How to Setup & Configure Remote Access to Home Lab

Unanswered Question
Oct 29th, 2010

Greetings,

Please believe me when I say I've performed countless hours of research for several days on the subject and have not been able to derive a detailed and complete explanation on how to setup and configure the following scenario. With that said, I humbly and respectfully request input from the community to assist me with this scenario.

I have recently attained CCNA certification that stemmed from training from a Cisco Academy. This training comprised of Cisco Exploration classes of Cisco I through Cisco IV. In this training I have not seen or read anything that helps a learner understand how to configure a firewall (with the exception of firewall behaving ACLs on regular routers) or the deployment of VPN technology.

To further enhance my knowledge of networking concepts and to pursue advanced Cisco and other certifications, I have decided to build a home lab. I've purchased quite a number of routers and switches which are all rack mounted and I'm confident configuring them; however, there are three devices in particular that I wish to receive help with- the AS2511-RJ, the PIX 515, and the VPN 300 Concentrator (and possibly my home Linksys Wireless Router if need be).

To put it simply, I would like to know how to securely configure remote access to my home lab that would not interfere with nor jeopardize the integrity of my existing home network. In my research, I've come across a concept known as port-forwarding for SSH and VPN. In my studies at the Cisco Academy, I've always read that SSH is more secure than Telnet; however, users from all sorts of online forums recommend against using port-forwarding on (in my case) the Linksys Wireless Router. If it is truly the case that this scenario is not secure (and I request that someone please educate me as to why it is or is not), then that leaves me with the option of using a VPN connection into my home network.

My existing infrastructure is as follows: Comcast ISP --> Broadband Cable Modem --> Linksys WRT300N --> My home computers via wired and wireless connections.

My goal is to integrate my home lab into this infrastructure, but not impede or otherwise create any vulnerabilities to the existing devices in my home network (my wife would absolutely kill me).

With that said, I've configured the 2511 as a Terminal Access Server (TAS) and can successfully reverse telnet into all of my networking devices - no problem there. As previously mentioned, I would like to be able to access this home lab remotely. So far, I've already created an account with DynDNS and have also configured that information on my Linksys Wireless Router. As I understand it, this step should mitigate any problems with my dynamically assigned IP address that I receive from my ISP in the event it changes to something else.

Now, here are my questions: how should I integrate either the PIX and/or the VPN Concentrator so that #1 it can accept a secure connection from the Internet via the Linksys Wireless Router, #1a I continue to use the Linksys Wireless Router as the gateway device with the reason being that I don't always want to have the home lab powered up and running - I only want to use it occasionally; therefore, the existing home network does not get impacted whenever I bring the home lab up or down and #2 the home devices and home lab are on different networks.

To further clarify question 1a, I don't want my home network to be dependent on the presence of any of the physical networking devices from my home lab equipment.Furthermore, understanding that virtualization solutions may solve or address some of these issues, I am not able to implement any of that technology given the existing [older] equipment I'm currently using from a PC standpoint.

I've already confirmed that the WRT300N can allow VPN pass-through (PPTP, IPSec, L2TP), and if I'm not mistaken it would appear I am able to segment the home network from the lab network with a feature called Static Routing.To confirm, dispute, or deny any of these assumptions, I've attached the owner's manual to this particular device for review if necessary.

Furthermore, since I know virtually nothing about VPN from an  infrastructure standpoint, if VPN client software is required on the  remote computer which resides outside the private network, where would I  go to provision such software and what would I need to do to get it  properly configured to establish that secure tunnel between private -  public - private network? I've heard of IPSec clients, and SSL which is web-based, but do not have the faintest clue as to where to begin with either of these possible solutions.

In closing, aside from indicating what the best-case scenario would be with the existing equipment I have, detailed explanation and configs of the aforementioned specific devices would be extremely helpful to me (and others, I'm sure, who are in the same situation as me). If knowledge of the specific IOS version I'm running on these devices is required, I will provide that on a subsequent post, as I am not where the equipment is to provide that information at the moment.

Thank you very kindly for taking the time to read and respond to my post. I sincerely and wholeheartedly appreciate any and all assistance.

