Solved

try to permit static route for remote admin with 827 cisco router

Posted on 2006-06-26
Last Modified: 2012-06-21
Hi,
I have an 827 Cisco router and I need to configure a static route from an outside IP to an inside IP. Let's say the outside IP is 222.222.222.222 and the inside IP is 172.222.222.222, and the server to be administered is 172.222.222.5 on port 555.
Here is the current config. Thank you.

1 Ethernet/IEEE 802.3
 set peer 222.222.222.222                      
1
 set transform-set papabear                      
128
 match address 106tile configuration
!e
bridge irb          

interface Ethernet0  
8192K bytes of
 ip address 192.168.168.1 255.255.255.0 secondary                      
*                      
 ip address 172.222.222.222 255.255.255.0 be 0x2102 at next reload)          
 ip nat inside              
 no cdp enable        

Dea
 hold-queue 32 in                
!

interface ATM0              

 ip access-group 102 in

Name c
 ip inspect inside-to-WWW out              
        destad
 ip nat outside8, prot=50, spi
 no ip route-cache)            
S
 no ip mroute-cachesion 12.1(1r)XB1, R
 crypto map armadillo9:09.839: %CRYPTO-4-R
!V
ip classless: decaps: re
ip route 0.0.0.0 0.0.0.0 111.111.111.217Systems, Inc.                          
no ip http server27
s invalid spi
!r
ip nat inside source route-map nonat interface BVI1 overloadpi=0x4DB85D6(81495510)confreg 0x2142                        
logging trap ere          
 
access-list 102 permit tcp any any eq 56316.22.10                                  
access-list 102 permit udp any any eq 5631        
   network 172.222.222.222 255.255.2
access-list 102 permit tcp any any eq 5632 default-router 172.222.222.1fornia 95134-17
access-list 102 permit udp any any eq 563206.13.28.12Internetwork Operating System S
access-list 106 permit ip 172.222.222.0 0.0.0.255 207.222.222.122 0.0.0.63e (C8
ip inspect one-minute low 280C, EARLY DEPLOYMENT RELE    
ip insp
access-list 152 deny   ip 172.222.222.0 0.0.0.255 222.222.222.192 0.0.0.63incomplete host 30 block-time 1
TAC:Home:SW:IOS:Specials for info      
access-list 152 permit ip 172.222.222.222 0.0.0.255 anyy cisco Systems, Inc.    
ip inspect name inside-t
access-list 152 permit ip 192.168.168.0 0.0.0.255 anyt name inside-to-WWW ftp              
Image text-ba
no cdp runpect name
route-map nonat permit 10                        

 match ip address 152-to-WWW udp U.S. Expo
!
snmp-server community coavlesw RWme inside-                      
outside the United Sta
snmp-server chassis-id <<Router Serial#>>bear esp-3des esp-sha-hmac              
snmp-server enable traps snmp linkdown linkup coldstart warmstart 10 ipsec-isakmp                                    
 set peer 20
snmp-server enable traps atm pvcuts
 set transform-set papabear
snmp-server enable traps syslogh address 106        
either b
snmp-server host 222.222.222.194 thlunlad  snmprnet0                  
 ip address 192.168.16
snmp-server managercondaryo Systems, I
bridge 1 protocol ieeeent.          
 ip add
 bridge 1 route ip5.255.255.0Persons
banner motd ^CS. and Canada
*****************************************************************queue 32 in          
     
!
interface ATM0              

^C
privilege exec level 5 ping
privilege exec level 5 show crypto isakmp sa
privilege exec level 5 show crypto ipsec sa
privilege exec level 5 clear crypto isakmp
privilege exec level 5 clear crypto sa
!
line con 0
 exec-timeout 30 30
 password 7 082B434B0D0B091219
 login authentication userauthen
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 30 30
 privilege level 5
 password 7 105D1A1E
 login authentication userauthen
!
scheduler max-task-time 5000
end
Question by:lizardqueen007
13 Comments
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16988493
Also, I would like to have more than one port static.
 
LVL 25

Expert Comment

by:Ron M
ID: 16988566
Access-group +list + static mapping.

============================================================================
>config t

access-group acl_out in interface outside
access-group acl_in in interface inside

                                                     from                                               outsideip         port
access-list acl_in permit tcp 222.222.222.222 255.255.255.255 host 222.221.221.221 eq 555
access-list acl_out permit tcp any any eq 555


+

                                             outsideip     port   insideip       port
static (inside,outside) tcp 222.221.221.221 555 192.168.2.222 555 netmask 255.255.255.255 0 0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16988627
Thank you, I will try right now.
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16988640
This router does not recognize access-group.
Router(config)#access-group acl_out in interface outside
                                   ^
% Invalid input detected at '^' marker.
 
LVL 10

Expert Comment

by:naveedb
ID: 16989446
Can you do the following on the router?

no debug all

and then type show running and post the output again?
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16990707
Yes, I can post again with "no debug all", but not for a day, because I am not at the location.
May I ask what we are looking for?
Also, their network is very simple. All they have is a DSL connection with 4 computers. I did not configure this thing and it seems like an unnecessarily complicated configuration. I am considering resetting the config and starting from scratch. Any opinions?
I asked the ISP how the router authenticates since it is PPPoE, but there is no username and password that I see. He said that entering the external IP address works. Has anyone used this before, and is it a common way to configure PPPoE/DSL?
Thanks for the help
 
LVL 10

Expert Comment

by:naveedb
ID: 16994099
You can have connection without username password, depending on the ISP.

We need to create a static NAT translation on the router itself. Since your configuration is not very clear, I don't want to give commands based on guessing.
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16999895
Hi Naveedb,
I agree that this configuration is not very clear. I am glad to hear someone else say it. I am new to Cisco and looking at that IPsec stuff really threw me. I was able to accomplish the task of permitting a static route for the remote admin with the following:
ip nat inside source static tcp 192.168.0.5 4000 171.68.1.1 4000 extendable
Where the inside IP of the host to be remotely administrated is 192.168.0.5 and the 171.68.1.1 is the outside IP.  The port number is hypothetically 4000.
I also had to add a permit tcp 4000 to the access list.
I was surprised that it worked, but sometimes I get lucky.
The documents that helped me were:
http://www.exio.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
http://www.linuxhomenetworking.com/cisco-hn/dsl-router.htm
I believe that the person who originally set it up just used some stock configuration, because the client's needs are very simple and this configuration seems way too complicated.
Thank you for the help. Any insight into what the mroute-cachesion is about, please let me know. I cannot find it in the IOS book that I have nor in Cisco documents. Someday this configuration will come back to haunt me, I am sure, and I will probably have to clear the config and start from scratch.
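As an added example (not the thread's own configuration), here is the static port translation the author used, with the matching access-list entry narrowed to the administrator's source address instead of "any any". The inside host 192.168.0.5, the outside address 171.68.1.1 and port 4000 are the values from the comment above; the management station address 203.0.113.10 is an assumption.

```text
! Added example, not the thread's config.
! Inside host 192.168.0.5, outside address 171.68.1.1, port 4000 (from the
! comment above); management station 203.0.113.10 is an assumed value.
!
! One static PAT per published port; repeat the line for each additional
! port. 'extendable' lets several translations share the same global address.
ip nat inside source static tcp 192.168.0.5 4000 171.68.1.1 4000 extendable
!
! Inbound filter on the outside interface: admit the port only from the
! management station, and log both the permitted hits and other attempts.
! Numbered ACL entries are appended in order, so place these before any
! broad permit for the same port.
access-list 102 permit tcp host 203.0.113.10 host 171.68.1.1 eq 4000 log
access-list 102 deny   tcp any host 171.68.1.1 eq 4000 log
! ...existing access-list 102 entries follow...
!
interface ATM0
 ip access-group 102 in
!
! Check the translation is active:
!   show ip nat translations | include 4000
! Watch the logged hits with:
!   show logging | include 102
```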
 
LVL 10

Accepted Solution

by:
naveedb earned 500 total points
ID: 17000789
I believe the command you are referring to is

no ip mroute-cache

-sion is probably from console message or debug which was mixed in the output.

You can safely ignore this command. mroute-cache is used for multicast traffic switching; for example, if you will be feeding 25 workstations with video and have an infrastructure that supports multicasting, you may come across using mroute-cache, which is highly unlikely in your scenario, so it is disabled on your router.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/switch_r/xrmds.htm#wp1017466
 
LVL 1

Author Comment

by:lizardqueen007
ID: 17003061
Hello, Naveedb,
May I ask?
1) What is, in your opinion, the best book for someone starting Cisco? I am looking for a book that is not necessarily aimed at becoming certified, but a good, quick (if possible) book on real-world solutions for Cisco routers for someone new to Cisco devices.
 
LVL 10

Expert Comment

by:naveedb
ID: 17004346
There are many areas in Cisco routers, like routing, switching, security, voice and data, etc. Which one would better describe your needs?

For very beginners, you normally start with understanding IOS commands, but with the newer routers supporting web GUIs, it might be much easier to use these tools instead of the old command line. So, it is also a generation question in this respect.
 
LVL 1

Author Comment

by:lizardqueen007
ID: 17006092
I have to use the command line due to generation issues, as you said.
I have the IOS in a Nutshell book. I am looking for a book that can translate Cisco terminology into more Network+ type terminology. I suppose there is no one book, but I thought you might have a favorite for making the leap from Network+ to Cisco.
 
LVL 10

Expert Comment

by:naveedb
ID: 17006488
I have used many books for my certification and later just to keep up with changing technologies, so I would not recommend any one book, as in my experience two readers can have a different opinion about the same book. I would, however, suggest, as my teachers have, to use cisco.com for learning. It is an excellent source for training on all aspects of technology and Cisco products.

To try, just have a look at the following link and browse through NAT. Spend some time going through the links and you will realize that it gives a lot of information (and an answer to your question too).

http://www.cisco.com/en/US/tech/tk648/tsd_technology_support_category_home.html
