
LAB MANUAL

COMPUTER
NETWORK SYSTEMS

Department of Information and Computer Science


College of Computer Science and Engineering
King Fahd University of Petroleum and Minerals
2005

TABLE OF CONTENTS

LAB 3
Remote Access System and VPN
3. Objectives
3.1 Installing and configuring RAS server
3.1.1 Installing RAS Server
3.1.2 Configuring a direct serial connection
3.1.3 Installing and Configuring RAS client
3.1.4 Dialup to the server
3.1.5 Testing the RAS Installation
3.2 Virtual Private Networks
3.3 Experimental Setup
3.3.1 Configuring VPN Server
3.3.2 Configuring VPN Client
3.4 Firewalls and VPN
3.4.1 Create a New Project
3.4.2 Create and Configure the Network
3.4.3 Configure the Nodes
3.4.4 Choose the Statistics
3.5 The Firewall Scenario
3.6 The Firewall VPN Scenario
3.6.1 Configuring the VPN
3.6.2 Run the Simulation
3.6.3 View Results
3.7 References

LAB 3
REMOTE ACCESS SYSTEM AND VPN
3. Objectives
Learn about Remote Access System
Configure RAS server and clients using Windows 2003
Learn about Virtual Private Networks
Configure VPN server and clients using Windows 2003
Configure a network which includes VPN with RAS
3.1 Installing and configuring RAS server

3.1.1 Installing RAS Server

1. Click Start → Administrative Tools → Routing and Remote Access.
2. Right-click on Server Status and select Add Server.
3. Select This Computer and click OK.

4. Select the name of the computer you are working on, which will appear under the Server
Status. Right-click and select Configure and enable Routing and Remote access.
5. Routing and Remote access server setup wizard will appear. Click Next.
6. Configuration window will appear. Select Remote Access [Dialup or VPN]. Click
Next.
7. Select Dialup. Click Next.

8. Select any network card in Network Selection. Click Next. IP address assignment
window will appear.
9. Select From a specified range of addresses. Click Next.
10. Address range assignment window will appear. Click New.

11. Provide the address range as instructed by the instructor. Make sure this IP range doesn't
include the already assigned IP addresses of our lab, like 192.168.243.1 to 192.168.243.10.

12. Click OK. Click Next.


13. Managing multiple remote access servers window will appear. Click No, use routing
and remote access to authenticate connection requests.
14. Click Next. Click Finish.

15. Click OK.

3.1.2 Configuring a direct serial connection

Open Control Panel.

Double-click Phone and Modem Options, click the Modems tab, and then click New.

In the Install New Modem wizard, select the Don't detect my modem; I will select it
from a list check box, and then click Next.

In Manufacturer, click Standard Modem Types.

In Models, click Communications cable between two computers, and then click Next.


Follow the remaining instructions in the Install New Modem wizard.

3.1.3 Installing and Configuring RAS client

1. Click Start → Control Panel → Network Connections → New Connection Wizard.


2. Click Next.
3. Network Connection Type window appears.
4. Click on Set up an advanced connection. Click Next.
5. Advanced connection options window will appear. Select Connect directly to another
computer. Click Next.

6. Select Guest [which indicates client]. Click Next.


7. Connection Name window appears. Type the server computer name in the computer
name text box. Click Next.

8. Select a device window appears. Select Communication cable between two
computers [COM1]. Click Next.
9. Connection availability window appears. Select Anyone's use. Click Next.

10. Click Finish.


3.1.4 Dialup to the server

1. The server and the client should be connected through the COM1 port. This connection is
made using a roll-over cable with a DB9-to-RJ45 converter.
2. Click Start → Control Panel → Network Connections.
3. An option appears in the name of the dialup server. Click this option.
4. Connect window appears. Enter the username and password for the server PC.

5. Click Connect.
6. You are now connected to the server.

3.1.5 Testing the RAS Installation

1. After the client is connected to the server, the following entry appears in the server.

2. Type the ipconfig /all command on both the RAS server and the RAS client to find
out:
   At the Server:
   1. From where does the PPP adapter get its own IP address?
   2. Why is it that the subnet mask of the PPP is 255.255.255.255?
   At the Client:
   IP address is assigned by the RAS server to the RAS client.
   Why is the subnet mask 255.255.255.255?
   Why are the default gateway and the IP address the same?
3. Ping from any network computer to the RAS client using:
   Its static IP address.
   The IP address assigned to it by the RAS server.
   Its host name.
4. What responses do you obtain in each case?
5. From a RAS client, use Internet Explorer to view the default Web page on a Web
server in the network.
6. What do you notice concerning the downloading speed between the networked Web
server and the RAS client?
7. From any computer on the network, use Internet Explorer to access the Web site of a
RAS client.
8. What RAS client address did you use? And what do you notice concerning the
downloading speed between the RAS client and the networked client?
   Hint: http://static_IP_address
         http://hostname
         http://RAS_client_IP_address
9. If two or more RAS clients are available during this lab experiment, use Internet
Explorer on one of the RAS clients to access the Web server on another RAS client.
10. What do you notice concerning the downloading speed between the two RAS clients?

3.2 Virtual Private Networks

A VPN utilizes public telecommunications networks to conduct private data
communications. Most VPN implementations use the Internet as the public infrastructure and
a variety of specialized protocols to support private communications through the Internet.
VPN follows a client and server approach. VPN clients authenticate users, encrypt data, and
otherwise manage sessions with VPN servers utilizing a technique called tunneling.
VPN clients and VPN servers are typically used in these three scenarios:
1. Remote access client connections: to support remote access to an intranet,
2. LAN-to-LAN internetworking: to support connections between multiple intranets
within the same organization, and
3. Controlled access within an intranet: to join networks between two organizations,
forming an extranet.
The main benefit of a VPN is the lower cost needed to support this technology
compared to alternatives like traditional leased lines or remote access servers. VPN servers can
also connect directly to other VPN servers. A VPN server-to-server connection extends the
intranet or extranet to span multiple networks.

3.3 Experimental Setup

In this experiment, we are going to set up a network using three PCs. One PC (PC1) is
a RAS client, which dials to the RAS server (PC2). PC1 and PC2 are connected only using
COM1. PC3 is a VPN server that is connected to PC2 through the switch. The
remote node (RAS client) wanting to log into the VPN site calls into a local RAS server
connected to the public network. The VPN client establishes a connection to the VPN server
maintained at the other site. Once the connection has been established, the remote client can
communicate with the VPN site network just as securely over the public network as if it
resided on the internal LAN itself.

Note: For setting up RAS client and server, see the first part of the lab.
3.3.1 Configuring VPN Server

In Windows 2003, this can be set up from the RRAS (Routing and Remote Access
Server) Administrative Tool.

1. Click Start → Administrative Tools → Routing and Remote Access.
2. Right-click on Server Status and select Add Server.
3. Select This Computer and click OK.

4. Select the name of the computer you are working on, which will appear under the
Server Status. Right-click and select Configure and enable Routing and Remote
access.
5. Routing and Remote access server setup wizard will appear. Click Next.
6. Configuration window will appear. Select Remote Access [VPN]. Click Next.
7. Select Dialup. Click Next.

8. Select any network card in Network Selection. Click Next. IP address assignment
window will appear.
9. Select From a specified range of addresses. Click Next.
10. Address range assignment window will appear. Click New.

11. Provide the address range as instructed by the instructor. Make sure this IP range
doesn't include the already assigned IP addresses of our lab, like 192.168.243.1 to
192.168.243.10.
12. Click OK. Click Next.
13. Managing multiple remote access servers window will appear. Click No, use routing
and remote access to authenticate connection requests.
14. Click Next. Click Finish.

15. Click OK.


16. The output of the ipconfig command should appear like the following.

17. Is it necessary to have more than one network card for VPN server? Justify.
18. If VPN server has two network cards, is it necessary that they both should belong to
different networks? Justify.
3.3.2 Configuring VPN Client

1. Right-click the My Network Places icon and select Properties. This will bring you to the
Network Connections window that displays a list of your current network connections.

2. Double-click the New Connection Wizard icon. You are faced with three options; choose
the second one, "Connect to the network at my workplace", and click Next.
Now choose the second option, "Virtual Private Network connection", and click Next.

3. Enter the name of the company or server you will be connecting to. Click Next.
4. Enter the host name or IP address of the VPN server. Hint: Entering the IP address is
recommended.

5. The "Connection Availability" window appears. "Anyone's use" will permit anyone who logs
onto the system to use the connection, whereas "My use only" will limit its use to you
only. Choose My use only.

6. Click Next and Finish. Your new connection will be visible in the Network Connections
window.
7. Right-click the new connection and select Properties to open the properties window.
Here, you can configure, amongst others, the network settings and general options.
8. Select the Networking tab and in the "Type of VPN" drop down list, choose PPTP
VPN [Optional].
9. In the Options tab, you are able to configure dialing and redialing options on this page.

10. If you are using the same logon at your company network as you are for the VPN
server, then select the "Include Windows logon domain" check box.
11. Go to the security tab and verify that the screen looks like the one below.
12. If you select the General tab you can change the IP or Host Name of the VPN server
and select whether or not you want another connection to be established first before
initiating the VPN connection. For our experiment, we need to enable the Dial another
connection first option with the dial-up connection we have set up towards the RAS
server [Refer RAS experiment].

13. Press OK to close the window and return to the network connections window. If you
double click your VPN connection the logon window will appear.

14. Enter your username and password and click Connect. After the authentication process
is complete, you will be logged on to the VPN Server and two computers will appear at
the bottom right hand corner of your screen (default).

15. The output of the ipconfig command should appear like the following.

Why do we have two PPP adapters here?

Write about the route taken by the packet to go from the VPN client to the VPN
server.

3.4 Firewalls and VPN

In this lab you will set up a network where servers are accessed over the Internet by
customers who have different privileges. You will study how firewalls and VPNs can provide
security to the information in the servers while maintaining access for customers with the
appropriate privilege.
3.4.1 Create a New Project

Start OPNET IT Guru Academic Edition → Choose New from the File menu.

Select Project and click OK → Name the project <your initials>_VPN, and the
scenario NoFirewall → Click OK.

Click Quit on the Startup Wizard.

To remove the world background map, select the View menu → Background → Set
Border Map → Select NONE from the drop-down menu → Click OK.

3.4.2 Create and Configure the Network

Initialize the Network

6. Open the Object Palette dialog box by clicking its icon. Make sure that the internet_toolbox
item is selected from the pull-down menu on the object palette.

7. Add the following objects, from the palette, to the project workspace (see figure below for
placement): Application Config, Profile Config, an ip32_cloud, one ppp_server, three
ethernet4_slip8_gtwy routers, and two ppp_wkstn hosts.
a. To add an object from a palette, click its icon in the object palette → Move your
mouse to the workspace and click where you want to place the object → Right-click
to indicate you are done creating objects of this type.
b. Note: The ppp_server and ppp_wkstn support one underlying SLIP (Serial Line
Internet Protocol) connection at a selectable data rate. PPP DS1 connects two nodes
running IP. Its data rate is 1.544 Mbps.

8. Rename the objects you added and connect them using PPP_DS1 links, as shown below:
9. Save your project.
3.4.3 Configure the Nodes

Right-click on the Applications node → Edit Attributes → Assign Default to the
Application Definitions attribute → Click OK.

Note: Several example application configurations are available under the Default
setting. For example, "Web Browsing (Heavy HTTP1.1)" indicates a Web browsing
application performing heavy browsing using HTTP 1.1 protocol.

Right-click on the Profiles node → Edit Attributes → Assign Sample Profiles to the
Profile Configuration attribute → Click OK.

Right-click on the Server node → Edit Attributes → Assign All to the Application:
Supported Services attribute → Click OK.

Right-click on the Sales A node → Select Similar Nodes (make sure that both Sales
A and Sales B are selected).

Right-click on the Sales A node → Edit Attributes → Check the Apply Changes to
Selected Objects check-box.

Expand the Application: Supported Profiles attribute → Set rows to 1 → Expand
the row 0 hierarchy → Profile Name = Sales Person (this is one of the sample
profiles we configured in the Profiles node).

Click OK.

Save your project.

3.4.4 Choose the Statistics

Right-click anywhere in the project workspace and select Choose Individual Statistics
from the pop-up menu.

In the Choose Results dialog, check the following statistics:
Global Statistics → DB Query → Response Time (sec).
Global Statistics → HTTP → Page Response Time (seconds).
Note: DB Query Response Time is measured from the time when the database query
application sends a request to the server to the time it receives a response packet.
HTTP Page Response Time specifies the time required to retrieve the entire page
with all the contained inline objects.
Click OK.

Right-click on the Sales A node and select Choose Individual Statistics from the pop-up
menu.
In the Choose Results dialog, check the following statistics:
Client DB → Traffic Received (bytes/sec).
Client Http → Traffic Received (bytes/sec).
Click OK.

Right-click on the Sales B node and select Choose Individual Statistics from the pop-up
menu.
In the Choose Results dialog, check the following statistics:
Client DB → Traffic Received (bytes/sec).
Client Http → Traffic Received (bytes/sec).
Click OK and then save your project.

3.5 The Firewall Scenario

In the network we just created, the Sales Person profile allows both sales sites to
access applications such as Database Access, Email, and Web Browsing from the server (check
the Profile Configuration of the Profiles node). Assume that we need to protect the database
in the server from external access, including the sales people. One way to do that is to replace
Router C with a firewall as follows:
1. Select Duplicate Scenario from the Scenarios menu and name it Firewall → Click OK.
2. In the new scenario, right-click on Router C → Edit Attributes.
3. Assign ethernet2_slip8_firewall to the model attribute.
4. Expand the hierarchy of the Proxy Server Information attribute → Expand the row 1,
which is for the Database application, hierarchy → Assign No to the Proxy Server
Deployed attribute as shown:
Note: Proxy Server Information is a table defining the configuration of the proxy servers
on the firewall. Each row indicates whether a proxy server exists for a certain application
and the amount of additional delay that will be introduced to each forwarded packet of that
application by the proxy server.

5. Click OK and then save your project.


Our Firewall configuration does not allow database-related traffic to pass through the firewall
(it filters such packets out). This way, the databases in the server are protected from external
access. Your Firewall scenario should look like the following figure.

3.6 The Firewall VPN Scenario

In the Firewall scenario, we protected the databases in the server from any external
access using a firewall router. Assume that we want to allow the people in the Sales A site to
have access to the databases in the server. Since the firewall filters all database-related traffic
regardless of the source of the traffic, we need to consider the VPN solution. A virtual tunnel
can be used by Sales A to send database requests to the server. The firewall will not filter the
traffic created by Sales A because the IP packets in the tunnel will be encapsulated inside an IP
datagram.
While you are in the Firewall scenario, select Duplicate Scenario from the Scenarios
menu and give it the name Firewall_VPN → Click OK.
Remove the link between Router C and the Server.
Open the Object Palette dialog box by clicking its icon. Make sure that the opened palette is the
one called internet_toolbox.


Add to the project workspace one ethernet4_slip8_gtwy and one IP VPN Config
(see the figure below for placement).
From the Object Palette, use two PPP_DS1 links to connect the new router to
Router C (the firewall) and to the Server, as shown below.
Close the Object Palette dialog box.
Rename the IP VPN Config object to VPN.
Rename the new router to Router D as shown:

3.6.1 Configuring the VPN

Right-click on the VPN node → Edit Attributes.

Expand the VPN Configuration hierarchy → Set rows to 1 → Expand row 0 hierarchy →
Edit the value of Tunnel Source Name and write down Router A → Edit the value of
Tunnel Destination Name and write down Router D.
Expand the Remote Client List hierarchy → Set rows to 1 → Expand row 0 hierarchy →
Edit the value of Client Node Name and write down Sales A.
Click OK and then save your project.
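
The effect of this configuration on the firewall can be traced packet by packet. The following Python model is an added example, not part of the lab manual or of OPNET: it builds real IPv4/TCP headers, applies a filter that drops Database traffic, and wraps packets from the Remote Client List in a tunnel between Router A and Router D. The addresses, the ports, and the use of IP-in-IP (IP protocol 4) as the tunnel type are assumptions made for the illustration.

```python
import ipaddress
import struct

PROTO_IPIP, PROTO_TCP = 4, 6   # assumed tunnel type: IP-in-IP (IP protocol 4)
DB_PORT, HTTP_PORT = 1521, 80  # constructed ports for the Database and Web applications

# Constructed addresses; the manual assigns none to these nodes.
ADDR = {"Sales A": "10.1.0.2", "Sales B": "10.2.0.2", "Server": "10.9.0.2",
        "Router A": "10.1.0.1", "Router D": "10.9.0.1"}

# Mirrors the VPN Configuration and Remote Client List rows set in 3.6.1.
VPN = {"source": "Router A", "destination": "Router D", "clients": ["Sales A"]}

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header: ports, zero seq/ack, data offset 5, SYN."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def parse(pkt):
    """Return (src, dst, proto, payload) for the outermost IPv4 header only."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])

def firewall_allows(pkt):
    """Router C as modelled here: drop Database traffic it can see, pass the rest."""
    _, _, proto, payload = parse(pkt)
    if proto == PROTO_TCP:
        return struct.unpack("!H", payload[2:4])[0] != DB_PORT
    return True  # outer protocol is not TCP, so there is no port to match

def tunnel_source_forward(pkt):
    """Router A: encapsulate packets from listed clients, pass others unchanged."""
    src, *_ = parse(pkt)
    if src in (ADDR[c] for c in VPN["clients"]):
        return ipv4(ADDR[VPN["source"]], ADDR[VPN["destination"]], PROTO_IPIP, pkt)
    return pkt

def tunnel_destination_forward(pkt):
    """Router D: strip the outer header from packets addressed to the tunnel end."""
    _, dst, proto, payload = parse(pkt)
    if proto == PROTO_IPIP and dst == ADDR[VPN["destination"]]:
        return payload
    return pkt

def delivered(client, dport, scenario):
    """Trace one request through NoFirewall, Firewall or Firewall_VPN.
    Simplification: every client's packet is offered to the tunnel source."""
    pkt = ipv4(ADDR[client], ADDR["Server"], PROTO_TCP, tcp(40000, dport))
    vpn = scenario == "Firewall_VPN"
    if vpn:
        pkt = tunnel_source_forward(pkt)
    if scenario != "NoFirewall" and not firewall_allows(pkt):
        return False
    if vpn:
        pkt = tunnel_destination_forward(pkt)
    _, dst, _, payload = parse(pkt)
    return dst == ADDR["Server"] and struct.unpack("!H", payload[2:4])[0] == dport

if __name__ == "__main__":
    for scenario in ("NoFirewall", "Firewall", "Firewall_VPN"):
        for client in ("Sales A", "Sales B"):
            print(scenario, client, "DB:", delivered(client, DB_PORT, scenario),
                  "HTTP:", delivered(client, HTTP_PORT, scenario))
```

Because the filter in this model matches only the outer header, membership in the Remote Client List is what decides who reaches the database in the Firewall_VPN scenario.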

3.6.2 Run the Simulation

To run the simulation for the three scenarios simultaneously:

Go to the Scenarios menu → Select Manage Scenarios.

Change the values under the Results column to <collect> (or <recollect>) for the three
scenarios. Keep the default value of the Sim Duration (1 hour). Compare to the following
figure.

Click OK to run the three simulations. Depending on the speed of your processor, this may
take several minutes to complete.
After the three simulation runs complete, one for each scenario, click Close → Save your
project.

3.6.3 View Results

To view and analyze the results:

Select Compare Results from the Results menu.

Expand the Sales A hierarchy → Expand the Client DB hierarchy → Select the Traffic
Received statistic.
Change the drop-down menu in the middle-lower part of the Compare Results dialog box
from As Is to time_average as shown.

Press Show and the resulting graph should resemble the following one:

Create a graph similar to the previous one, but for Sales B:

Create two graphs similar to the previous ones to depict the Traffic Received by the Client
Http for Sales A and Sales B.

Note: Results may vary slightly due to different node placement.


Questions
1. From the obtained graphs, explain the effect of the firewall, as well as the configured VPN, on
the database traffic requested by Sales A and Sales B.
2. Compare the graphs that show the received HTTP traffic with those that show the received
database traffic.
3. Generate and analyze the graph(s) that show the effect of the firewall, as well as the configured
VPN, on the response time (delay) of the HTTP pages and database queries.
4. In the Firewall_VPN scenario we configured the VPN node so that no traffic from Sales A is
blocked by the firewall. Create a duplicate of the Firewall_VPN scenario and name the new
scenario Q4_DB_Web. In the Q4_DB_Web scenario we want to configure the network so
that:
a. The databases in the server can be accessed only by the people in the Sales A site.
b. The web sites in the server can be accessed only by the people in the Sales B site.

3.7 References

Errors with modem
http://www.modemhelp.net/dunerror/error_777.shtml
VPN
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
http://www.windowsnetworking.com/articles_tutorials/Client_Based_VPN_via_PPTP.html
GRE & PPTP
http://www.networksorcery.com/enp/protocol/gre.htm
