Access/Terminal server SETUP of a network for labs via the internet.

This question is related to the design and setup of a access server using terminal asynchronous connections.

Available hardware and layout consists of a Cisco 2621 router - 1 T1 CSU/DSU module with 2 Ethernet ports.  T1 out to the internet with 16 public ip address on Ethernet 0/0 and private class B network implemented on Ethernet 0/1 using NAT to get out to the internet. Cisco 2924 switch currently configured with 2 vlans one conected to Ethernet 0/0 - public ports 1-16 and vlan 2 connected to Ethernet 0/1 the private addresses.  This layout can be changed.

The goal is to have cisco labs that can be accessed by our students via the internet.  What is the prefered method of design allowing students to access four different labs consisting of up to five devices in each lab.  Students must have access into only their own labs.  

Thought of purchasing a NM-16A: Sixteen-port Asynchronous Network Module and using the Cisco 2621 as a access server where the students can open up a reverse telnet session with the appropiate lab.  Not sure how to implement the security here and if implemented this way the students would have user access into the cisco 2621 where we have security settings etc set up - access lists and firewall.  The second option was to implement 2509 access routers per lab where the user would telnet directly into the access router using a public ip address and then open up a asynchronous terminal connection into the lab.

Your opinion on the design is greatly appreciated...
Who is Participating?

Improve company productivity with a Business Account.Sign Up

scraig84Connect With a Mentor Commented:
It could certainly be done on a single router.  You could setup different access lists to each line, but that would be awfully messy with knowing the source addresses of your users etc.

I don't know how much "free reign" these users will be given on the lab equipment, but you could setup RADIUS or TACACS so that users can only log into the lab equipment they are allowed to touch.  This could let you focus less on the initial point of entry as the place to allow or deny access.  However, if they are allowed to wipe configs at will, then this won't work very well either.  Your best bet would probably be to go with a really cheap router per lab as the intial access point (such as the 2509 you mention) and you could base your access there.  I would still probably use RADIUS or TACACS so that you can manage usernames rather than access lists.
Personally, I would put a Terminal server on the network and use the terminal web client and when they log in over the internet you can have the desktop of the terminal server locked down except for that which you would like to have available to them such as a telnet shortcut and such. This way you can log actions on the terminal server and it would only require one live IP address on the internet. Also sessions can be encrypted using SSL also. All internal equipment could have private addressing and you could put an advertisement banner as the desktop background on their terminal session of your company offerings. These other guys might have a better suggestion though.
Hi ecinelli:
Have you considered a VPN solution? You could have your students utilize Cisco VPN Client software (i.e. version 3.52), configure your 2621 router to allow Remote-User VPN connections with a dynamic crypto map. It would be best to implement a Tacacs server to do AAA (Authentication, Authorization and Accounting) for the remote-users.

The IOS for the 2621 router should have 3DES VPN and Firewall capabilities. Cisco Secure ACS version 3.0, can run on either a UNIX or Windows platform and could give you the capability to control what access the Remote-Users have through the VPN.

By using deploying different subnets and VLANs in router and switch for your labs you could properly segment the LAN via different Ethernet subinterfaces under E0/0 and would not even need all your public IP addresses.

The router can of course be configured to still use the public IP's in a true NAT pool rather than using PAT. In addition, you can configure the E0/1 so that Internet access for Internal sources is possible.

Hope this helps, Chriskohn
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.