Please believe me when I say I've performed countless hours of research for several days on the subject and have not been able to derive a detailed and complete explanation on how to setup and configure the following scenario. With that said, I humbly and respectfully request input from the community to assist me with this scenario.
I have recently attained CCNA certification that stemmed from training at a Cisco Academy. This training comprised the Cisco Exploration classes, Cisco I through Cisco IV. In this training I have not seen or read anything that helps a learner understand how to configure a firewall (with the exception of firewall-behaving ACLs on regular routers) or the deployment of VPN technology.
To further enhance my knowledge of networking concepts and to pursue advanced Cisco and other certifications, I have decided to build a home lab. I've purchased quite a number of routers and switches, which are all rack mounted, and I'm confident configuring them; however, there are three devices in particular that I wish to receive help with: the AS2511-RJ, the PIX 515, and the VPN 300 Concentrator (and possibly my home Linksys Wireless Router if need be).
To put it simply, I would like to know how to securely configure remote access to my home lab that would not interfere with nor jeopardize the integrity of my existing home network. In my research, I've come across a concept known as port-forwarding for SSH and VPN. In my studies at the Cisco Academy, I've always read that SSH is more secure than Telnet; however, users from all sorts of online forums recommend against using port-forwarding on (in my case) the Linksys Wireless Router. If it is truly the case that this scenario is not secure (and I request that someone please educate me as to why it is or is not), then that leaves me with the option of using a VPN connection into my home network.
My existing infrastructure is as follows: Comcast ISP --> Broadband Cable Modem --> Linksys WRT300N --> My home computers via wired and wireless connections.
My goal is to integrate my home lab into this infrastructure, but not impede or otherwise create any vulnerabilities to the existing devices in my home network (my wife would absolutely kill me).
With that said, I've configured the 2511 as a Terminal Access Server (TAS) and can successfully reverse telnet into all of my networking devices - no problem there. As previously mentioned, I would like to be able to access this home lab remotely. So far, I've already created an account with DynDNS and have also configured that information on my Linksys Wireless Router. As I understand it, this step should mitigate any problems with my dynamically assigned IP address that I receive from my ISP in the event it changes to something else.
Now, here are my questions: how should I integrate either the PIX and/or the VPN Concentrator so that

#1 it can accept a secure connection from the Internet via the Linksys Wireless Router,

#1a I continue to use the Linksys Wireless Router as the gateway device, the reason being that I don't always want to have the home lab powered up and running (I only want to use it occasionally); therefore, the existing home network does not get impacted whenever I bring the home lab up or down, and

#2 the home devices and home lab are on different networks.
To further clarify question 1a, I don't want my home network to be dependent on the presence of any of the physical networking devices from my home lab equipment. Furthermore, understanding that virtualization solutions may solve or address some of these issues, I am not able to implement any of that technology given the existing [older] equipment I'm currently using from a PC standpoint.
I've already confirmed that the WRT300N can allow VPN pass-through (PPTP, IPSec, L2TP), and if I'm not mistaken it would appear I am able to segment the home network from the lab network with a feature called Static Routing. To confirm, dispute, or deny any of these assumptions, I've attached the owner's manual for this particular device for review if necessary.
Furthermore, since I know virtually nothing about VPN from an infrastructure standpoint, if VPN client software is required on the remote computer which resides outside the private network, where would I go to provision such software and what would I need to do to get it properly configured to establish that secure tunnel between private - public - private network? I've heard of IPSec clients, and SSL which is web-based, but do not have the faintest clue as to where to begin with either of these possible solutions.
In closing, aside from indicating what the best-case scenario would be with the existing equipment I have, detailed explanation and configs of the aforementioned specific devices would be extremely helpful to me (and others, I'm sure, who are in the same situation as me). If knowledge of the specific IOS version I'm running on these devices is required, I will provide that on a subsequent post, as I am not where the equipment is to provide that information at the moment.
Thank you very kindly for taking the time to read and respond to my post. I sincerely and wholeheartedly appreciate any and all assistance.
P.S. - The proposed remote access to my home lab, as written, assumes a direct connection to the TAS. I do have five lab computers as well, one of which runs a server OS. They all have connectivity to the patch panel, which is connected to a switch, which is connected to a router. If remote connectivity to the server is preferred, which subsequently Telnets into the TAS (which then reverse Telnets into all other networking devices), I'm fine with that method as well. In fact, this method would appear more productive because remotely accessing the home lab via this method would also provide access to the server and remaining PCs via RDP as well, wouldn't you agree?