CSC474 Lab

VPN Exercise on Cisco PIX firewalls

Note: Please finish the Nmap exercise first, before proceeding with the VPN configuration, because the VPN exercise may affect the Nmap output.

1.     Goal of this Lab Exercise


After this lab exercise the students should be able to configure Cisco PIX firewalls to establish an IPsec VPN between two subnets. It is intended to give the students hands-on experience configuring a VPN on PIX boxes.


2.     Introduction


A firewall is a device used to control access between two or more networks. A virtual private network (VPN) carries traffic between two networks across an untrusted network inside an authenticated, encrypted tunnel. A typical use for a VPN is to transparently secure communication between two networks in different geographical locations. For example, a corporation with more than one office may wish to link its offices together with a VPN; computers at both offices can then communicate as if they were in the same building. Because that communication is encrypted, an intermediate party can still capture the packets but cannot read their contents. PIX is Cisco's firewall product line; it runs a proprietary operating system called Cisco PIX OS.


KNOPPIX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. All the lab hosts are booted from the Knoppix CD-ROM, so DO NOT EJECT THE CD-ROM while working on your lab exercise. On Knoppix, if you need root privileges, use "su -" at the Knoppix prompt.


3.     Topology of Virtual LAN



Each team is assigned a pod: three hosts (H1, H2 and R), two PIX firewalls and a hub. In this exercise you will establish an IPsec VPN between H1 and H2. H1 and H2 are each connected to their own PIX box, and both PIX boxes are connected to the common hub. The third host, R, is connected directly to the hub and acts as a sniffer for testing the VPN configuration; because a hub repeats every frame to all of its ports, R sees all traffic passing between the two PIX boxes. Make sure you clearly understand the topology of this virtual LAN by identifying each of the hosts and the PIX boxes, but do not unplug any of the cables used to interconnect it. Use the KVM switch (the box marked 1, 2, 3 and 4; the green light on a number indicates the display currently selected) to switch between the H1, H2 and R displays.


When you start the exercise, Network Address Translation (NAT) reflecting the above topology has already been configured on all the hosts and the PIX boxes.


4.     Phase 1: Check the NAT configuration



Question (5 points): If you start an Apache server on H2 and try to connect to it from H1 (using then what output do you get? Will you be able to establish an HTTP connection? If not, why?


5.     Phase 2: VPN Configuration


    (Please note: the IP addresses used in the figures below are for a different VPN topology, so make sure to use the IP addresses and other configuration details indicated in the description above each figure.)
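The figures carrying the PIX configuration are not reproduced on this page. As an added illustration, and not the lab's own figures, the following is a minimal PIX 6.x site-to-site IPsec configuration for the firewall in front of H1, followed by the lines that differ on the firewall in front of H2. Every address, host name, access-list name and the pre-shared key is a hypothetical placeholder; substitute the values given in the description above each figure. Lines beginning with `!` are comments, and the H2-side lines are shown as comments so the block can be pasted as-is into the H1-side PIX.

```cisco
! Firewall in front of H1 (call it pix-h1). Hypothetical addressing:
!   outside (hub side)  192.168.1.1/24     peer pix-h2 outside: 192.168.1.2
!   inside  (H1 side)   10.1.1.1/24        H1: 10.1.1.10
!   inside subnet behind pix-h2:           10.2.2.0/24 (H2: 10.2.2.10)
hostname pix-h1
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Pre-existing NAT from Phase 1: inside hosts are hidden behind the outside address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! Step 1: define the "interesting" traffic that must go through the tunnel.
! The peer's access-list must be the exact mirror image of this one.
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Step 2: exempt tunnel traffic from NAT (nat 0). Without this the inner
! addresses are translated before encryption and the peer's selector rejects them.
nat (inside) 0 access-list vpn-traffic

! Step 3: IKE phase 1 (ISAKMP) policy; the pre-shared key is bound to the peer address.
isakmp enable outside
isakmp identity address
isakmp key S3cretLabK3y address 192.168.1.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Step 4: IKE phase 2 (IPsec) proposal: ESP with 3DES encryption and SHA-1 HMAC
crypto ipsec transform-set lab-esp esp-3des esp-sha-hmac

! Step 5: crypto map tying selector, peer and proposal together, applied to outside
crypto map lab-vpn 10 ipsec-isakmp
crypto map lab-vpn 10 match address vpn-traffic
crypto map lab-vpn 10 set peer 192.168.1.2
crypto map lab-vpn 10 set transform-set lab-esp
crypto map lab-vpn interface outside

! Step 6: let traffic arriving through the tunnel bypass the interface access rules
sysopt connection permit-ipsec

! ---- Firewall in front of H2 (pix-h2): same configuration with the roles swapped ----
! hostname pix-h2
! ip address outside 192.168.1.2 255.255.255.0
! ip address inside 10.2.2.1 255.255.255.0
! nat (inside) 1 10.2.2.0 255.255.255.0
! access-list vpn-traffic permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! isakmp key S3cretLabK3y address 192.168.1.1 netmask 255.255.255.255
! crypto map lab-vpn 10 set peer 192.168.1.1
! (all other lines identical to pix-h1)
```

The tunnel is only negotiated when a packet matching the crypto access-list is sent, so open a browser connection from H1 to H2 before checking. `show crypto isakmp sa` should then show the peer in state QM_IDLE, and `show crypto ipsec sa` should show the encrypt/decrypt packet counters increasing. The two most common mistakes are a crypto access-list that is not an exact mirror of the peer's, and a missing or mismatched `nat (inside) 0` exemption, which lets the Phase 1 NAT translation happen before encryption.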

        Hurray! You have now set up a VPN tunnel between H1 and H2. Let's do some testing...

    1. Start the Ethereal sniffer on R (refer above for how to start Ethereal) and then select "Start" from the "Capture" menu.
    2. Start an Apache server (right-click, then select Server → Apache → Start) on both H1 and H2.
    3. You should now be able to connect to H1 from H2 (using H2's browser) and to H2 from H1 (using H1's browser).
    4. Sniffing at any point between the sites should yield only encrypted traffic: IPsec ESP packets whose payload Ethereal cannot decode and shows as opaque hex bytes. Observe this in the Ethereal window on the sniffer. Now stop the packet capture (select Capture → Stop) and save it to a file called "TeamNumber_Encrypted.txt". This file is also a required deliverable for this lab exercise.

      Question (5 points): Why is R able to capture the encrypted packets flowing in the VPN tunnel between H1 and H2? What happens if you try opening an HTTP connection from H1 to R or from H2 to R after establishing the VPN between H1 and H2?

6. Submission Requirement


Since student teams can work in the networking lab at any time during the allotted week, the TA may not be available to grade the result directly. To prove that you successfully completed the exercise, you are required to submit the following three files through the wolfware submit locker (


1)      TeamNumber_Unencrypted.txt (10 points)

2)      TeamNumber_Encrypted.txt (10 points)

3)      An MS Word or plain-text file with brief explanations for the above two questions (5 points each)


You will not be able to access the Internet from your pod hosts, so take a floppy disk with you to the networking lab and copy the files onto it using the following mtools commands (do not try USB memory sticks or any other storage device):


$ mcopy TeamNumber_Unencrypted.txt a:

$ mcopy TeamNumber_Encrypted.txt a:


Good Luck!


Thanks to Chris Bookholt and Mahrn Fullmer for helping the course TA setup this lab exercise