Solved

Cisco 857 Router Help

Posted on 2006-11-20
Last Modified: 2009-06-14
I have just got a Cisco 857 Integrated Services Router for a client whose network I administer. I have no experience with Cisco routers. I want to configure it to port forward incoming VPN connections and remote desktop connections to the server. My client has an SBS 2003 server and two workstations. At the moment I can connect to the server remotely with remote desktop or through VPN. My client wants to be able to connect to the network via VPN from home, but with the current router (a BT freebie) whenever she connects it locks me out. I have determined this is a problem with the current router so have got a Cisco 857, but I'm not familiar with it. Please, this is urgent; any help would be greatly appreciated.
Question by:bbarr5179
14 Comments
 
LVL 4

Expert Comment

by:jetx
ID: 17984535
hello..

I suggest reading up on Cisco IOS commands http://www.fantek.org/cisco/wpbascom.htm

I believe you have a default Cisco router setup, which means NAT and all incoming connections are firewalled from the router. You want to set up services to allow PPTP and GRE on the router for the SBS 2003 server. Of course you must also set up Remote routing on the SBS machine to allow VPN connections.

Here's a sample config for Cisco 857 with some access lists for some services...
http://www.velocityreviews.com/forums/t299872-cisco-857-ethernet0-wont-stay-up-unless-constant-ping-is-done.html

Jeff
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 17984799
I've never used a Cisco 857, but I've configured an 831 before. Their configuration should be similar in nature, but I can't remember what the interfaces are addressed as. Follow this as a guideline if you are using a statically assigned single public IP address. Please comment if you have a small subnet assigned to you, or are using PPPoE or DHCP to obtain your outside IP address. Replace IPs with your own; these are examples.
This configuration is not complete, so ask if you need anything further. This should get you most of the way there. NAT will provide some security, but you would be advised to implement some kind of ACL as well. You'll also want to configure an ACL for your telnet/SSH access and apply it to line vty 0 4.


int fa 0
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
!
int eth 0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
ip nat inside source list 15 interface ethernet 0 overload
! modify 192.168.15.10 to be the address of the SBS server - this port is PPTP
ip nat inside source static tcp 192.168.15.10 1723 interface Ethernet0 1723
! again, modify the address to be that of the SBS server - this port is RDP
ip nat inside source static tcp 192.168.15.10 3389 interface Ethernet0 3389
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip classless
!
access-list 15 permit 192.168.15.0 0.0.0.255
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 17984814
Doh, that has integrated ADSL. Your config will differ, but port forwarding/NAT will be the same.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 17984828
The bottom link in the previous poster's comment has a good config example; follow that. I should have read that first before posting, bah. :p
0
 

Author Comment

by:bbarr5179
ID: 17990850
Hi. OK, had a bash at setting it up today. I followed the instructions for the initial setup and it took me to SDM Express or something like that. Anyway, I configured the ADSL and router settings for the network and clicked on Finish and... nothing happened, it just froze. I left it for 20 mins, still nothing! So I brought up trusty Task Manager and closed the program as it (and everything but TM) wasn't responding. Then I tried to connect to the router using the username and password I had changed it to. It wouldn't let me in. So I tried the factory password and username and I got in! So nothing had changed, not the hostname or the IP address. I tried this several times and even tried changing fewer things to see if that worked. Nothing; it locked up every time. Any suggestions?
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 17990926
Instead of using SDM, I would just configure it through the CLI. PuTTY is a good tool.
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Telnet to whatever its default IP is; you should be able to get right in with no password, or "cisco" as the password.

Go off of the link provided by the guy above.
Then copy and paste the configuration to Notepad, etc. Modify it all you need to suit your setup. Once finished, you might just copy everything you have put together in Notepad and post it here. I or someone else can look it over, modify it if needed and post it back. Or, if you want to give it a shot yourself first, do the following.

Once connected, type
en <enter>
conf t <enter>
Copy and paste your configuration and see what happens.
If everything goes in good and tests out ok, type "wri mem" or, you can use the newer "copy running-config startup-config"

Tell us how it goes
0
 

Author Comment

by:bbarr5179
ID: 17994360
Can I configure the broadband connection from this as well?
0
 

Author Comment

by:bbarr5179
ID: 18002725
For gmooney: I have a static IP address assigned to my broadband. The network setup is as follows. My SBS server acts as DHCP and DNS server for both workstations. Currently the internal network address is in the 192.168.1.0 range. I need to know how to set up the broadband connection through IOS as the SDM isn't working. Like I said, I'm completely in the dark with this. I also need to be able to access the router remotely; I assume I would do this through telnet once the internet connection is set up? Thanks for all the comments, I really appreciate it.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18005335
Sorry for the delay. Really busy yesterday, and my wife and I hosted Thanksgiving today... so, finally checking my email :)

I notice you said you had a static IP. Are you using PPPoE to acquire this or not? Let me know that much, and I'll try to put together some config that will work.

Hard to do though without an actual router with an ADSL WIC, and I've never actually configured an ADSL interface. The sample configs I'm finding though look easy enough. We should be able to get something working.

thanks!
0
 

Author Comment

by:bbarr5179
ID: 18006711
OK, we have a static IP address; this is automatically assigned (by PPPoA).
0
 
LVL 4

Accepted Solution

by:
gmooney7 earned 500 total points
ID: 18025047
OK, you should be able to follow this well enough from a command line. Let me know what parts you have trouble with, but it's fairly simple. The NAT configuration is in line with what I mentioned earlier. Also include the configuration to port forward 3389 and 1723. You will also want to change auth information if you haven't already.

Here is a sample config from cisco's site....

!--- Comments contain explanations and additional information.

service timestamps debug datetime msec
service timestamps log datetime msec
ip subnet-zero
!
!--- For DHCP:
ip dhcp excluded-address <ip address of ethernet0>
ip dhcp pool <dhcp pool name>
 network <ip network address of ethernet0> <subnet mask>
 default-router <ip address of ethernet0>
 dns-server <ip address of dns server>
!
interface ethernet0
 no shut
 ip address <ip address> <subnet mask>
!--- For NAT:
 ip nat inside
 no ip directed-broadcast
!
interface atm0
 no shut
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 pvc <vpi/vci>
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.
!
interface dialer1
 ip address <ip address> <subnet mask>
 no ip directed-broadcast
!--- For NAT:
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <username>
 ppp chap password <password>
 ppp pap sent-username <username> password <password>
!
!--- For NAT:
ip nat inside source list 1 interface dialer1 overload
!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload
!--- with these two configuration statements:
!--- ip nat inside source list 1 pool <nat pool name> overload
!--- ip nat pool <nat pool name> <first ip address> <last ip address>
!---  netmask <subnet mask>
!
!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- ip nat inside source static tcp <inside ip address of server> {80 or 25}
!--- <outside well-known ip address of server> {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.
!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer1
!--- For NAT:
access-list 1 permit <ip network address of ethernet0> <wildcard mask>
!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.
!
end
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18025101
Oh, as far as remote access, do the following...

service password-encryption
!
hostname <your hostname>
ip domain name <your domain name>
username <username> password <password> priv 2
enable password <password>
enable secret <password>
!
access-list 150 permit ip <your remote subnet for remote access> <netmask> any
access-list 150 permit ip <2nd ip/range , and so on.....>
!
line vty 0 4
access-class 150 in
transport input pad udptn telnet rlogin ssh
password <password>

Now, if you want to use SSH instead of telnet (which I do anyway; everything to gain, nothing to lose by using it), execute this from configuration mode.

crypto key generate rsa general-keys modulus 1024

This will take a little bit to finish; be patient. In order to generate a key pair you must also have at least specified a domain name using "ip domain name <your domain>".

Let me know if you still have questions.  Thanks!
0
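Putting the accepted solution and the remote-access comment above together, here is an added worked configuration for the 857 (it is not from the thread, from Cisco's sample, or from either poster). It combines PPPoA with a negotiated address, NAT overload, the 1723 and 3389 forwards to the SBS server, an inbound filter on the WAN side, and SSH-only management. Everything concrete in it is an assumption to adjust: the LAN on Vlan1 (where the 85x switch ports live), a 192.168.1.0/24 LAN with the server at 192.168.1.10, PVC 0/38, access-list numbers 1, 101 and 150, and the angle-bracket placeholders.

```cisco
! Added example, not from the thread. Placeholders in <angle brackets> and the
! addresses, PVC and ACL numbers are assumptions; replace them with your own.
service password-encryption
service timestamps log datetime msec
hostname Router857
ip domain name example.local
ip subnet-zero
!
! "secret" stores a hash; "password" is reversible type 7 even with
! service password-encryption, so prefer secret for accounts and enable.
username admin privilege 15 secret <strong-admin-password>
enable secret <strong-enable-password>
!
! LAN side: the 857's switch ports are in Vlan1 (assumption: default VLAN)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip directed-broadcast
 ip tcp adjust-mss 1452
!
! ADSL side: PPPoA over ATM. PVC 0/38 is an assumption; confirm with the ISP.
interface ATM0
 no ip address
 no shutdown
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! The ISP assigns the static address over PPP, so negotiate it rather than
! hard-coding it. ACL 101 filters what the internet may send in.
interface Dialer1
 ip address negotiated
 ip nat outside
 ip access-group 101 in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <isp-username>
 ppp chap password <isp-password>
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NAT overload for the LAN plus the two static forwards to the SBS server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Inbound WAN filter (evaluated before NAT untranslates the destination):
! PPTP control channel and GRE for the VPN, RDP and SSH only from the
! admin's own address, replies to outbound sessions, and a logged deny.
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp host <admin-home-ip> any eq 3389
access-list 101 permit tcp host <admin-home-ip> any eq 22
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
! Management: SSH only, from listed sources, local accounts, idle timeout
access-list 150 permit ip host <admin-home-ip> any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
line vty 0 4
 access-class 150 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Run these in configuration mode after hostname and ip domain name are set,
! and before switching the vty lines to SSH only, or you lose telnet access
! with nothing to replace it:
!   crypto key generate rsa general-keys modulus 2048
!   ip ssh version 2
end
```

Two things to check after pasting it in. First, PPTP needs GRE as well as TCP 1723; the `permit gre` line lets it through the filter, but getting GRE to the server behind NAT relies on the NAT PPTP handling in your IOS release, so test a real client connection and watch `show ip nat translations` while it connects. Second, RDP and SSH are deliberately limited to the admin's source address in ACLs 101 and 150; leaving 3389 open to any source exposes the server's login prompt to the whole internet, so if the admin's home address changes, update those lines rather than widening them to `any`.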
 

Author Comment

by:bbarr5179
ID: 18026318
Hi, thanks for the post, it helped no end. First off, it turns out that the router was faulty so I had to get it replaced, but now that's done I've managed to sort it with your post. Thanks again.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18028164
Good to hear that you got it worked out.  Sorry for the delay!
0
