Solved

Cisco 760 Series Commands

Posted on 2002-05-07
18
353 Views
Last Modified: 2008-03-03
I am trying to allow access to external VPN servers from behind my Cisco 761. But am having difficulties. I believe that certain ports are blocked, including those required for VPN.

Would someone specify the commands needed in oreder to unblock these ports. Your help will be greatly appreciated.

Thanks Chris Jones
0
Comment
Question by:Jonsie
  • 9
  • 7
  • 2
18 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6994728
It depends on the type of VPN you are trying to use.  PPTP?  IPSEC?  Are you NATing with the Cisco?
0
 

Author Comment

by:Jonsie
ID: 6994856
Yes, the Cisco router is NATing. I would prefer to use IPSEC, but it doesn't matter greatly as it is a windows 2000 to Small Business Server link and I believe that both protocols are supported.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6994975
Geoffryn - you may want to read here:

http://www.experts-exchange.com/routerswitch/Q.20295984.html

Jonsie - Couple things here:

Like I said in your other question, routers don't block ports by default and should allow everything to pass.  I seriously doubt this is the issues.  However, you may want to just post up the config and we can take a look at it.  These are one of the least used and least known routers Cisco ever bought and resold, so giving you the commands may not be as easy as just looking through the config and seeing if anything looks unusual.
0
 

Author Comment

by:Jonsie
ID: 6994996
L0239628> show ip filter all
IP Type Filter
Profile               ID   Dir  Type     Action  Addresses
----------------------------------------------------------
Standard              1    OUT  UDP      IGNORE  DST 0.0.0.0/0:137-139
Standard              2    OUT  TCP      IGNORE  DST 0.0.0.0/0:137
LAN                   1    IN   UDP      BLOCK   SRC 0.0.0.0/0:137-138
LAN                   2    IN   TCP      BLOCK   SRC 0.0.0.0/0:139
RemoteNet             1    IN   UDP      BLOCK   SRC 0.0.0.0/0:137-138
RemoteNet             2    IN   TCP      BLOCK   SRC 0.0.0.0/0:139
RemoteNet             3    OUT  UDP      IGNORE  DST 0.0.0.0/0:137-139
RemoteNet             4    OUT  TCP      IGNORE  DST 0.0.0.0/0:137

IP Generic Filter
Profile               ID   Dir  Type     Action  Patterns
---------------------------------------------------------


****

L0239628> show
System Parameters
    Environment
      Screen Length          20
      Echo Mode              ON
      CountryGroup           2
    Bridging Parameters
      LAN Forward Mode       ANY
      WAN Forward Mode       ONLY
      Address Age Time       OFF
    Call Startup Parameters
      Multidestination       OFF
    Line Parameters
      Switch Type            NET3
      Alaw Voice Encoding    ON
      Internal Tones         NONE
    Call Parameters          Link 1             Link 2             Link D
      Retry Delay              30                 30
      Serial Port State      CONFIG

<Q> and <enter> to Quit or <enter> for MORE
Profile Parameters
    Bridging Parameters
      Bridging               ON
      Routed Protocols       IP
      Learn Mode             ON
      Passthru               ON
    Call Startup Parameters
    Line Parameters
      Line Speed             AUTO
      Numbering Plan         NORMAL
    Call Parameters          Link 1             Link 2             Link D
      Auto                     ON                 ON                OFF
      Permanent               OFF                OFF                OFF
      Called Number
      Backup Number
      Ringback Number
      CLI Validate Number
    CLICallback              OFF
    CLIAuthentication        OFF
<Q> and <enter> to Quit or <enter> for MORE

Status    01/06/1995 02:13:59
Line Status
  Line Activated
  Terminal Identifier Assigned
Port Status                                           Interface Connection Link
  Ch:  1   64K Call In Progress         08440404002    DATA          2      1
  Ch:  2      Waiting for Call
L0239628>


