with an asterisk.

2.12 Calculate other routers’ Idle PC value.

Click here to watch the video 2: Configure GNS3

3. Create the topological graph in GNS3. In order to draw this topological graph, we need to add 3 symbols.

3.1 Run virtual PC simulator. Double click “vpcs.exe”, it will open a command line window. Wait until the “VPSC 1>” prompt appears. It is better to run vpcs before running GNS3.

3.2 Run GNS3, click the menu “Edit”-> “Symbol Manager”, add 3 symbols:

Symbol	Name	Type
Computer	Computer	Cloud
Cloud	Internet	Ethernet switch
Server	Server	cloud

Click “ok” to exit “Symbol Manager”

3.3 Draw the Icons to topological panel, put notes for every icon (refer to the topologic graph).

3.4 Setup “OutsidePC” using MS loopback adapter.

3.5 Setup “InsidePC” using vpc

3.6 Connect the equipments, remember in PIX, e0 is usually for outside network, e1 for inside network.

3.7 Add notes for the connection.

3.8 Save the topologic design.

Click here to watch the video 3: Create topological graph.

4. Configure the outside and inside network:

4.1 Run “Windows Task Manager” to monitor the CPU usage.

4.2 Run BES1.3.8

4.3 Right click the Firewall Icon “FW0”, choose “start”.

4.4 Right click Icon “FW0” again, and choose “console”, a Putty window pops up.

4.5 Wait until the firewall initializing finished, the “>” prompt appears.

4.6 The CPU usage rise to 100%, we need to limit it. Open BES window, click “Target” button, choose “pemu.exe” process, click “Limit/Watch”, click “Yes” to confirm. Click “Control” button, choose a percentage. For this example, I choose -50%

4.7 Back to Putty window.

4.8 Enter commands in PIX CLI:

pixfirewall> en

Password:

pixfirewall# show version

4.9 Check the “show version” output, if the VPN-DES and VPN-3DES-AES” are disabled, “ac ” command should be run to activate this function. And because GNS3 doesn’t support “reload” command, we have to right click the FW0 icon, choose “stop” to turn off the firewall, and then right click it again, choose “start” to boot up the firewall.

4.10 Use “show version” command again, now the VPN-DES feature should be enabled.

4.11 Configure outside connection IP address and network zone.

pixfirewall# show ip address

pixfirewall# show interface ip brief

pixfirewall# conf t

pixfirewall(config)# interface e0

pixfirewall(config-if)# ip address 76.77.78.1 255.255.0.0

pixfirewall(config-if)# nameif outside

pixfirewall(config-if)# security-level 0

pixfirewall(config-if)# speed 100

pixfirewall(config-if)# duplex full

pixfirewall(config-if)# no shut

pixfirewall(config-if)# show run

4.12 Minimize the GNS3 window. Open the “Network Connections” window, Right click the MS Loopback Adapter Icon, click “Properties” to open the Adapter’s properties window; In “General” tab, select “Internet Protocol(TCP/IP), click “Properties” button. Change the IP settings: IP address: 76.77.78.79, Subnet mask: 255.255.0.0, Default gateway: 76.77.78.1. Click “ok” to exit the setting.

4.13 Click “Start” -> “Run”-> “cmd”, open a command line windows,

> ipconfig ;Verify the MS Loopback adapter IP address

> ping 76.77.78.1 ; Check the connection between the outside pc and firewall.

4.14 Return to GNS3, Putty window:

pixfirewall(config-if)# ping 76.77.78.79

;Check the connection between the outside pc and firewall.

pixfirewall(config-if)# exit

4.15 Configure the inside zone:

pixfirewall(config)# interface e1

pixfirewall(config-if)# nameif inside

pixfirewall(config-if)# security-level 100

pixfirewall(config-if)# speed 100

pixfirewall(config-if)# duplex full

pixfirewall(config-if)# no shut

pixfirewall(config-if)# ip address 10.10.10.1 255.255.255.0

pixfirewall(config-if)# show ip address

pixfirewall(config-if)# show interface ip brief

4.16 Minimize the GNS3 window, active the vpcs window,

VPCS 1>show ip address

VPCS 1> ip 10.10.10.11 10.10.10.1 24

VPCS 1> ping 10.10.10.1 ; Check the connection between the inside pc and firewall.

