Lab in a Box

If you are on a budget, but you have a Cisco PIX 515, Cisco layer-3 switch (I’m using a 3550) and a HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the Firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/vlans, then you should be able to modify this to work for any setup accordingly.

Let's start with the core switch. Here is the relevant config from the 3550 I'm using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast trunk

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast trunk

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4
description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)
vlan 2 1.1.1.3
vlan 3 192.168.10.2
vlan 4 192.168.20.2
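As an added check (not part of the original post), here is a small Python script that validates the addressing plan of the three devices above before you cable anything: every VLAN must put the switch SVI, the PIX interface and the server in one subnet with no duplicate addresses, must be carried on the right switch ports, and must sit in its own VRF, because if the "internet" VLAN shared a VRF with an inside VLAN the switch would route around the PIX. The plan dictionary and port VLAN sets are constructed from the configs on this page.

```python
import ipaddress

# Constructed from the switch, PIX and server addressing in this post:
# per VLAN, the switch SVI and its VRF, the PIX interface and the HP server address.
PLAN = {
    2: {"vrf": "INET", "switch": "1.1.1.1/24", "pix": "1.1.1.2/24", "server": "1.1.1.3/24"},
    3: {"vrf": "NET1", "switch": "192.168.10.254/24", "pix": "192.168.10.1/24", "server": "192.168.10.2/24"},
    4: {"vrf": "NET2", "switch": "192.168.20.254/24", "pix": "192.168.20.1/24", "server": "192.168.20.2/24"},
}
# Which switch ports carry which VLANs (from the switchport lines in the 3550 config).
SERVER_VLANS = set(range(2, 5))     # Fa0/1: switchport trunk allowed vlan 2-4
PIX_VLANS = {2} | set(range(3, 6))  # Fa0/10: access vlan 2; Fa0/11: allowed vlan 3-5

def check_plan(plan, server_vlans, pix_vlans):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vrf_of = {}  # VRF name -> first VLAN seen using it
    for vlan, row in plan.items():
        ifaces = {role: ipaddress.ip_interface(row[role]) for role in ("switch", "pix", "server")}
        if len({i.network for i in ifaces.values()}) != 1:
            problems.append(f"vlan {vlan}: switch, PIX and server are not in one subnet")
        if len({i.ip for i in ifaces.values()}) != 3:
            problems.append(f"vlan {vlan}: duplicate IP address")
        if vlan not in server_vlans:
            problems.append(f"vlan {vlan}: not allowed on the server trunk")
        if vlan not in pix_vlans:
            problems.append(f"vlan {vlan}: not carried to the PIX")
        # VRF-lite is what forces inter-VLAN traffic through the PIX: two VLANs in one
        # VRF would be routed directly by the switch, bypassing the firewall entirely.
        if row["vrf"] in vrf_of:
            problems.append(f"vlan {vlan}: shares VRF {row['vrf']} with vlan {vrf_of[row['vrf']]}")
        vrf_of.setdefault(row["vrf"], vlan)
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN, SERVER_VLANS, PIX_VLANS) or ["plan OK"]:
        print(line)
```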

Then, on the HP server, install VMware Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an "internet" server and two "private" servers behind NAT. On the "internet" server, set up DNS and point the other servers at it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.<br />
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

Configuring internet failover on Cisco PIX or ASA running 8.0+

Here is how to do redundant ISP links on Cisco ASA 8.x. Each SLA monitor should ping a host that is only reachable through that ISP (its gateway, for example), otherwise a dead link can still look "up". The NAT lines below use the pre-8.3 global/nat syntax; 8.3 and later replaced it with object NAT.

sla monitor 111
type echo protocol ipIcmpEcho <ISP1 monitored IP> interface outside
num-packets 4
frequency 10

sla monitor 112
type echo protocol ipIcmpEcho <ISP2 monitored IP> interface backup
num-packets 4
frequency 10

sla monitor schedule 111 life forever start-time now
sla monitor schedule 112 life forever start-time now

track 1 rtr 111 reachability
track 2 rtr 112 reachability

route outside 0.0.0.0 0.0.0.0 <ISP1 Gateway> 1 track 1
route backup 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 2

Example NAT configuration:

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Configuring internet failover on a Cisco 2800 series router

This is, in my opinion, the best way to do a failover configuration for 2 ISP links:

track 100 ip sla 100 reachability
delay down 10 up 20

track 101 ip sla 101 reachability
delay down 10 up 20

ip local policy route-map LocalPolicy

ip nat inside source route-map DYN_NAT interface <WAN1 Interface> overload
ip nat inside source route-map FAILOVER_NAT interface <WAN2 Interface> overload

ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 100
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 101
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> 250
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 251

ip access-list extended PingISP_A
permit icmp host <WAN1 Interface IP> host 8.8.8.8

ip access-list extended PingISP_B
permit icmp host <WAN2 Interface IP> host 8.8.8.8

ip sla 100
icmp-echo 8.8.8.8 source-interface <WAN1 Interface>
ip sla schedule 100 life forever start-time now

ip sla 101
icmp-echo 8.8.8.8 source-interface <WAN2 Interface>
ip sla schedule 101 life forever start-time now

access-list 107 permit ip <LAN subnet> <LAN inverse mask> any
access-list 108 permit ip <LAN subnet> <LAN inverse mask> any

route-map FAILOVER_NAT permit 10
match ip address 107
match interface <WAN2 Interface>

route-map DYN_NAT permit 10
match ip address 108
match interface <WAN1 Interface>

route-map LocalPolicy permit 10
match ip address PingISP_A
set ip next-hop <ISP1 Gateway>
set interface <WAN1 Interface>

route-map LocalPolicy permit 20
match ip address PingISP_B
set ip next-hop <ISP2 Gateway>
set interface <WAN2 Interface>

If you need to do static NAT you would do basically the same thing: one ACL per translation and a route-map per WAN interface, so each static mapping is only used when its interface is the egress:

access-list 109 permit ip host <Internal server IP> any
access-list 110 permit ip host <Internal server IP> any

route-map STAT_NAT permit 10
match ip address 109
match interface <WAN1 Interface>

route-map FAILOVER_SNAT permit 10
match ip address 110
match interface <WAN2 Interface>

ip nat inside source static <Internal server IP> <WAN1 Public IP> route-map STAT_NAT extendable
ip nat inside source static <Internal server IP> <WAN2 Public IP> route-map FAILOVER_SNAT extendable
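To show how both the ASA and the 2800 configurations above choose a default route, here is an added Python model (not from the original post) of tracked static routes: each track object flips state only after its SLA result has disagreed with the current state for the configured delay, and the RIB installs the lowest administrative distance among routes whose track is up. The gateway names are the page's placeholders; the 10/20-second delays are the ones configured on the 2800, and the ASA tracks are modelled with no delay.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    gateway: str
    distance: int          # administrative distance; IOS/ASA default is 1
    track: Optional[int]   # track object that must be 'up'; None = untracked floating route

@dataclass
class Track:
    """Models 'track N ... reachability' with 'delay down D up U' (0 = no dampening)."""
    delay_down: int = 0
    delay_up: int = 0
    state: str = "up"
    pending: Optional[str] = None   # proposed new state still waiting out its delay
    since: int = 0                  # time the proposed state was first observed

    def observe(self, reachable: bool, now: int) -> str:
        """Feed one SLA probe result at time 'now' (seconds); return the track state."""
        raw = "up" if reachable else "down"
        if raw == self.state:            # probe agrees with current state: cancel pending flip
            self.pending = None
            return self.state
        if self.pending != raw:          # first probe disagreeing with the current state
            self.pending, self.since = raw, now
        delay = self.delay_down if raw == "down" else self.delay_up
        if now - self.since >= delay:    # disagreement persisted for the whole delay
            self.state, self.pending = raw, None
        return self.state

def installed_default(routes, tracks):
    """Gateway the RIB installs: lowest AD among routes whose track (if any) is up, else None."""
    eligible = [r for r in routes if r.track is None or tracks[r.track].state == "up"]
    return min(eligible, key=lambda r: r.distance).gateway if eligible else None

# The four default routes from the 2800 section, placeholders kept as on the page.
ROUTES_2800 = [StaticRoute("<ISP1 Gateway>", 1, 100), StaticRoute("<ISP2 Gateway>", 10, 101),
               StaticRoute("<ISP1 Gateway>", 250, None), StaticRoute("<ISP2 Gateway>", 251, None)]
TRACKS_2800 = {100: Track(10, 20), 101: Track(10, 20)}
# The two tracked routes from the ASA section, which has no untracked fallback route.
ROUTES_ASA = [StaticRoute("<ISP1 Gateway>", 1, 1), StaticRoute("<ISP2 Gateway>", 10, 2)]
TRACKS_ASA = {1: Track(), 2: Track()}

if __name__ == "__main__":
    for t in range(0, 40, 10):   # ISP1 probes fail from t=0 while ISP2 stays reachable
        TRACKS_2800[100].observe(False, t); TRACKS_2800[101].observe(True, t)
        print(t, TRACKS_2800[100].state, installed_default(ROUTES_2800, TRACKS_2800))
```

The contrast worth noticing is the last case: with both tracks down, the 2800's untracked AD 250 route keeps a default pointing at ISP1, whereas the ASA config ends up with no default route at all.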