*****


L0239628> upload
CD
SET SCREENLENGTH 20
SET COUNTRYGROUP 2
SET LAN MODE ANY
SET WAN MODE ONLY
SET AGE OFF
SET MULTIDESTINATION OFF
SET SWITCH NET3
SET ALAWVOICE ON
SET INTERNALTONES NONE
SET 1 DELAY 30
SET 2 DELAY 30
SET BRIDGING ON
SET LEARN ON
SET PASSTHRU ON
SET SPEED AUTO
SET PLAN NORMAL
SET D   AUTO OFF
SET 1 AUTO ON
SET 2 AUTO ON
SET 1 NUMBER
SET 2 NUMBER
SET AODI OFF
SET 1 BACKUPNUMBER
SET 2 BACKUPNUMBER
SET 1 RINGBACK
SET 2 RINGBACK
SET 1 CLIVALIDATENUMBER
SET 2 CLIVALIDATENUMBER
SET CLICALLBACK OFF
SET CLIAUTHENTICATION OFF
SET SYSTEMNAME L0239628
LOG CALLS TIME VERBOSE
SET UNICASTFILTER OFF
DEMAND D THRESHOLD 0
DEMAND 1 THRESHOLD 0
DEMAND 2 THRESHOLD 48
DEMAND D DURATION 1
DEMAND 1 DURATION 1
DEMAND 2 DURATION 1
DEMAND D SOURCE LAN
DEMAND 1 SOURCE LAN
DEMAND 2 SOURCE BOTH
TIMEOUT D THRESHOLD 0
TIMEOUT 1 THRESHOLD 0
TIMEOUT 2 THRESHOLD 48
TIMEOUT D DURATION 1800
TIMEOUT 1 DURATION 1800
TIMEOUT 2 DURATION 1800
TIMEOUT D SOURCE LAN
TIMEOUT 1 SOURCE LAN
TIMEOUT 2 SOURCE BOTH
SET AOCDTIMEOUT OFF
SET REMOTEACCESS PROTECTED
SET LOCALACCESS ON
SET LOGOUT 20
SET CALLERID OFF
SET PPP AUTHENTICATION IN CHAP  PAP
SET PPP CHAPREFUSE NONE
SET PPP CHAPALLOW MULTIHOST OFF
SET PPP MAGICNUMBERCHECK ON
SET PPP AUTHENTICATION OUT NONE
SET PPP AUTHENTICATION ACCEPT EITHER
SET PPP TAS CLIENT 0.0.0.0
SET PPP TAS CHAPSECRET LOCAL ON
SET PPP PASSWORD CLIENT ENCRYPTED 1442342e5d210c0806
SET PPP SECRET CLIENT ENCRYPTED 15472d29550f0d070a
SET PPP PASSWORD HOST ENCRYPTED 124c2332432e2a2708
SET PPP SECRET HOST ENCRYPTED 055e202a7069682a3b
SET PPP CALLBACK REQUEST OFF
SET PPP CALLBACK REPLY OFF
SET PPP NEGOTIATION INTEGRITY 10
SET PPP NEGOTIATION COUNT 10
SET PPP NEGOTIATION RETRY  3000
SET PPP TERMREQ COUNT 2
SET PPP MULTILINK OFF
SET PPP MULTILINK PPPHEADER ON
SET COMPRESSION STAC
SET PPP BACP ON
SET PPP ADDRESS NEGOTIATION LOCAL OFF
SET PPP IP NETMASK LOCAL OFF
SET IP PAT UDPTIMEOUT 5
SET IP PAT TCPTIMEOUT 30
SET IP RIP TIME 30
SET X25 LIC 0
SET X25 HIC 0
SET X25 LTC 0
SET X25 HTC 0
SET X25 LOC 1024
SET X25 HOC 1024
SET CALLDURATION 0
SET SNMP CONTACT ""
SET SNMP LOCATION ""
SET SNMP TRAP COLDSTART OFF
SET SNMP TRAP WARMSTART OFF
SET SNMP TRAP LINKDOWN OFF
SET SNMP TRAP LINKUP OFF
SET SNMP TRAP AUTHENTICATIONFAIL OFF
SET DHCP OFF
SET DHCP DOMAIN
SET DHCP NETBIOS_SCOPE
SET TPAD PARITY NONE
SET X25D TEI 0
SET X25D X121HOST
SET CALLTIME VOICE INCOMING OFF
SET CALLTIME VOICE OUTGOING OFF
SET CALLTIME DATA INCOMING OFF
SET CALLTIME DATA OUTGOING OFF
SET RCAPI ON
SET RCAPI SERVER PORT 2578
SET USER LAN
SET BRIDGING OFF
SET IP ROUTING ON
SET IP ADDRESS 10.0.0.1
SET IP NETMASK 255.0.0.0
SET IP FRAMING ETHERNET_II
SET IP PROPAGATE ON
SET IP COST 1
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET USER Internal
SET IP ROUTING OFF
SET IP ADDRESS 0.0.0.0
SET IP FRAMING ETHERNET_II
SET USER Standard
SET PROFILE ID 000000000000
SET PROFILE POWERUP ACTIVATE
SET PROFILE DISCONNECT KEEP
SET IP ROUTING ON
SET IP ADDRESS 0.0.0.0
SET IP NETMASK 0.0.0.0
SET IP FRAMING NONE
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET NETBIOS FILTER ON
SET USER RemoteNet
SET PROFILE ID 000000000000
SET PROFILE POWERUP ACTIVATE
SET PROFILE DISCONNECT KEEP
SET BRIDGING OFF
SET 1 NUMBER 08440404002
SET 2 NUMBER 08440404002
TIMEOUT 1 THRESHOLD 20
TIMEOUT 2 THRESHOLD 48
TIMEOUT 1 DURATION 360
TIMEOUT 2 DURATION 60
TIMEOUT 1 SOURCE BOTH
TIMEOUT 2 SOURCE BOTH
SET PPP ADDRESS NEGOTIATION LOCAL ON
SET IP ROUTING ON
SET IP ADDRESS 213.122.226.229
SET IP NETMASK 255.255.255.0
SET IP FRAMING NONE
SET IP PROPAGATE ON
SET IP COST 1
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET IP PAT  ON
SET NETBIOS FILTER ON
SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 0.0.0.0 PROPAGATE ON COST 1
CD
SET SERIALPORT CONFIG
LOGOUT
L0239628>


