VPN Exercise on Cisco PIX firewalls
Note: Please finish the NMAP exercise first,
before proceeding with VPN configuration, because the VPN exercise may affect the Nmap
this Lab Exercise
After this lab exercise the students should be able to configure a Cisco PIX
firewall to establish a VPN between two subnets. It is intended to give the
students hands-on experience in configuring a VPN on PIX boxes.
A firewall is a tool used to prevent unauthorized access between two or more
networks. A typical use for a VPN is to transparently secure communication
between two networks in different geographical locations. For example, a
corporation with more than one office may wish to link its offices together
with a VPN. Computers at both offices can communicate as if they were in the
same building. In addition, that communication is encrypted: an intermediate
party can still capture the packets, but cannot read their contents. PIX is
Cisco's firewall appliance; it runs a proprietary operating system called
Cisco PIX OS.
KNOPPIX is a bootable CD with a collection of
GNU/Linux software, automatic
hardware detection, and support for many graphics cards, sound cards, SCSI and
USB devices and other peripherals. KNOPPIX can be used as a Linux demo,
educational CD, rescue system, or adapted and used as a platform for commercial
software product demos. It is not necessary to install anything on a hard disk.
All the hosts are booted with Knoppix from a CD-ROM, so DO NOT EJECT THE
CD-ROM while working on your lab exercise. On Knoppix, if you need root
privileges, use "su -" at the Knoppix prompt.
Topology of Virtual LAN
Each team is assigned a pod. The pod components we will use are three hosts
(H1, H2 and R), two PIX firewalls (pix1 and pix2) and a hub. In the lab
exercise the students are required to establish an IPSec VPN between two hosts
(H1 & H2). Each host is connected to a PIX box which in turn is connected to a
common hub. The topology consists of a third host (R), connected to the hub,
that acts as a sniffer to test the VPN configuration. Make sure you clearly
understand the topology of this virtual LAN by identifying each of the hosts
and the PIX boxes. However, do not unplug any of the cables used to
interconnect this LAN.
this LAN. You should be using the KVM (the box with numbers 1, 2, 3 & 4
marked and a green light on a number indicates the current display) for
switching between H1, H2 and R displays.
When you start the exercise, Network Address Translation (NAT) reflecting the
above topology will already have been configured on all the hosts and the PIX
boxes.
1: Check the NAT configuration
Switch to H1, open a terminal window (right click and then choose the ATerm
option) and try "ifconfig" at the terminal prompt to check the IP address of
H1. Use the "route" command to check that 192.168.1.1 is configured as the
default gateway for H1.
Repeat the above two steps on H2 also.
Now switch to R and start the Apache server (right click and then choose
Servers -> Apache -> Start). Try "netstat -tan" in a terminal window (right
click and then choose the ATerm option) and make sure port 80 is in LISTEN
state for HTTP requests.
Start Ethereal on R (right click and then select Sniffers -> Ethereal).
Ethereal is a GUI based tool used to sniff the packets flowing in a network.
In the Ethereal tool choose Capture -> Start. In the window that pops up,
check both the options under the "Display Options" section. Now Ethereal is
ready to capture packets.
Switch back to H1 and then open a web browser (right click and then select
Internet -> Mozilla Firebird). Try http://10.0.0.3 in the browser window and
switch back to R to notice the HTTP packets sent in clear text between H1 and
R. Similarly switch back to H2, open a web browser and try http://10.0.0.3.
Again switch back to R and notice the plain text HTTP packets flowing between
H2 and R.
On R, select the Stop option in the Ethereal Capture window. Now save this
(using File -> Save As) into a file called "TeamNumber_Unencrypted.txt".
This is one of the deliverables to be submitted for grading.
Question (5 points): If you start an Apache server on H2 and try to
connect to it from H1 (using http://192.168.2.2), what output do you get?
Will you be able to establish an HTTP connection? If not, why?
2: VPN Configuration
(Please note: the IP addresses used in the figures listed below are for a
different VPN topology, so make sure to use the IP addresses and other
configuration details indicated in the description above each figure.)
If the PIX Device Manager browser window is already open (mostly this is the
case) then skip the next step. Do not close the Cisco PIX browser window at
any point during your exercise: you will lose all the configuration
information, and it would take a couple of hours for the TA to set it up
again.
On H1 open a web browser (right click and then select Internet -> Mozilla
Firebird) and type https://192.168.1.1 (make sure it is https:// and not
http://). Your PIX is already configured to allow H1 to access the PDM (PIX
Device Manager) on its inside interface. If your browser blocks pop-ups, be
sure to unblock the PIX's inside address (192.168.1.1) so that it can
successfully open the PDM (unblocking can be done by clicking on the blue
exclamation symbol in the lower left corner of the browser window).
When prompted for a username and password, leave both the username and
password fields blank (blank PDM credentials are acceptable only on this
isolated lab network; a production PIX should have an enable password and,
ideally, per-user accounts). You will be taken through a series of pop-up
windows; make sure you select "Always", "OK" and "Next" as appropriate on
these pop-up windows. You may need to hit the refresh button on the browser
if you do not see a pop-up window after 2-3 min (be patient and wait for the
pop-up windows before hitting the refresh button). Do not close the Cisco PIX
browser window throughout your exercise; you will lose all the configuration
information if you do so. Once logged in you should see a screen similar to
the following
Click on Configuration and then go to the VPN tab. Delete any rules that you
see here. If there are rules here, you may need to go to the Tunnel Policy
item in the tree on the left of the image and delete the policy(ies) first.
Then return to this screen.
Start the VPN Wizard by clicking on the Wizards menu at the top of the
window. You are now working with pix1, but you are required to use the same
steps to configure the VPN on the other site (pix2) too. Once you have
started the VPN wizard I strongly recommend that you synchronize your steps
closely with pix2, which will act as the other side of your VPN tunnel.
Switching to the pix2 display can be done easily using the KVM (the box with
numbers 1, 2, 3 & 4 marked; a green light on a number indicates the current
display). If you have different settings on one side (peer address,
pre-shared key, IKE policy or transform set), it is very likely that the VPN
will not function as expected, so synchronize your steps on pix1 and pix2 by
switching back and forth between the two firewalls using the KVM.
In the following screen select "Site to Site VPN" and the
outside interface, then click Next
On pix1 enter 10.0.0.2, the IP address of the outside interface of the PIX at
the other "site", as the Peer IP address (on pix2 enter 10.0.0.1), then enter
the pre-shared key used to authenticate the two peers (pick any simple
combination of readable characters for this lab, write it down separately and
use the SAME key when setting up the pre-shared key on pix2; outside the lab a
pre-shared key should be long and random, since anyone who knows it can
authenticate as a peer). Refer to the image at the top of this page to make
sure you have the correct IP for the other pod's PIX. Click Next.
Here you will specify an IKE policy. However, due to the restricted
encryption licenses our PIX boxes are limited to single DES encryption, so
leave these settings at their defaults. Click Next without any changes.
(Single DES has a 56-bit key and is considered broken; it is used here only
because of the lab license. A production tunnel should use 3DES or AES.)
Here you will specify a transform set. Again our licenses are restricted, so
leave these settings at their defaults. Click Next without any changes.
Here you will tell your PIX which IP addresses at your site have access to
the VPN. Select the inside interface and enter the IP address and subnet for
your network. On pix1 specify 192.168.1.0 and on pix2 specify 192.168.2.0 as
the inside network. Click on the select (>>) button to add the entered
address. Click Next.
On the following page you will tell your Pix which IP addresses belong to the
other site. Select your outside interface and enter the IP address and
netmask for the inside of the other site. This would be 192.168.2.0 with
netmask 255.255.255.0 on pix1 and 192.168.1.0 and netmask 255.255.255.0 on
pix2. However, when you try to add the
network the Pix will complain that it does not know about this network. You
want to add this network, so click OK
The defaults should be fine at this step. You don't need to give a name
because one will be supplied automatically. Click Next.
At this point if you get a popup asking you to enter the Static Route
information, then make sure you select "outside" interface, with IP address =
192.168.2.2 and Gateway = 10.0.0.2 on pix1 (IP address = 192.168.1.2 and
Gateway = 10.0.0.1 on pix2) and leave the metric value to be "1".
Make sure that the newly added network appears in the "Selected" list on the
right of the window. Click Finish
Here you should see the new VPN rule that the wizard created for you. It
should resemble the image below
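The wizard hides the configuration it generates, and the steps above stress that pix1 and pix2 must mirror each other. The following Python script is an added example for this handout, not the PDM wizard's own output: it renders the PIX 6.x-style commands a site-to-site tunnel with these lab addresses would need on each side (the command syntax is quoted from memory, so treat it as approximate) and checks that the two sides are mirror images before anything is typed into a PIX. The object names pix1_vpn, pix1_map, pix1_ts and the key "labkey" are made up for the example.

```python
"""Render the PIX 6.x-style commands for each side of the lab's site-to-site
tunnel and check that the two sides mirror each other.  Added example for this
handout, not the PDM wizard's own output; command syntax is from memory and
the object names are made up."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Site:
    name: str
    outside_ip: str        # this PIX's outside interface address
    inside_net: str        # network behind this PIX (CIDR)
    peer_ip: str           # outside address of the other PIX
    remote_net: str        # network behind the other PIX (CIDR)
    psk: str               # pre-shared key typed into the wizard (made up here)
    encryption: str = "des"   # lab license allows single DES only
    hash_alg: str = "sha"
    dh_group: int = 1


def _net_mask(cidr):
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def render(site):
    """PIX commands for one side (assumed PIX 6.x syntax, names made up)."""
    acl, cmap, ts = f"{site.name}_vpn", f"{site.name}_map", f"{site.name}_ts"
    return [
        # crypto ACL: which inside->remote traffic is "interesting" to IPsec
        f"access-list {acl} permit ip {_net_mask(site.inside_net)} {_net_mask(site.remote_net)}",
        # exempt that traffic from NAT, or the source would be translated to the
        # outside address and never match the crypto ACL
        f"nat (inside) 0 access-list {acl}",
        "sysopt connection permit-ipsec",
        f"crypto ipsec transform-set {ts} esp-{site.encryption} esp-{site.hash_alg}-hmac",
        f"crypto map {cmap} 10 ipsec-isakmp",
        f"crypto map {cmap} 10 match address {acl}",
        f"crypto map {cmap} 10 set peer {site.peer_ip}",
        f"crypto map {cmap} 10 set transform-set {ts}",
        f"crypto map {cmap} interface outside",
        "isakmp enable outside",
        f"isakmp key {site.psk} address {site.peer_ip} netmask 255.255.255.255",
        "isakmp policy 10 authentication pre-share",
        f"isakmp policy 10 encryption {site.encryption}",
        f"isakmp policy 10 hash {site.hash_alg}",
        f"isakmp policy 10 group {site.dh_group}",
    ]


def mismatches(a, b):
    """Reasons the two sides would fail to negotiate a tunnel (empty = consistent)."""
    net = ipaddress.ip_network
    problems = []
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        problems.append("peer address does not point at the other side's outside interface")
    if net(a.remote_net) != net(b.inside_net) or net(b.remote_net) != net(a.inside_net):
        problems.append("crypto ACL networks are not mirror images")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if (a.encryption, a.hash_alg, a.dh_group) != (b.encryption, b.hash_alg, b.dh_group):
        problems.append("IKE policy or transform set differs")
    return problems


# Lab addresses from the handout; the key "labkey" is made up
PIX1 = Site("pix1", "10.0.0.1", "192.168.1.0/24", "10.0.0.2", "192.168.2.0/24", "labkey")
PIX2 = Site("pix2", "10.0.0.2", "192.168.2.0/24", "10.0.0.1", "192.168.1.0/24", "labkey")

if __name__ == "__main__":
    for s in (PIX1, PIX2):
        print(f"! {s.name}")
        print("\n".join(render(s)))
    print("mismatches:", mismatches(PIX1, PIX2) or "none")
```

The mismatch check captures the four things that most often break a site-to-site tunnel when two people configure the ends separately: a peer address that is not the other side's outside interface, crypto ACLs that are not exact mirrors, different pre-shared keys, and IKE/transform parameters that do not agree. The `nat (inside) 0` line is also the reason the HTTP connection in question 1 behaves differently before and after the VPN exists.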
Hurray! You have set up a VPN tunnel between H1 and H2 now. Let's do some testing...
Start the Ethereal sniffer (refer above for how to start Ethereal) on R and
then select Capture -> Start.
Start an Apache server (right click and then select Servers -> Apache ->
Start) on both H1 and H2.
You should now be able to connect to H1 from H2 (by trying
http://192.168.1.2 on H2’s browser) and connect to H2 from H1 (by
http://192.168.2.2 on H1’s browser).
Sniffing at any point between the sites should yield only encrypted traffic:
ESP packets between the two PIX outside addresses (10.0.0.1 and 10.0.0.2)
whose payload looks like random hex data, plus the IKE (ISAKMP, UDP port 500)
exchange that set the tunnel up. Neither the HTTP requests nor the inside
addresses 192.168.1.2 and 192.168.2.2 are visible in clear text. This can be
observed in the Ethereal window on the sniffer. Now stop the packet capture
(select Capture -> Stop) and then save it into a file called
"TeamNumber_Encrypted.txt". This is also required as a deliverable of this
lab exercise.
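To confirm mechanically, rather than by eye, that only encrypted traffic crosses between the sites, the following Python script (an added example, not part of the original lab, and independent of Ethereal's save format) parses raw Ethernet/IPv4 frames and classifies each one as clear-text HTTP, IKE or ESP. The three sample frames are constructed inline: the first stands for H1's pre-VPN request to R as it would appear after pix1 translates the source to its outside address 10.0.0.1 (that translated address is an assumption about the lab's NAT), the other two for the IKE and ESP packets of the tunnel, with a byte ramp in place of real ciphertext.

```python
"""Classify sniffer frames as clear-text HTTP, IKE (ISAKMP) or ESP.  Added
example for this handout, not part of the original lab; it parses raw
Ethernet/IPv4 bytes, and the sample frames are constructed inline."""
import struct

ETH_IPV4, PROTO_TCP, PROTO_UDP, PROTO_ESP = 0x0800, 6, 17, 50


def _ip_header(src, dst, proto, payload_len):
    """20-byte IPv4 header with a valid checksum (constructed data)."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip(src), ip(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


def _frame(src, dst, proto, l4):
    """Ethernet II frame with zeroed MACs around an IPv4 packet."""
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + _ip_header(src, dst, proto, len(l4)) + l4


def tcp_segment(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(frame):
    """Return (kind, detail); kind is one of http-clear, isakmp, esp, other."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return ("other", "not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])        # only SPI/sequence are readable
        return ("esp", f"{src}->{dst} spi=0x{spi:08x} seq={seq}")
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        if 500 in (sport, dport):
            return ("isakmp", f"{src}->{dst} IKE negotiation")
    if proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data = l4[(l4[12] >> 4) * 4:]                  # skip the TCP header
        if 80 in (sport, dport) and data:
            request_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
            return ("http-clear", f"{src}->{dst} {request_line}")
    return ("other", f"{src}->{dst} proto={proto}")


def summarize(frames):
    """Count frames per kind, e.g. {'http-clear': 1, 'isakmp': 1, 'esp': 1}."""
    counts = {}
    for f in frames:
        kind = classify(f)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample capture (not taken from the lab):
CAPTURE = [
    # H1's request to R before the VPN; source already translated by pix1 to its
    # outside address (assumption about the lab's NAT), payload fully readable
    _frame("10.0.0.1", "10.0.0.3", PROTO_TCP,
           tcp_segment(33000, 80, b"GET / HTTP/1.0\r\nHost: 10.0.0.3\r\n\r\n")),
    # IKE phase-1 exchange between the two PIX outside interfaces (header only)
    _frame("10.0.0.1", "10.0.0.2", PROTO_UDP, udp_datagram(500, 500, b"\x00" * 28)),
    # ESP packet carrying the H1->H2 HTTP traffic; a byte ramp stands in for ciphertext
    _frame("10.0.0.1", "10.0.0.2", PROTO_ESP,
           struct.pack("!II", 0x3A1B2C3D, 1) + bytes(range(7, 71))),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(*classify(f))
    print(summarize(CAPTURE))
```

With a real capture, feed the frames from the saved file through a pcap reader and check that summarize() reports no http-clear entries between 10.0.0.1 and 10.0.0.2; the equivalent Ethereal display filter for the tunnel traffic is `esp || isakmp`. Note that an ESP packet still exposes the outer addresses, the SPI and a sequence number, which is exactly what R can read and nothing more.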
Question (5 points): Why is R able to capture encrypted packets flowing in
the VPN tunnel between H1 and H2? What happens if you try opening an HTTP
connection H1 -> R or H2 -> R after establishing the VPN between H1 and H2?
6. Submission Requirement
Since student teams can work in the networking lab at any time in the allotted
week, the TA may not be available to grade the result directly. To prove that
you successfully completed the exercise, you are required to submit the
following three files through the wolfware submit locker
(http://submit.ncsu.edu):
1) TeamNumber_Unencrypted.txt (10 points)
2) TeamNumber_Encrypted.txt (10 points)
3) A MS Word or text file with brief explanations to the above
two questions (5 points each)
You will not be able to access Internet from your pod hosts, so you need to take
a floppy disk with you to the networking lab, and you can copy the files into a
floppy disk using the following commands (Do not try using USB memory sticks or
any other storage device):
$ mcopy TeamNumber_Unencrypted.txt a:
$ mcopy TeamNumber_Encrypted.txt a:
Thanks to Chris Bookholt and Mahrn Fullmer for helping the
course TA setup this lab exercise