4.17 Return to GNS3, Putty window:

pixfirewall(config-if)# ping 10.0.1.11 ; Check the connection between the inside pc and firewall.

pixfirewall(config-if)# wr ;Save the configuration

Click here to watch the video 4: Configure ip address and network zone.

5. Upload ASDM803.bin to flash.

5.1 pixfirewall(config-if)# end

pixfirewall# show flash

If you couldn’t find “asdm-603.bin” in the flash files list, you need to upload the file from tftp server

5.2 Run SolarWinds TFTP Server, click the menu “File”-> “Configure”. In “General” tab, select the bin file directory in “Storage” section. Click “Security” tab, make sure “Send and Receive files” option is selected. Back to “General” tab, Click “Start”.

5.3 Back to Putty window.

pixfirewall# copy tftp://76.77.78.79/asdm-603.bin flash:

pixfirewall# show flash ;Check if the bin file has already been uploaded

5.4 Enable the http server

pixfirewall# conf t

pixfirewall(config)# http server enable

pixfirewall(config)# http 10.10.10.0 255.255.255.0 inside

pixfirewall(config)# http 76.77.0.0 255.255.0.0 outside

pixfirewall(config)# asdm image flash:asdm-603.bin

pixfirewall(config)# asdm history enable

pixfirewall(config)# username cisco password test1234 privilege 15

pixfirewall(config)# ping 76.77.78.79

pixfirewall(config)# end

pixfirewall# wr

Click here to watch the video: 5. Upload ASDM803.bin to flash

6. Install ASDM.

6.1 pixfirewall# show run ;Double check the settings

6.2 Run IE browser, enter the address: https://76.77.78.1

6.3 Click “Continue to this website”

6.4 Click “Install ASDM Launcher and Run ASDM

6.5 Enter username and password

6.6 Click “Run” button to install ASDM

6.7 When the ASDM Launcher window pops up, enter the ip address, username and password.

6.8 If there is a warning message: “The web site’s certificate cannot be verified. Do you want to continue?” Choose “Always trust content from this publisher.” Click “Yes” to continue.

6.9 Now you will be able to see the main window of ASDM

Click here to watch the video 6: Install ASDM

7. Use “IPsec VPN Wizard” to setup Remote access VPN

7.1 Click the menu “Wizards”-> “IPsec VPN Wizard”

7.2 Choose “Remote Access”.

7.3 Choose “Cisco VPN Client”

7.4 Enter the Pre-Shared Key and Group name

7.5 Choose “Authenticate using the local user database”

7.6 Add some username and password

7.7 Create IP Pool: start from 10.10.10.100, end with 10.10.10.200, subnet mask is 255.255.255.0

7.8 Enter default Domain name (optional)

7.9 Choose 3des and SHA as the encryption and authentication algorithm

7.10 NAT setting

7.11 Click “finish” button, return to main window

7.12 Click “save” button to save the current configuration

Click here to watch the video 7: IPsec VPN Wizard

8. Connect VPN with Cisco VPN Client

8.1 Run Cisco VPN Client.

8.2 Click “New” button to define a new VPN connection

8.3 Enter the host ip, group name, password etc.

8.4 Click “save” button.

8.5 Double click the VPN connection that you just defined

8.6 Enter username and password

8.7 In ASDM window, you could see that there is one VPN connection.

8.8 Right click the VPN icon that located on the system tray (the right down side of the screen), choose “Statistics”, you’ll be able to see the Tunnel Details and Route Details.

8.9 Open a command line window, enter “ipconfig” to check the ip address. You’ll be able to see the ip address of the VPN adapter is 10.10.10.100.

Click here to watch the video 8: Cisco VPN Client

Congratulations! You’ve done everything!

= = = = ================================================================

Video List:

1. Click here to watch the video 1: Install MS Loopback adapter

2. Click here to watch the video 2: Configure GNS3

3. Click here to watch the video 3: Create topological graph.

4. Click here to watch the video 4: Configure ip address and network zone.

5. Click here to watch the video: 5. Upload ASDM803.bin to flash

6. Click here to watch the video 6: Install ASDM

7. Click here to watch the video 7: IPsec VPN Wizard

8. Click here to watch the video 8: Cisco VPN Client