This shows you the differences between two versions of the page.
sred:setup_lab [2019/11/02 23:17] horia.stoenescu modified setup |
sred:setup_lab [2020/11/14 21:57] (current) horia.stoenescu |
Line 1: | Line 1: | ||
- | ==== Setup lab Cisco ===== | + | ==== Setup lab Cisco (OLD - GNS3 - 2019) ===== |
See [[https://acs.curs.pub.ro/2019/mod/folder/view.php?id=5985|here]] the required files for creating on your machines the topologies found in labs (you need to be enrolled on course for accessing them). | See [[https://acs.curs.pub.ro/2019/mod/folder/view.php?id=5985|here]] the required files for creating on your machines the topologies found in labs (you need to be enrolled on course for accessing them). | ||
Folder **Tools** contains: | Folder **Tools** contains: | ||
* **GNS3 installer** (version 2.2.0). After installation, access the application and choose for setup wizard: '//Run appliances on my local computer//' and leave for default configuration for server path, IP (//localhost//) and TCP port (//3080//). For configuring your profile, add new machines etc., access Preferences from Edit or simpler by pressing **Ctrl + Shift + P**. | * **GNS3 installer** (version 2.2.0). After installation, access the application and choose for setup wizard: '//Run appliances on my local computer//' and leave for default configuration for server path, IP (//localhost//) and TCP port (//3080//). For configuring your profile, add new machines etc., access Preferences from Edit or simpler by pressing **Ctrl + Shift + P**. | ||
- | * **Solar-putty** for accessing console application to machines using telnet. Configure it by going to Preferences in GNS3 > General > Console Applications > Console application command for telnet, where you need to add: | + | * **Solar-PuTTY** for accessing console application to machines using telnet. Configure it by going to Preferences in GNS3 > General > Console Applications > Console application command for telnet, where you need to add: |
<code> | <code> | ||
"$path_to_solar_putty_exe" --telnet --hostname %h --port %p --name %d | "$path_to_solar_putty_exe" --telnet --hostname %h --port %p --name %d | ||
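Review bot: the console command in this hunk keeps `"$path_to_solar_putty_exe"` as a placeholder; say explicitly that it must be replaced with the full path of the installed Solar-PuTTY executable (the quotes stay so a path containing spaces still works) and that `%h`, `%p` and `%d` are GNS3's own substitution variables for host, port and device name, not something the student types in. The heading now says "(OLD - GNS3 - 2019)" but the body still reads as the current instructions ("the required files for creating on your machines the topologies found in labs"); a one-line pointer to the setup page that replaces this one would keep students from following a superseded procedure. In the wizard step it is also worth stating why the defaults are kept: with the server left on //localhost// and port //3080// the GNS3 API is only reachable from the student's own machine, not from the rest of the network.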
Line 10: | Line 10: | ||
(tutorial on this [[https://www.youtube.com/watch?v=iuev1Hyc-f4|link]]) | (tutorial on this [[https://www.youtube.com/watch?v=iuev1Hyc-f4|link]]) | ||
- | Note that for Linux device, gnome-terminal is added by default and can be used without solar putty. | + | <note warning> |
+ | To use the **NAT** cloud from GNS3, you will need also to install VMware Workstation (download [[https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html|here]]). Only for that component the VMware in necessary, in rest only VirtualBox. | ||
- | === Linux machines (UbuntuVM, KaliVM and InternetVM) === | + | After installing VMWare, there is need to add some vmnets on the machine. Go to Preferences (Ctl+shift+P) > VMWare (see the executable on tab Local settings is the correct one) > Advanced local settings tab > Add vmnets from vmnet8 to vmnet8 > Configure and wait for the process to finish. After this, try to add a NAT cloud. See more on this [[https://www.gns3.com/community/discussion/how-the-nat-node-in-gns3-works|link]] about this appliance. |
- | * Ubuntu: you can download the Ubuntu 18.04 LTE image directly from their [[http://releases.ubuntu.com/18.04/|website]], use it to create a VM in VirtualBox and import it in GNS3. | + | </note> |
- | * Kali: same as for Ubuntu (download from [[https://www.kali.org/downloads/|here]] iso) | + | |
- | * InternetVM: download the machine used in lab from [[https://drive.google.com/file/d/131Htsxcc_rcDagwfIvrk58_lKqqaAlib/view?usp=sharing|here]] (it has 2 network adapters attached to Generic Driver - one used for connection with router/FTD/WSA and the other with NAT cloud for Internet access) | + | |
- | Make sure your VMs are opened in Virtual Box. Go to Preferences, VirtualBox VMs > New and select from the list the VM > Finish and verify the configuration using Edit. Ubuntu and Kali need to have 1 network adapter (on tab Network) and InternetVM 2. | + | Note that for Linux device, gnome-terminal is added by default and can be used without Solar-PuTTY. |
+ | * **VirtualBox** installer which is the recommended hosted hypervisor for virtualization | ||
- | === Cisco routers === | + | ==== Linux machines (UbuntuVM, KaliVM and InternetVM) ==== |
+ | * **Ubuntu**: you can download the Ubuntu 18.04 LTE image directly from their [[http://releases.ubuntu.com/18.04/|website]], use it to create a VM in VirtualBox and import it in GNS3. | ||
+ | * **Kali**: same as for Ubuntu (download from [[https://www.kali.org/downloads/|here]] iso) | ||
+ | * **InternetVM**: download the machine used in lab from [[https://drive.google.com/file/d/131Htsxcc_rcDagwfIvrk58_lKqqaAlib/view?usp=sharing|here]] (it has 2 network adapters attached to Generic Driver - one used for connection with router/FTD/WSA and the other with NAT cloud for Internet access) | ||
+ | |||
+ | Make sure your VMs are opened in Virtual Box. Go to Preferences, VirtualBox VMs > New and select from the list the VM > Finish and verify the configuration using Edit. Ubuntu and Kali need to have 1 network adapter (on tab Network) and InternetVM 2. All adapters need to be "Generic driver" to be recognised by GNS3. | ||
+ | |||
+ | In case of Linux devices, utilities from [[https://en.wikipedia.org/wiki/Iproute2|iproute2]] are detailed for configuring. | ||
+ | == Reminder ip address Linux == | ||
+ | <code> | ||
+ | user@LinuxMachine ~ $ sudo ip a a 10.10.10.2/24 dev enp0s3 | ||
+ | user@LinuxMachine ~ $ ifconfig enp0s3 | ||
+ | eth1 Link encap:Ethernet HWaddr [...] | ||
+ | inet addr:10.10.10.2 Bcast:0.0.0.0 Mask:255.255.255.0 | ||
+ | BROADCAST MULTICAST MTU:1500 Metric:1 | ||
+ | [...] | ||
+ | # ip a a stands for: ip address add. Try to use shortcuts for configurations | ||
+ | </code> | ||
+ | |||
+ | == Reminder ip route Linux == | ||
+ | <code> | ||
+ | user@LinuxMachine ~ $ sudo ip r a default via 10.20.20.2 dev enp0s3 | ||
+ | user@LinuxMachine ~ $ ip r s | ||
+ | default via 10.20.20.2 dev enp0s3 | ||
+ | [...] | ||
+ | # ip r s stands for: ip route show | ||
+ | |||
+ | </code> | ||
+ | |||
+ | <note tip> | ||
+ | Try to use shortcuts as much as possible | ||
+ | </note> | ||
+ | |||
+ | ==== Cisco routers ==== | ||
On the course link, there exist 2 images for Cisco 3640 (used in lab1) and Cisco 7200 (can be used for both 1 and 2) that need to be imported in GNS3 in a form of **appliance**. Go to File > New template (a plus sign on left) > Install an appliance from the GNS3 server > on filter add 3640/7200 and select > Click Install > Install the appliance on your local computer > Check allow custom files (click Yes to dialog box) and click Import > Add here the .bin file downloaded > Accept the warning about integrity check > Select the appliance (it needs to have the status: Ready to install > Next and Finish. | On the course link, there exist 2 images for Cisco 3640 (used in lab1) and Cisco 7200 (can be used for both 1 and 2) that need to be imported in GNS3 in a form of **appliance**. Go to File > New template (a plus sign on left) > Install an appliance from the GNS3 server > on filter add 3640/7200 and select > Click Install > Install the appliance on your local computer > Check allow custom files (click Yes to dialog box) and click Import > Add here the .bin file downloaded > Accept the warning about integrity check > Select the appliance (it needs to have the status: Ready to install > Next and Finish. | ||
After this, from the left side, select Browse all devices, then right click on the newly added appliance and click on configure template. Add a new network slot (Slots - third tab) - PA-4E for 7200 and NM-4E for 3540. After this, you drag and drop the virtual router in your project. | After this, from the left side, select Browse all devices, then right click on the newly added appliance and click on configure template. Add a new network slot (Slots - third tab) - PA-4E for 7200 and NM-4E for 3540. After this, you drag and drop the virtual router in your project. | ||
+ | |||
+ | == Reminder ip addresses Cisco == | ||
+ | Let's say I want to add the IP address: 10.10.10.1/24 to interface FastEthernet0/0: | ||
+ | <code> | ||
+ | CISCO_7200(config)#interface FastEthernet 0/0 | ||
+ | CISCO_7200(config-if)#no shutdown | ||
+ | %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up | ||
+ | |||
+ | %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up | ||
+ | |||
+ | CISCO_7200(config-if)#ip address 10.10.10.1 255.255.255.0 | ||
+ | </code> | ||
+ | |||
+ | == Reminder ip route Cisco == | ||
+ | In this case I want to add a default route to internet via 10.30.30.2 (the ip of InternetVM on interface enp0s3): | ||
+ | <code> | ||
+ | CISCO_7200(config)#ip route 0.0.0.0 0.0.0.0 10.30.30.2 | ||
+ | </code> | ||
+ | |||
+ | <note> | ||
+ | Do not forget about the question mark character that you can use for autocomplete the IOS syntax. Example: | ||
+ | <code> | ||
+ | CISCO_7200(config)#int fastEthernet 0/0 | ||
+ | CISCO_7200(config-if)#? | ||
+ | arp Set arp type (arpa, probe, snap) or timeout | ||
+ | bandwidth Set bandwidth informational parameter | ||
+ | cdp CDP interface subcommands | ||
+ | channel-group Add this interface to an Etherchannel group | ||
+ | [...] | ||
+ | </code> | ||
+ | </note> | ||
+ | |||
+ | ==== Cisco Firepower Threat Defence ==== | ||
+ | Download from [[https://drive.google.com/file/d/1wZi3h7wnMnDx0GxVye_ArfvzNHU71pxE/view?usp=sharing|here]] the zip for Cisco FTD which contains: a VDI image and 2 OVFs. After unzipping the files, you are required to open the first one (with //*-VI-6.5.0-115//) using Virtual Box and configure the appliance settings as follows: | ||
+ | * CPU: 4 (use only 4 vCPUs) | ||
+ | * RAM: 8196 MB (the minimum required value) | ||
+ | * deselect DVD | ||
+ | * keep only the first 4 network adapters (deselect the last 4 of them) | ||
+ | * modify the Base folder (if you want so) to add the VM files | ||
+ | The click Import and wait for it to complete. | ||
+ | |||
+ | <note important> | ||
+ | After importing the VM files to your machine, **keep them in the base folder location**. The configuration may not work due to this path modification. | ||
+ | </note> | ||
+ | |||
+ | <note important> | ||
+ | Another important aspect here is to **NOT open the VM** after import. Wait for GNS3 ones from below. | ||
+ | </note> | ||
+ | |||
+ | Before going to GNS3, you to modify the network adapter configuration. Go to VirtualBox > right click on the FTD VM > Settings > Network: | ||
+ | * for adapter 1, enable it, attach to **Host-only Adapter** (with name VirtualBox Host-only Adapter). Then go to Advanced and choose for adapter type **Paravirtualized Network (virtio-net)** and keep the rest as they are | ||
+ | * for adapters 2->4, enable them, attach to **Generic Driver**. The other fields are going to be populated by GNS3. | ||
+ | |||
+ | Continuing, there is need to import the FTD in GNS3. Go to GNS3 > Preferences (Ctrl+Shift+P) > VirtualBox > VirtualBox VMs > New > select the VM from the list (see the name you gave it) > then Finish. You need to also modify the configuration by going to Edit > Network > change adapters number to 4 (the default value is 1), modify name format to GigabitEthernet{0} and configure custom adapters: | ||
+ | * for Adapter 0 change adapter type to Paravirtualized Network (virtio-net) | ||
+ | * for Adapter 1->3 leave them as they are | ||
+ | |||
+ | Click Ok and Apply. | ||
+ | |||
+ | After this, you can drag and drop the newly added machine (found as //appliance// on left side). You can start the machine and wait for it to boot. To use a different terminal than the one from VBox, you can use PuTTY or Solar-PuTTY to access it on the management interface using ssh (port 22 is enabled by default). | ||
+ | |||
+ | <note tip> | ||
+ | The management interface has the following ip address: **192.168.56.102** (with default gateway 192.168.56.1). | ||
+ | </note> | ||
+ | |||
+ | After waiting for 10 minutes, from your browser access the Firepower Device Manager ([[https://www.cisco.com/c/en/us/products/security/security-management/firepower-device-manager.html|FDM]] - a web based user interface on the firewall) using the management ip from above and https protocol (no http - there is not redirect done to http over ssl). | ||
+ | |||
+ | <note> | ||
+ | **Credentials** for FTD (default ones): | ||
+ | |||
+ | user: admin | ||
+ | |||
+ | passwd: Admin123 | ||
+ | </note> | ||
+ | |||
+ | You have now to: | ||
+ | * configure the interfaces (after connecting them with links on GNS3) | ||
+ | * add a default route via the ip address with InternetVM | ||
+ | * add two zones: for inside and outside interfaces | ||
+ | * create an access control rule for allowing any traffic from inside zone to outside zone (the default action is at the end - deny any any). | ||
+ | |||
+ | Deploy at the end for changes to take effect. | ||
=== Lab 1 topology === | === Lab 1 topology === |
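Review bot: the "Reminder ip address Linux" block is misleading as shown. After `sudo ip a a 10.10.10.2/24 dev enp0s3` the `ifconfig enp0s3` output names the interface `eth1`, and its flags (`BROADCAST MULTICAST`, no `UP`) show the link is still down, so the block should use one interface name throughout and add `sudo ip link set enp0s3 up` before the route reminder; `Bcast:0.0.0.0` is expected because no `brd +` was given, so either add `brd +` or say why it is 0.0.0.0. Mixing `ifconfig` (net-tools) into a reminder that the previous sentence says is about iproute2 is also inconsistent; `ip a s enp0s3` shows the same fields. The two reminder blocks use different subnets (address 10.10.10.2/24, then `default via 10.20.20.2 dev enp0s3`): run in sequence as written, the kernel rejects the route because 10.20.20.2 is not on-link for that interface, so either align the addresses or state that the two blocks are independent examples. Typos a student will copy: "Ubuntu 18.04 LTE" should be LTS; "NM-4E for 3540" should read 3640, the model named in the paragraph before it; "RAM: 8196 MB" is presumably 8192 MB; "Add vmnets from vmnet8 to vmnet8" needs the intended range; "the VMware in necessary", "The click Import", "you to modify the network adapter configuration" and "there is not redirect done to http over ssl" need rewording (the last means that http is not redirected to https, so the URL must start with https://). In the FTD section the default credentials are published in a note, so add a step to change the admin password at first login; it is also worth saying that the access control rule allowing any traffic from inside to outside is deliberately permissive for the lab, and that ssh on the management interface (192.168.56.102) is only reachable from the host-only network, which is what keeps the default credentials from being exposed further.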