Access/Terminal server SETUP of a network for labs via the internet.

Posted on 2002-06-17
Medium Priority
Last Modified: 2010-04-17
This question is related to the design and setup of an access server using terminal asynchronous connections.

Available hardware and layout consists of a Cisco 2621 router - 1 T1 CSU/DSU module with 2 Ethernet ports.  T1 out to the internet with 16 public IP addresses on Ethernet 0/0 and a private class B network implemented on Ethernet 0/1 using NAT to get out to the internet. Cisco 2924 switch currently configured with 2 VLANs, one connected to Ethernet 0/0 - public ports 1-16, and VLAN 2 connected to Ethernet 0/1, the private addresses.  This layout can be changed.

The goal is to have Cisco labs that can be accessed by our students via the internet.  What is the preferred method of design allowing students to access four different labs consisting of up to five devices in each lab?  Students must have access into only their own labs.

Thought of purchasing a NM-16A: Sixteen-port Asynchronous Network Module and using the Cisco 2621 as an access server where the students can open up a reverse telnet session with the appropriate lab.  Not sure how to implement the security here, and if implemented this way the students would have user access into the Cisco 2621 where we have security settings etc. set up - access lists and firewall.  The second option was to implement 2509 access routers per lab where the user would telnet directly into the access router using a public IP address and then open up an asynchronous terminal connection into the lab.

Your opinion on the design is greatly appreciated...
Question by: ecinelli

Expert Comment

ID: 7087775
Personally, I would put a Terminal server on the network and use the terminal web client, and when they log in over the internet you can have the desktop of the terminal server locked down except for that which you would like to have available to them, such as a telnet shortcut and such. This way you can log actions on the terminal server and it would only require one live IP address on the internet. Also, sessions can be encrypted using SSL. All internal equipment could have private addressing and you could put an advertisement banner of your company offerings as the desktop background on their terminal session. These other guys might have a better suggestion though.

Accepted Solution

scraig84 earned 1500 total points
ID: 7088971
It could certainly be done on a single router.  You could set up different access lists to each line, but that would be awfully messy with knowing the source addresses of your users etc.

I don't know how much "free rein" these users will be given on the lab equipment, but you could set up RADIUS or TACACS so that users can only log into the lab equipment they are allowed to touch.  This could let you focus less on the initial point of entry as the place to allow or deny access.  However, if they are allowed to wipe configs at will, then this won't work very well either.  Your best bet would probably be to go with a really cheap router per lab as the initial access point (such as the 2509 you mention) and you could base your access there.  I would still probably use RADIUS or TACACS so that you can manage usernames rather than access lists.
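
As an added illustration (not part of the original thread), a Cisco IOS configuration for one per-lab 2509 used the way the accepted answer describes: students telnet to the router's public address on TCP port 2000+line to reach a lab device console, usernames live on a TACACS+ server, and only the instructor network can open an exec shell on the access router itself. The public address 203.0.113.10, the TACACS+ server 10.1.1.5, the instructor subnet 10.1.1.0/24 and the secrets are assumed placeholder values.

```cisco
! Added example, not from the thread: per-lab 2509 access router.
! Placeholder values: 203.0.113.10 (public), 10.1.1.5 (TACACS+),
! 10.1.1.0/24 (instructor network), shared secret and password.
hostname lab1-access
!
! Usernames are managed on the AAA server; a local account is the fallback
! if the TACACS+ server is unreachable. Accounting records who opened what.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key REPLACE_WITH_SHARED_SECRET
username labadmin privilege 15 secret REPLACE_WITH_PASSWORD
!
! One public address per lab router keeps each lab separate; a student
! who can reach lab1-access cannot reach lab2's consoles through it.
interface Ethernet0
 ip address 203.0.113.10 255.255.255.240
!
! Friendly names for the consoles: "telnet lab1-r1" from the router
! maps to line 1, lab1-r2 to line 2, and so on (ports 2001-2008).
ip host lab1-r1 2001 203.0.113.10
ip host lab1-r2 2002 203.0.113.10
ip host lab1-sw1 2003 203.0.113.10
!
! Exec access to the access router itself is limited to the instructor
! network; denied attempts are logged.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 10 0
!
! Async lines 1-8 carry the reverse-telnet sessions to the lab consoles.
! "no exec" prevents a shell on this router being started from the serial
! side; with aaa new-model each reverse-telnet attempt still gets the
! TACACS+ login prompt. Idle sessions are dropped after 30 minutes.
line 1 8
 no exec
 transport input telnet
 session-timeout 30
```

Per-student restriction to specific lines is then done on the TACACS+ server by user rather than by source-address access lists on each line, which is the point scraig84 makes about managing usernames instead of access lists.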

Expert Comment

ID: 7104380
Hi ecinelli:
Have you considered a VPN solution? You could have your students utilize Cisco VPN Client software (i.e. version 3.52), configure your 2621 router to allow Remote-User VPN connections with a dynamic crypto map. It would be best to implement a Tacacs server to do AAA (Authentication, Authorization and Accounting) for the remote-users.

The IOS for the 2621 router should have 3DES VPN and Firewall capabilities. Cisco Secure ACS version 3.0, can run on either a UNIX or Windows platform and could give you the capability to control what access the Remote-Users have through the VPN.

By deploying different subnets and VLANs in the router and switch for your labs you could properly segment the LAN via different Ethernet subinterfaces under E0/0 and would not even need all your public IP addresses.

The router can of course be configured to still use the public IPs in a true NAT pool rather than using PAT. In addition, you can configure the E0/1 so that Internet access for internal sources is possible.

Hope this helps, Chriskohn
