Solved

Access/Terminal server SETUP of a network for labs via the internet.

Posted on 2002-06-17
181 Views
Last Modified: 2010-04-17
This question is related to the design and setup of an access server using terminal asynchronous connections.

Available hardware and layout consists of a Cisco 2621 router with 1 T1 CSU/DSU module and 2 Ethernet ports. T1 out to the Internet with 16 public IP addresses on Ethernet 0/0, and a private class B network implemented on Ethernet 0/1 using NAT to get out to the Internet. Cisco 2924 switch currently configured with 2 VLANs: one connected to Ethernet 0/0 (public ports 1-16) and VLAN 2 connected to Ethernet 0/1 (the private addresses). This layout can be changed.

The goal is to have Cisco labs that can be accessed by our students via the Internet. What is the preferred method of design allowing students to access four different labs consisting of up to five devices in each lab? Students must have access into only their own labs.

Thought of purchasing an NM-16A (sixteen-port asynchronous network module) and using the Cisco 2621 as an access server where the students can open up a reverse telnet session with the appropriate lab. Not sure how to implement the security here, and if implemented this way the students would have user access into the Cisco 2621 where we have security settings etc. set up (access lists and firewall). The second option was to implement 2509 access routers per lab, where the user would telnet directly into the access router using a public IP address and then open up an asynchronous terminal connection into the lab.

Your opinion on the design is greatly appreciated...
Question by:ecinelli
3 Comments
LVL 17

Expert Comment

by:mikecr
ID: 7087775
Personally, I would put a Terminal server on the network and use the terminal web client, and when they log in over the Internet you can have the desktop of the terminal server locked down except for that which you would like to have available to them, such as a telnet shortcut and such. This way you can log actions on the terminal server and it would only require one live IP address on the Internet. Sessions can also be encrypted using SSL. All internal equipment could have private addressing and you could put an advertisement banner as the desktop background on their terminal session of your company offerings. These other guys might have a better suggestion though.
LVL 8

Accepted Solution

by: scraig84 (earned 500 total points)
ID: 7088971
It could certainly be done on a single router. You could set up different access lists on each line, but that would be awfully messy, with knowing the source addresses of your users etc.

I don't know how much "free rein" these users will be given on the lab equipment, but you could set up RADIUS or TACACS so that users can only log into the lab equipment they are allowed to touch. This could let you focus less on the initial point of entry as the place to allow or deny access. However, if they are allowed to wipe configs at will, then this won't work very well either. Your best bet would probably be to go with a really cheap router per lab as the initial access point (such as the 2509 you mention) and you could base your access there. I would still probably use RADIUS or TACACS so that you can manage usernames rather than access lists.
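Added example, not part of scraig84's answer or any poster's config: what the "cheap router per lab with TACACS-managed usernames" design looks like on one Cisco 2509. Everything in it is an assumption or placeholder (hostname, loopback 192.0.2.11, TACACS+ server 10.10.0.5 on a management subnet, lab devices cabled to async lines 1-5, the shared key and local fallback secret). Lines 1-8 are the 2509's async ports; reverse telnet reaches line N on TCP port 2000+N.

```cisco
! Added example (not from the thread): a Cisco 2509 dedicated to one lab.
! Placeholder values: loopback 192.0.2.11, TACACS+ server 10.10.0.5,
! lab devices on async lines 1-5, lines 6-8 unused.
hostname lab1-access
service password-encryption
!
aaa new-model
! every login, whether to a vty or a reverse telnet onto a console line,
! is checked against TACACS+; the local account only applies when the
! server is unreachable, so a dead server does not lock admins out
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! lets the TACACS+ server decide per user which console lines may be opened
aaa authorization reverse-access default group tacacs+
! accounting records show who opened which console and when
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
tacacs-server host 10.10.0.5
tacacs-server key REPLACE-WITH-SHARED-KEY
logging 10.10.0.5
!
! the one address students connect to for this lab
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
! reverse telnet ports are 2000 + async line number
ip host lab1-r1  2001 192.0.2.11
ip host lab1-r2  2002 192.0.2.11
ip host lab1-r3  2003 192.0.2.11
ip host lab1-sw1 2004 192.0.2.11
ip host lab1-sw2 2005 192.0.2.11
!
! console lines wired to the lab devices: no EXEC of their own, telnet
! in only, and the usual octal-cable serial settings
line 1 5
 no exec
 login authentication default
 transport input telnet
 stopbits 1
 speed 9600
 flowcontrol hardware
!
! unused async lines are closed off entirely
line 6 8
 no exec
 transport input none
!
line vty 0 4
 exec-timeout 15 0
 login authentication default
 transport input telnet
```

A student telnets to 192.0.2.11, authenticates against TACACS+, and then types `lab1-r2` at the prompt to land on the console of the second device. The "only their own lab" rule lives on the TACACS+ server: each student account is granted only on that lab's access router, so no source-address access list is needed, which is exactly the point of managing usernames rather than access lists. The accounting lines give you an audit trail of console sessions even when a student wipes a device's config.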
LVL 1

Expert Comment

by:Chriskohn
ID: 7104380
Hi ecinelli:
Have you considered a VPN solution? You could have your students utilize Cisco VPN Client software (i.e. version 3.52) and configure your 2621 router to allow Remote-User VPN connections with a dynamic crypto map. It would be best to implement a Tacacs server to do AAA (Authentication, Authorization and Accounting) for the remote-users.

The IOS for the 2621 router should have 3DES VPN and Firewall capabilities. Cisco Secure ACS version 3.0 can run on either a UNIX or Windows platform and could give you the capability to control what access the Remote-Users have through the VPN.

By deploying different subnets and VLANs in the router and switch for your labs, you could properly segment the LAN via different Ethernet subinterfaces under E0/0 and would not even need all your public IP addresses.

The router can of course be configured to still use the public IPs in a true NAT pool rather than using PAT. In addition, you can configure the E0/1 so that Internet access for internal sources is possible.

Hope this helps, Chriskohn
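Added example, not from Chriskohn's reply or any poster's config: the VLAN-per-lab segmentation on the 2621, combined with the per-lab access routers from the accepted answer, showing how the labs are kept apart from each other and from the management subnet while using only one public address per lab. All values are placeholders: FastEthernet0/0 and 0/1 stand in for what the thread calls E0/0 and E0/1, 203.0.113.0/28 for the 16 public addresses, 10.1.1x.0/24 for the lab subnets, 10.1.1x.2 for each lab's access router, and 10.10.0.0/24 with a TACACS+/syslog host at 10.10.0.5 for management. The VPN part of the reply is not shown here.

```cisco
! Added example (not from the thread): 2621 with one 802.1Q subinterface
! per lab. Placeholder addressing throughout; labs 3 and 4 follow the
! same pattern as labs 1 and 2.
interface FastEthernet0/0
 description T1 side, public addresses (203.0.113.0/28 placeholder)
 ip address 203.0.113.2 255.255.255.240
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface FastEthernet0/1
 description 802.1Q trunk to the 2924
 no ip address
!
interface FastEthernet0/1.10
 description management: TACACS+ and syslog
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/1.11
 description lab 1
 encapsulation dot1Q 11
 ip address 10.1.11.1 255.255.255.0
 ip access-group LAB-11-IN in
 ip nat inside
!
interface FastEthernet0/1.12
 description lab 2
 encapsulation dot1Q 12
 ip address 10.1.12.1 255.255.255.0
 ip access-group LAB-12-IN in
 ip nat inside
!
! outbound: lab subnets leave through a small pool of public addresses
ip access-list standard NAT-SOURCES
 permit 10.1.0.0 0.0.255.255
ip nat pool LABPOOL 203.0.113.5 203.0.113.9 netmask 255.255.255.240
ip nat inside source list NAT-SOURCES pool LABPOOL overload
!
! inbound: one public address per lab, forwarding telnet only to that
! lab's access router, so 4 of the 16 public addresses are used
ip nat inside source static tcp 10.1.11.2 23 203.0.113.11 23
ip nat inside source static tcp 10.1.12.2 23 203.0.113.12 23
!
! the outside interface admits telnet to the access routers and replies
! to sessions the labs opened; everything else is dropped and logged
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.11 eq telnet
 permit tcp any host 203.0.113.12 eq telnet
 permit tcp any any established
 deny   ip any any log
!
! a lab may reach the TACACS+/syslog host and the Internet, but not the
! rest of the management subnet and never another lab
ip access-list extended LAB-11-IN
 permit tcp 10.1.11.0 0.0.0.255 host 10.10.0.5 eq tacacs
 permit udp 10.1.11.0 0.0.0.255 host 10.10.0.5 eq syslog
 deny   ip 10.1.11.0 0.0.0.255 10.10.0.0 0.0.0.255 log
 deny   ip 10.1.11.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 permit ip 10.1.11.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended LAB-12-IN
 permit tcp 10.1.12.0 0.0.0.255 host 10.10.0.5 eq tacacs
 permit udp 10.1.12.0 0.0.0.255 host 10.10.0.5 eq syslog
 deny   ip 10.1.12.0 0.0.0.255 10.10.0.0 0.0.0.255 log
 deny   ip 10.1.12.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 permit ip 10.1.12.0 0.0.0.255 any
 deny   ip any any log
```

On the 2924 the port facing the router is a trunk carrying VLANs 10-12 (and 13-14 for the other two labs), and each lab's five ports plus its access router sit in that lab's VLAN as access ports, so the only path between labs is through the router, where the LAB-xx-IN lists refuse it. The `established` entry is the old flag-based check; the IOS Firewall feature set the reply mentions can replace it with stateful inspection, and the `log` keywords feed the denials to the same syslog host the access routers report to.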
