dxbdxb2009

asked on

Replacing Cisco 1603 with 1841 router.

Hi EEs,

Greetings,

I have one Cisco 1603 router which has one 10BaseT and one serial interface, for my leased line connection.
Since my ISP is laying down a fiber network, they placed a Huawei box in which 100BaseT port no. 1 will be used for WAN access.
(Please refer to my previous question for more info.)

I need to replace my 1603 router with a new 1841 router (2 Ethernet ports), because the 1603 does not have an Ethernet port.
I am using a PIX firewall with this router.
I am attaching the "sh run" of both my current 1603 configuration and the PIX firewall here.

Now kindly advise what would be the correct configuration for my new 1841 router, which should work as well as the 1603 after replacement.

Many thanks in advance..
Building configuration...

Current configuration : 1698 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MYROUTER-1603
!
enable secret 5 $1$qEXj$g8WeN.qS4OmG/W5yxkyLu1
enable password 7 03175E08140A350C5E061D04131F0202
!
ip subnet-zero
ip domain-name MYROUTER.CO.COM
ip name-server XX.XX.20.20
ip name-server XX.XX.241.222
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
 ip address XX.XX.43.41 255.255.255.248
 ip policy route-map abc
!
interface Serial0
 ip address XX.XX.36.26 255.255.255.252
!
interface BRI0
 no ip address
 encapsulation hdlc
 no keepalive
 shutdown
 isdn switch-type basic-net3
 no fair-queue
!
ip classless
ip default-network XX.XX.36.0
ip route 0.0.0.0 0.0.0.0 Serial0
ip route XX.XX.36.0 255.255.255.0 XX.XX.36.25
ip route XX.XX.43.42 255.255.255.255 XX.XX.43.43
ip route XX.XX.43.45 255.255.255.255 XX.XX.43.43
ip route XX.XX.43.46 255.255.255.255 XX.XX.43.43
ip http server
!
access-list 101 permit ip any any
access-list 110 permit udp any any eq domain
access-list 110 permit tcp host XX.XX.43.45 any eq www
access-list 110 permit tcp host XX.XX.43.45 any eq 8080
access-list 110 permit udp host XX.XX.43.45 any eq domain
access-list 110 permit tcp host XX.XX.43.45 any eq ftp-data
access-list 110 permit tcp host XX.XX.43.45 any eq ftp
access-list 160 permit ip any any
access-list 160 permit ip host XX.XX.43.42 any
access-list 160 permit ip host XX.XX.43.46 any

route-map abc permit 10
 match ip address 110
 set ip default next-hop XX.XX.43.44
!
route-map abc permit 30
 match ip address 160
 set default interface Serial0
!
!
line con 0
 password 7 00141C02055F060F01
 login
line vty 0 4
 password 7 131518160A08092325
 login
!
end
command completed.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TGDxcJFs/Ioafayp encrypted
passwd TGDxcJFs/Ioafayp encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol http 8080
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit tcp any host xx.xx..43.42 eq www
access-list 110 permit tcp any host xx.xx..43.42 eq smtp
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq ftp
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq ftp-data
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq 8080
access-list 120 permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list 120 permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list 120 permit udp host 192.168.100.11 any eq domain
access-list 120 permit tcp host 192.168.100.16 any eq smtp
access-list 120 permit tcp host 192.168.100.11 any eq smtp
access-list 120 permit udp 192.168.100.0 255.255.255.0 any eq domain
access-list 120 permit tcp 192.168.100.0 255.255.255.0 host xx.xx.43.41 eq telnet
access-list 120 permit tcp 192.168.100.0 255.255.255.0 host xx.xx.43.44 eq telnet
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq 5050
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq 1863
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq pop3
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq smtp
access-list 120 permit tcp host 192.168.100.70 any eq smtp
access-list 120 permit tcp host 192.168.100.70 any eq pop3
access-list 120 permit tcp host 192.168.100.70 any eq 465
access-list 120 permit tcp host 192.168.100.70 any eq 995
access-list 120 permit ip host 192.168.100.170 host xx.xx.103.13
access-list 120 permit ip host 192.168.100.170 host xx.xx.103.30
access-list 120 permit tcp 192.168.1.0 255.255.255.0 any eq 8080
access-list 120 permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list 120 permit ip host 192.168.100.99 host xx.xx.149.185
access-list 120 permit ip host 192.168.100.100 host xx.xx.149.185
access-list 120 permit tcp host 192.168.1.87 any eq www
access-list 120 permit tcp host 192.168.1.87 any eq 8080
access-list 120 permit tcp host 192.168.100.59 any eq 3389
access-list 120 permit tcp 192.168.100.0 255.255.255.0 any eq 27705
access-list webfilter deny tcp host 192.168.100.173 any eq 8080
access-list webfilter deny tcp host 192.168.100.173 any eq www
access-list webfilter deny tcp host 192.168.100.172 any eq www
access-list webfilter deny tcp host 192.168.100.172 any eq 8080
access-list webfilter deny tcp host 192.168.100.171 any eq 8080
access-list webfilter deny tcp host 192.168.100.171 any eq www
access-list webfilter deny tcp host 192.168.100.170 any eq www
access-list webfilter deny tcp host 192.168.100.170 any eq 8080
access-list webfilter deny tcp host 192.168.100.80 any eq www
access-list webfilter deny tcp host 192.168.100.80 any eq 8080
access-list webfilter deny tcp host 192.168.100.198 any eq www
access-list webfilter deny tcp host 192.168.100.16 any eq 8080
access-list webfilter deny tcp host 192.168.100.16 any eq www
access-list webfilter deny tcp host 192.168.100.14 any eq www
access-list webfilter deny tcp host 192.168.100.14 any eq 8080
access-list webfilter deny tcp host 192.168.100.198 any eq 8080
access-list webfilter deny tcp host 192.168.100.3 any eq 8080
access-list webfilter deny tcp host 192.168.100.3 any eq www
access-list webfilter deny tcp host 192.168.100.137 any eq www
access-list webfilter deny tcp host 192.168.100.137 any eq 8080
access-list webfilter deny tcp host 192.168.100.210 any eq 8080
access-list webfilter deny tcp host 192.168.100.210 any eq www
access-list webfilter permit tcp 192.168.100.0 255.255.255.0 any eq 8080
access-list webfilter permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list webfilter permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list webfilter permit tcp 192.168.1.0 255.255.255.0 any eq 8080
pager lines 24
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.43.43 255.255.255.248
ip address inside 192.168.100.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.43.45
global (outside) 2 xx.xx.43.42
nat (inside) 2 192.168.100.16 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp xx.xx.43.42 smtp 192.168.100.16 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.43.42 www 192.168.100.14 www netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.43.46 192.168.100.80 netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-group 120 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.43.41 1
route inside 192.168.1.0 255.255.255.0 192.168.100.110 1
route inside xx.xx.43.45 255.255.255.255 192.168.100.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication match webfilter inside LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username user1 password d6UoQV9cVjC6Ew.l encrypted privilege 2
username user2 password CjFGMLiW7rJhEPED encrypted privilege 2
username webuser1 password G02aixF21Jt2mDwh encrypted privilege 2
username user101 password 4qLIDg89DSmXpHW. encrypted privilege 2
username user102 password Iur/y9WBlk/35BZ3 encrypted privilege 2
username user05 password MFVBN7APfBUc2GEw encrypted privilege 2
username user06 password WxdCUCSwox/ll2Y9 encrypted privilege 2
terminal width 80
Cryptochecksum:244d1c58d74b58153a266abbc808a9c8
: end
pixfirewall#


Ernie Beek

Do you really need the router? I would think you can connect the pix directly to the huawei.
dxbdxb2009

ASKER

Thanks erniebeek for your reply.
How is it possible without a router?
Anyway... I need the router as well.
Please advise the appropriate configs as per the attached code..
Awaiting your valuable reply,
many thanks in advance...
Ah It's you :)
Thought it was somebody else.

Yeah, knowing about your previous setup you might need the router.

First I would like to know a bit more about the Huawei. Did you get any info from your ISP regarding IP ranges, gateways, etc?
We need to keep the same IP, gateway, etc... whatever the current (1603) has..
About encapsulation, the ISP says no encapsulation is required for Ethernet... this is all I got from the ISP..
Please use the same IP addresses (used in the 1603) for configuring the new (1841) one.
Hope to get a favorable and quick reply soon.
erniebeek: if you are really too busy to reply... please let me know so I can stop waiting and find some other way to get it done...
Please reply to clarify..
Thanks in advance.
Anyone, please help and reply to me...

---------------------------------------------------------

Admin: Kindly advise why I am not able to get an answer to my question.... Do I need to change the zone... of what? Please help.

Thanks ..
Any updates please?
I was indeed a bit busy, should have let you know. Sorry about that.

I'll have a look shortly and post back.
Thanks for your reply...
Awaiting your valuable reply...........
Ok, let's try this for starters:


service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MYROUTER-1841
!
ip subnet-zero
ip domain-name MYROUTER1841.CO.COM
ip name-server XX.XX.20.20
ip name-server XX.XX.241.222
!
interface FastEthernet0/0
 ip address XX.XX.36.26 255.255.255.252
!

interface FastEthernet0/1
 ip address XX.XX.43.41 255.255.255.248
 ip policy route-map abc
!
ip classless
ip default-network XX.XX.36.0
ip route 0.0.0.0 0.0.0.0 interface XX.XX.36.25
ip route XX.XX.43.42 255.255.255.255 XX.XX.43.43
ip route XX.XX.43.45 255.255.255.255 XX.XX.43.43
ip route XX.XX.43.46 255.255.255.255 XX.XX.43.43
ip http server
!
access-list 101 permit ip any any
access-list 110 permit udp any any eq domain
access-list 110 permit tcp host XX.XX.43.45 any eq www
access-list 110 permit tcp host XX.XX.43.45 any eq 8080
access-list 110 permit udp host XX.XX.43.45 any eq domain
access-list 110 permit tcp host XX.XX.43.45 any eq ftp-data
access-list 110 permit tcp host XX.XX.43.45 any eq ftp
access-list 160 permit ip any any
access-list 160 permit ip host XX.XX.43.42 any
access-list 160 permit ip host XX.XX.43.46 any

route-map abc permit 10
 match ip address 110
 set ip default next-hop XX.XX.43.44
!
route-map abc permit 30
 match ip address 160
 set default interface Serial0


That should get you going. Replace the XX's with the correct numbers of course :)
Thanks once again for your reply and help.
Here on the 1841 these two commands were not working:
>ip route 0.0.0.0 0.0.0.0 interface XX.XX.36.25
So instead of "interface" it is asking for a FastEthernet number... so I put this command like this:
>ip route 0.0.0.0 0.0.0.0 fastethernet0/0

And for >set default interface Serial0, in place of Serial0 I put FastEthernet0/0.

Kindly advise whether these are correct or not.

Second: please help me, how can I close all unused open incoming ports at the router, and how can I write an ACL for allowing outside telnet into this router?

This is not urgent... but try to reply by tomorrow...

Thanks once again..
Serial0 has been replaced by FastEthernet0/0 so that is correct.
I would advise though to use ip route 0.0.0.0 0.0.0.0 XX.XX.36.25 instead of ip route 0.0.0.0 0.0.0.0 fastethernet0/0. The 'interface' part was a typo.
Okay.. done as advised... put the gateway IP in place of fastethernet0/0.
Now: can you please tell me how (and which ones) to close all unused open incoming ports at the router, and how can I write an ACL for allowing outside telnet into this router?
Please advise...
Why would you want to close them on the router? That's what your firewall is for. If you start blocking ports on two devices you might lose track of what is configured on which device. So I don't think that's a wise thing to do.
Enable SSH on the router and that should be OK. I see that most of the threads have already been disabled, looking at the config above.

1841(config)#enable secret <your secret pass>
1841(config)#username <admin name> privilege 15 password <your password>
1841(config)#crypto key zeroize rsa      --------(removes previous RSA keys)
1841(config)#crypto key generate rsa general-keys modulus 1024   -----configures SSH

1841(config)#line vty 0 15
1841(config-line)#transport input none
1841(config-line)#transport input ssh
1841(config-line)#password <your password>
1841(config-line)#login local

Make sure you do not log out of the router. Stay at this prompt and log back into the router with the command:
ssh <ip address>

Once you can log in via SSH, save your config. Otherwise, reload the router or issue the command:

crypto key zeroize rsa      --------(removes previous RSA keys)

Once you put in the "login local" command, you will have to log into the router with a username and password. Telnet will not work any more.
This will make your router very secure.
erniebeek: sorry for replying to you late. I thought it would be nice to block all incoming unused ports/packets at the gateway level.. anyway... I do agree with you.. tomorrow I am going to configure as per your advice.. but kindly advise about the telnet configs from outside...
--------------------------------------------------------------------------------------------
yawbe: I have an IOS: 1841-ipbase-mz.150-1.M4.bin and as per experts and my search on cisco.com I need some "K9" feature for SSH and VPN etc... please confirm whether I can do SSH without the "1841-ipbase-mz.150-1.M4.bin" IOS image.
Anyway I will configure and create the user with level 15..
I will only be able to put in these configs tomorrow..
Please advise and confirm about SSH...
Many thanks in advance...
For telnet, create a user:

Router(config)# username <username> privilege 15 password 0 <password>

And the vty lines:

line vty 0 4
 privilege level 15
 login local
 transport input telnet
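As an added example (not from this thread and not Cisco's code), here is a small Python audit that checks an IOS-style configuration for the points raised in the SSH and telnet posts above: vty lines whose effective transport is SSH only, 'login local' backed by a local username, an 'enable secret' rather than the reversible type-7 'enable password', and the AUX line. It also checks for an inbound 'access-class' on the vty lines, which is how the management ACL the asker keeps asking about is normally attached; that command is not shown anywhere in the thread. The two sample configs are constructed for the example, with placeholder hashes and the 192.0.2.0/24 documentation range standing in for real addresses; the function names are my own.

```python
"""Audit an IOS-style config for the remote-access hardening points discussed
in the thread. Added example: not the thread's code, not Cisco's."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def parse_ios_config(text: str) -> Dict[str, List[str]]:
    """Group indented sub-mode commands under the top-level line that owns them.
    IOS indents sub-mode lines by one space; '!' lines are separators."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_remote_access(config_text: str) -> List[Finding]:
    """Return (severity, message) findings; an empty list means every check passed."""
    cfg = parse_ios_config(config_text)
    top = list(cfg)
    findings: List[Finding] = []

    # 'enable secret' is stored hashed; 'enable password 7' is reversible obfuscation.
    if not any(t.startswith("enable secret ") for t in top):
        findings.append(("high", "no 'enable secret' configured"))
    if any(t.startswith("enable password ") for t in top):
        findings.append(("medium", "'enable password' present; remove it and rely on 'enable secret'"))
    # 'crypto key generate rsa' refuses to run without a hostname and domain name.
    if not any(t.startswith("ip domain-name ") for t in top):
        findings.append(("medium", "no 'ip domain-name'; RSA key generation for SSH will fail"))

    have_users = any(t.startswith("username ") for t in top)
    vty_sections = [(p, c) for p, c in cfg.items() if p.startswith("line vty")]
    if not vty_sections:
        findings.append(("medium", "no 'line vty' section found"))
    for parent, children in vty_sections:
        # IOS applies 'transport input' lines in order, so the last one is the effective one.
        transports = [c for c in children if c.startswith("transport input")]
        effective = transports[-1] if transports else "transport input (default)"
        if effective != "transport input ssh":
            findings.append(("high", f"{parent}: effective '{effective}', expected 'transport input ssh'"))
        if "login local" not in children:
            findings.append(("high", f"{parent}: missing 'login local'"))
        elif not have_users:
            findings.append(("high", f"{parent}: 'login local' with no 'username' line would lock you out"))
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(("low", f"{parent}: no inbound 'access-class' limiting management sources"))

    for parent, children in cfg.items():
        if parent.startswith("line aux") and "transport input none" not in children:
            findings.append(("medium", f"{parent}: consider 'transport input none' if the AUX port is unused"))
    if "ip http server" in top:
        findings.append(("low", "'ip http server' enabled; 'no ip http server' if web management is unused"))
    return findings


def is_hardened(config_text: str) -> bool:
    """True when no high-severity finding remains."""
    return not any(sev == "high" for sev, _ in audit_remote_access(config_text))


# Constructed sample: telnet with a line password, no local users, a type-7 enable password.
BEFORE_CONFIG = """\
hostname EXAMPLE-1841
!
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASHPLACEH
enable password 7 0011223344556677
!
ip domain-name example.invalid
ip http server
!
line aux 0
 login
line vty 0 4
 password 7 0011223344
 login
 transport input telnet
"""

# Constructed sample after the SSH steps, plus a management ACL (192.0.2.10 = admin host placeholder).
HARDENED_CONFIG = """\
hostname EXAMPLE-1841
!
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASHPLACEH
!
ip domain-name example.invalid
no ip http server
!
username admin privilege 15 password 7 0011223344556677
access-list 10 permit host 192.0.2.10
!
line aux 0
 transport input none
line vty 0 4
 access-class 10 in
 login local
 transport input none
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", HARDENED_CONFIG)):
        print(f"{label}: hardened={is_hardened(cfg)}")
        for sev, msg in audit_remote_access(cfg):
            print(f"  [{sev}] {msg}")
```

Run it against the output of "show running-config" saved to a file; the "before" sample reproduces the interim telnet setup from the posts above and yields two high findings (telnet transport, no 'login local'), while the hardened sample yields none. The last-wins rule for 'transport input' mirrors why Ernie's sequence of 'transport input none' followed by 'transport input ssh' ends up SSH-only.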

Thanks for your reply....
Will add these configs tomorrow and will update you...
Kindly be with me...
Thanks once again..
I will be busy tomorrow so don't expect very fast replies ;)
Thanks for your reply,
As per your advice I have entered the commands to enable telnet, and now the router is ready for the upgrade... thus I have requested my ISP to get ready for this upgrade from their end... maybe tomorrow or the day after tomorrow we will do the upgrade.

One more confusion here:
Why are we not using the below commands in the 1841:
* ip subnet-zero
* no fair-queue
* ip classless
Also I have one AUX port... do we need to close it, or does it come as 'shut down' by default?
Please advise..
Thanks once again..
Well, if they are defaults they normally don't show up.
Try doing a: show startup-config all and have a look then.

Thanks for your reply,

Even after "show startup-config" I can see them as below:
----------------------------------------------------------------------
>interface BRI0
 no ip address
 encapsulation hdlc
 no keepalive
 shutdown
 isdn switch-type basic-net3
 >no fair-queue
> ip classless
----------------------------------------------------------------------

What to do with the AUX port now?

Anyway I am going to replace the router today... as my ISP will do some configuration in the fiber box remotely and I need to replace the router here...

Can I expect your support/reply today if I have any issue after replacing the router?

Hope to have favorable support as always..

Many thanks once again...

ASKER CERTIFIED SOLUTION
Ernie Beek
Thanks erniebeek for your reply and continued support...

The replacement was done successfully without any issue... so far...

Well, sometimes... I am losing HTTP packets... showing "webpage cannot be displayed", but when I hit F5 1-2 times (sometimes 4-5 times) it works well... any workaround...

Once again thanks for your support, and kindly accept 500 points..
Dear erniebeek,

Regarding the problem I have been facing after replacing the router (as addressed above), I have opened a new question... kindly have a look and advise accordingly:
https://www.experts-exchange.com/questions/27080554/How-to-get-rid-of-internet-problem-Internet-Explorer-cannot-display-the-webpage.html
I'll have a look later on and let you know.