Cisco 857 Router Help

I have just got a Cisco 857 integrated services router for a client whose network I administer. I have no experience with Cisco routers. I want to configure it to port forward incoming VPN connections and remote desktop connections to the server. My client has an SBS 2003 server and two workstations. At the moment I can connect to the server remotely with remote desktop or through VPN. My client wants to be able to connect to the network via VPN from home, but with the current router (a BT freebie) whenever she connects it locks me out. I have determined this is a problem with the current router so have got a Cisco 857, but I'm not familiar with it. Please, this is urgent; any help would be greatly appreciated.
bbarr5179Asked:
 
gmooney7Commented:
Ok, you should be able to follow this well enough from a command line... Let me know what parts you have trouble with, but it's fairly simple. The NAT configuration is in line with what I mentioned earlier. Also include the configuration to port forward 3389 and 1723. You will also want to change auth information if you haven't already.

Here is a sample config from Cisco's site...

!--- Comments contain explanations and additional information.


service timestamps debug datetime msec
service timestamps log datetime msec
ip subnet-zero
!

!--- For DHCP:

ip dhcp excluded-address <ip address of ethernet0>
ip dhcp pool <dhcp pool name>
 network <ip network address of ethernet0> <subnet mask>
 default-router <ip address of ethernet0>
 dns-server <ip address of dns server>
!
interface ethernet0
 no shut
 ip address <ip address> <subnet mask>

!--- For NAT:

 ip nat inside
 no ip directed-broadcast
!
interface atm0
 no shut
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 pvc <vpi/vci>
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.

!
interface dialer1
 ip address <ip address> <subnet mask>
 no ip directed-broadcast

!--- For NAT:

 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <username>
 ppp chap password <password>
 ppp pap sent-username <username> password <password>
!

!--- For NAT:

ip nat inside source list 1 interface dialer1 overload

!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload
!--- with these two configuration statements:
!--- ip nat inside source list 1 pool <nat pool name> overload
!--- ip nat pool <nat pool name> <first ip address> <last ip address>
!---  netmask <subnet mask>

!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- ip nat inside source static tcp <inside ip address of server> {80 or 25}
!--- <outside well-known ip address of server> {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.

!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer1

!--- For NAT:

access-list 1 permit <ip network address of ethernet0> <wildcard mask>

!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if  
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.

!
end
0
 
jetxCommented:
hello..

I suggest reading up on Cisco IOS commands http://www.fantek.org/cisco/wpbascom.htm

I believe you have a default Cisco router setup, which means NAT and all incoming connections are firewalled from the router. You want to set up services to allow PPTP and GRE on the router for the SBS 2003 server. Of course you must also set up Remote routing on the SBS machine to allow VPN connection.

Here's a sample config for Cisco 857 with some access lists for some services...
http://www.velocityreviews.com/forums/t299872-cisco-857-ethernet0-wont-stay-up-unless-constant-ping-is-done.html

Jeff
0
 
gmooney7Commented:
I've never used a Cisco 857, but I've configured an 831 before. Their configuration should be similar in nature, but I can't remember what the interfaces are addressed as. Follow this as a guideline, if you are using a statically assigned single public IP address. Please comment if you have a small subnet assigned to you, or are using PPPoE or DHCP to obtain your outside IP address. Replace IPs with those of your own, these are examples.
This configuration is not complete, so ask if you need anything further. This should get you most of the way there. NAT will provide some security, but you would be advised to implement some kind of ACL as well. You'll also want to configure an ACL for your telnet/SSH access and apply it to line vty 0 4.


int fa 0
ip address 192.168.15.1 255.255.255.0
ip nat inside
!
int eth 0
ip address x.x.x.x 255.255.255.252
ip nat outside
!
ip nat inside source list 15 interface ethernet 0 overload
!--- Modify 192.168.15.10 to be the address of the SBS server. This port is PPTP.
ip nat inside source static tcp 192.168.15.10 1723 interface Ethernet0 1723
!--- Again, modify the address to be that of the SBS server. This port is RDP.
ip nat inside source static tcp 192.168.15.10 3389 interface Ethernet0 3389
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip classless
!
access-list 15 permit 192.168.15.0 0.0.0.255
0
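The two port forwards above, rewritten for the 857's ADSL dialer interface and paired with the kind of inbound ACL the comment recommends. This is an added example, not part of any poster's comment or of Cisco's sample; it assumes Dialer1 is the outside interface as in the Cisco sample config, the ACL name WAN-IN is made up, and the angle-bracket values are placeholders.

```cisco
!--- Added example. Replace the values in <>; WAN-IN is an assumed name.
!--- Forward PPTP control (TCP 1723) and RDP (TCP 3389) to the SBS server.
ip nat inside source static tcp <inside ip address of server> 1723 interface Dialer1 1723
ip nat inside source static tcp <inside ip address of server> 3389 interface Dialer1 3389
!
ip access-list extended WAN-IN
 !--- Replies to TCP sessions opened from the LAN (stateless ACK/RST match).
 permit tcp any any established
 !--- DNS answers to lookups made by the inside DNS server.
 permit udp any eq domain any
 !--- PPTP: the control channel plus the GRE tunnel that carries the VPN data.
 permit tcp any any eq 1723
 permit gre any any
 !--- RDP and router SSH only from a known administrator address.
 permit tcp host <trusted admin public ip> any eq 3389
 permit tcp host <trusted admin public ip> any eq 22
 !--- ICMP needed for path MTU discovery, traceroute and ping replies.
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 !--- Everything else is dropped and logged.
 deny ip any any log
!
interface Dialer1
 ip access-group WAN-IN in
```

The ACL is stateless, so other inbound UDP replies are dropped unless a matching permit is added. Apply it from the console, or schedule `reload in 10` first, because a mistake in an inbound ACL cuts off remote management.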
 
gmooney7Commented:
Doh, that has integrated ADSL. Your config will differ, but port forwarding/NAT will be the same.
0
 
gmooney7Commented:
The bottom link in the previous poster's comment has a good config example, follow that... I should have read that first before posting, bah. :p
0
 
bbarr5179Author Commented:
Hi. Ok, had a bash at setting it up today. I followed the instructions for the initial setup and it took me to SDM Express or something like that. Anyway, I configured the ADSL and router settings for the network and clicked on finished and... nothing happened, it just froze. I left it for 20 mins, still nothing! So I brought up trusty Task Manager and closed the program as it (and everything but TM) wasn't responding. Then I tried to connect to the router using the username and password I had changed it to. It wouldn't let me in. So I tried the factory password and username and I got in! So nothing had changed, not the hostname or the IP address. I tried this several times and even tried changing fewer things to see if that worked. Nothing, it locked up every time. Any suggestions?
0
 
gmooney7Commented:
Instead of using SDM, I would just configure it through the CLI. PuTTY is a good tool.
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Telnet to whatever its default IP is; you should be able to get right in with no password, or cisco as the pass.

Go off of the link provided by the guy above.  
Then copy and paste the configuration to Notepad, etc. Modify it all you need to suit your setup. Once finished, you might just copy everything you have put together in Notepad and post it here. I or someone else can look it over, modify it if needed and post it back. Or, if you want to give it a shot yourself first, do the following:

Once connected, type
en <enter>
conf t <enter>
Copy and paste your configuration and see what happens.
If everything goes in good and tests out ok, type "wri mem" or, you can use the newer "copy running-config startup-config"

Tell us how it goes
0
 
bbarr5179Author Commented:
Can I configure the broadband connection from this as well?
0
 
bbarr5179Author Commented:
For gmooney: I have a static IP address assigned to my broadband. The network setup is as follows. My SBS server acts as DHCP and DNS server for both workstations. Currently the internal network address is in the 192.168.1.0 range. I need to know how to set up the broadband connection through IOS as the SDM isn't working. Like I said, I'm completely in the dark with this. I also need to be able to access the router remotely; I assume I would do this through telnet once the internet connection is set up? Thanks for all the comments, I really appreciate it.
0
 
gmooney7Commented:
Sorry for the delay. Really busy yesterday, and my wife and I hosted Thanksgiving today... so, finally checking my email :)

I notice you said you had a static IP. Are you using PPPoE to acquire this or no? Let me know that much, and I'll try to put together some config that will work.

Hard to do though without an actual router with an ADSL WIC, and I've never actually configured an ADSL interface. The sample configs I'm finding though look easy enough. We should be able to get something working.

thanks!
0
 
bbarr5179Author Commented:
Ok, we have a static IP address; this is automatically assigned (by PPPoA).
0
 
gmooney7Commented:
Oh, as far as remote access, do the following...

service password-encryption
!
hostname <your hostname>
ip domain name <your domain name>
username <username> password <password> priv 2
enable password <password>
enable secret <password>
!
access-list 150 permit ip <your remote subnet for remote access> <wildcard mask> any
access-list 150 permit ip <2nd ip/range , and so on.....>
!
line vty 0 4
access-class 150 in
transport input pad udptn telnet rlogin ssh
password <password>

Now, if you want to use SSH instead of telnet, which I do anyway: everything to gain, nothing to lose by using it.
Execute this from configuration mode.

crypto key generate rsa general-keys modulus 1024

This will take a little bit to finish, be patient. In order to generate a key pair you must have also at least specified a domain name using "ip domain name <your domain>".

Let me know if you still have questions.  Thanks!
0
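An SSH-only variant of the remote access configuration above, as an added example rather than the poster's own config. It assumes an IOS image with SSH version 2 support; ACL number 10 and the angle-bracket values are placeholders, and 192.168.1.0 is the LAN range given earlier in the thread. The ACL takes a wildcard mask (0.0.0.255 for a /24), not a subnet mask.

```cisco
!--- Added example; values in <> are placeholders.
service password-encryption
hostname <your hostname>
ip domain name <your domain name>
!
!--- "secret" stores an MD5 hash; "password" is only reversibly obscured
!--- by service password-encryption, so no "enable password" is set.
enable secret <enable password>
username <username> secret <password>
!
!--- Host key for SSH; needs the hostname and domain name set first.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
!--- Standard ACL: source addresses allowed to manage the router.
access-list 10 permit <remote management subnet> <wildcard mask>
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 !--- SSH only: telnet and rlogin send credentials in clear text.
 transport input ssh
 !--- Authenticate against the local username database.
 login local
 exec-timeout 10 0
```

After pasting, `show ip ssh` should report version 2.0 enabled; test a new SSH login before closing the existing session.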
 
bbarr5179Author Commented:
Hi, thanks for the post, it helped no end. First off, it turns out that the router was faulty so I had to get it replaced, but now that's done I've managed to sort it with your post. Thanks again.
0
 
gmooney7Commented:
Good to hear that you got it worked out.  Sorry for the delay!
0
Question has a verified solution.