Best regards,

Ricco

P.S. - The proposed remote acces to my home lab, as written, assumes direct connection to the TAS. I do have five lab computers as well, one of which runs a server OS. They all have connectivity to the patch panel which is connected to a switch, which is connected to a router. If remote connectivity to the server is preferred, which subsequently Telnets into the TAS (which then reverse Telnets into all other networking devices), I'm fine with that method as well. In fact, this method would appear more productive because remotely accessing the home lab via this method would also provide access to the server and remaining PCs via RDP as well, wouldn't you agree?

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
coto.fusionet Thu, 11/04/2010 - 12:26

Dude,

I've been wanting to try to help you out with this post but I have'nt had the time to read the entire thing!

Could you respond with a brief summary of what you need?

You might get an answer faster :-)

Federico.

Joshua Wheaton Thu, 12/08/2011 - 13:41

I want to configure something similar. Did you ever get your network configured for remote access? I have SSH setup on a layer 3 switch that I added to my home network via an old Netgear wireless router. I am able to connect on the local LAN with SSH or telnet just fine but have had issues connecting remotely. I forwarded port 22 for SSH and could not connect remotely. After opening port 23 on the netgear to connect unsecurely through telnet I had a connection time out error again. I was able to connect to all the other devices behind that same router on various different ports with many different programs. Remoting to a computer connected via conole cable I was able to test the static route and ping various websites and both internal and external IP address without issue. Still unable to connect Any ideas what I could have missed?

I don't have a router with two ethernet ports so a layer 3 switch I figured would work as a way to route between the private networks my routers are on and my computers. I was going to configure an access server if I could get the first part up and running. If you are still interested in setting up your home network as you mentioned in your post I will share my findings once I get everything working correctly.

Joshua Wheaton Mon, 12/12/2011 - 03:28

I now have the home lab configured for remote access. I missed something that was not configured for the correct IP on one of the firewalls in the initial setup. I'm still using the cheap Netgear router and forwarding the ports I need to access the home lab. This way most any change I make to the cisco lab won't affect the home network. I already have a DMZ setup for something else but maybe putting the Cisco lab equipment in a DMZ would be a good configuration for you Silver?

yiuyuenyan Mon, 12/12/2011 - 07:57

hi there,

of course put the Cisco to the DMZ network will better, and not affect the network( I mean the source wan side)

NeveSSL37 Mon, 12/12/2011 - 18:26

Personally, I would recommend you separate your lab from your home network 100%.

As an example, you could DMZ and VLAN a VPN conentrator that connects only to your lab on its private side.  Setup RDP on a "main machine" that you can use to connect to everything else (from your 2511 to your other lab machines) and study on!  Full screen this "main machine" and you'll never know you're not at home, other than not being able to recable.

Brandon

Joshua Wheaton Tue, 12/13/2011 - 04:16

Brandon (NeveSSL37),

Thank you for the response. I would like to eventually setup the network using a VPN concentrator and an access server but don't have the required hardware. I use my laptop to watch videos and read books at work. I was using RDP on a computer that connected to the cisco lab but it is not fun switching back and forth between the remote session and the local content. I have an ASUS transformer and the RDP software I have doesn’t work well on it. Having SSH access to a device lets me connect with the laptop or tablet quickly. That way if I am reading a book on the tablet or watching a video on the laptop I can easily access my lab with either device without taking focus away from my study materials.

Ricco (Silver Casanova) would you recommend the 2511 access server you are using for a home lab? I would like to have my lab setup as close as possible to a live environment without interfering with my home network. With the hardware you have I like the suggestions that Brandon (NeveSSL37) gave for configuring a home lab.

NeveSSL37 Tue, 12/13/2011 - 11:35

2511s are great and all, but they're very expensive, often $200 to $250 and can only do a max of 16 devices. 

A much less expensive option that does the same thing is the Cyclades TS3000.  Its a 48-port access server that has a web interface and gives you remote access to your console ports.  I just picked one up for $69.  They are usually on eBay for somewhere between what I paid and $100.  Right now there's a 32-port version for $39.  That's a fraction of what the 2511s are going for. 

Or you can grab an Async 32a or 16a, but those are also expensive.

Brandon

Actions

Login or Register to take actions

This Discussion

Posted October 29, 2010 at 5:21 PM
Stats:
Replies:7 Avg. Rating:
Views:6631 Votes:0
Shares:0

Related Content

Discussions Leaderboard