Lab in a Box

If you are on a budget, but you have a Cisco PIX 515, Cisco layer-3 switch (I’m using a 3550) and a HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the Firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/vlans, then you should be able to modify this to work for any setup accordingly.

Lets start with the core switch, here is relevant config from the 3550 I’m using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4 description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)

vlan 2 1.1.1.3

vlan 3 192.168.10.2

vlan 4 192.168.20.2

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, setup DNS and assign the other servers to use it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

Leave a Reply

Your email address will not be published. Required fields are marked *