Hope this helps... do you need any other info?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6995030
Thanks scraig84, I didn't realize there was another thread on this.


Jonsie.  The chances are that this device requires a one to one NAT in order to properly pass GRE packets.  The symptoms in the other thread are usually indicative of connecting on the control port 1723 but then failing to properly pass GRE packets.
0
 

Author Comment

by:Jonsie
ID: 6995045
would this not then mean that only one PC will have direct access to the outside world?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6995074
No.  GRE is a strange animal.  It is not a TCP or UDP port level service, it is a type of IP packet.  On most Cisco IOS implementations of NAT, it requires that a static association be made between the private and public IP for GRE.  The one to one assocation need only apply to GRE packets.
0
 

Author Comment

by:Jonsie
ID: 6995089
Thats great, how do I do this though?
0
 

Author Comment

by:Jonsie
ID: 6995138
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/750/700cr44/700crip.htm#xtocid554917

pretty sure the relevent information is under "set ip filter ...." or "set ip pat porthandler" although I'm not totally sure of the usage for my specific problem.

Hope you guys can make more sense out of it.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 11

Expert Comment

by:geoffryn
ID: 6995160
I cannot find any indication that this device has any ability to deal wiht GRE ion a NAT configuration.
0
 

Author Comment

by:Jonsie
ID: 6995168
hmmmm... do both IPSec AND PPTP use GRE??? I don't mind which I use.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6995177
Yes.  IPSEC is even more picky about NAT than PPTP.  What version of the "IOS" is on the 761?
0
 

Author Comment

by:Jonsie
ID: 6995191
All version Information

L0239628> version
Software Version c760-in.rxd.NET3 4.4(3) - Aug  2 2000 14:15:00
Cisco 761
ISDN Stack Revision NET3 2.10
Copyright (c) 1993-2000 by Cisco Systems, Inc.  All rights reserved.
Software is used subject to software license agreement contained
with this product. By using this product you agree to accept the
terms of the software license.
Hardware Configuration:
   DRAM:  1.5MB
   Flash: 1.0MB
   POTS:  Not Installed
   NT1:   Not Installed
   ROM:   2.1(2)
L0239628>
0
 
LVL 11

Accepted Solution

by:
geoffryn earned 100 total points
ID: 6995214
Time to think about an upgrade.  I don't think you are going to get VPN to work through this router.
0
 

Author Comment

by:Jonsie
ID: 6995223
Geoffryn. Although no solution was found you were a fantastic help in solving my problem. Will be replacing router in due course! May even kick me into moving from ISDN to Broadband.

Thanks Again
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6995239
I wish I could have been more encouraging.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6995513
Hell - as soon as you mentioned 761 my first thought was that a different router would be best!  That has always sort of been the bastard-step-child router from Cisco.  Sort of a "whoops, we bought a crappy company this time" deal.
0
 

Author Comment

by:Jonsie
ID: 6995858
Yeah, it has been a nightmare since I first got it. Unfortunatley it was supplied tied in with a deal with an ISP. Nver mind, thanks for your help guys.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you …
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now