bbarr5179

Cisco 857 Router Help

I have just got a Cisco 857 integrated services router for a client whose network I administer.  I have no experience with Cisco routers.  I want to configure it to port forward incoming VPN connections and remote desktop connections to the server.  My client has an SBS 2003 server and two workstations.  At the moment I can connect to the server remotely with remote desktop or through VPN.  My client wants to be able to connect to the network via VPN from home, but with the current router (a BT freebie) whenever she connects it locks me out.  I have determined this is a problem with the current router so have got a Cisco 857, but I'm not familiar with it. Please, this is urgent; any help would be greatly appreciated.
jetx
hello..

I suggest reading up on Cisco IOS commands http://www.fantek.org/cisco/wpbascom.htm

I believe you have a default Cisco router setup, which means NAT, and all incoming connections are firewalled from the router. You want to set up services to allow PPTP and GRE on the router for the SBS 2003 server. Of course, you must also set up Remote routing on the SBS machine to allow VPN connection.

Here's a sample config for Cisco 857 with some access lists for some services...
http://www.velocityreviews.com/forums/t299872-cisco-857-ethernet0-wont-stay-up-unless-constant-ping-is-done.html

Jeff
gmooney7

I've never used a Cisco 857, but I've configured an 831 before.  Their configuration should be similar in nature, but I can't remember what the interfaces are addressed as.  Follow this as a guideline if you are using a statically assigned single public IP address.  Please comment if you have a small subnet assigned to you, or are using PPPoE or DHCP to obtain your outside IP address.  Replace the IPs with your own; these are examples.
This configuration is not complete, so ask if you need anything further.  This should get you most of the way there.  NAT will provide some security, but you would be advised to implement some kind of ACL as well.  You'll also want to configure an ACL for your telnet/SSH access and apply it to line vty 0 4.


int fa 0
ip address 192.168.15.1 255.255.255.0
ip nat inside
!
int eth 0
ip address x.x.x.x 255.255.255.252
ip nat outside
!
ip nat inside source list 15 interface ethernet 0 overload
! modify 192.168.15.10 to be the address of the SBS server - this port is PPTP
ip nat inside source static tcp 192.168.15.10 1723 interface Ethernet0 1723
! again, modify the address to be that of the SBS server - this port is RDP
ip nat inside source static tcp 192.168.15.10 3389 interface Ethernet0 3389
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip classless
!
access-list 15 permit 192.168.15.0 0.0.0.255

Doh, that has integrated ADSL.  Your config will differ, but port forwarding/NAT will be the same.
The bottom link in the previous poster's comment has a good config example, follow that.... I should have read that first before posting, bah. :p

bbarr5179

ASKER

Hi. OK, had a bash at setting it up today. I followed the instructions for the initial setup and it took me to SDM Express or something like that.  Anyway, I configured the ADSL and router settings for the network and clicked on finished and..... nothing happened, it just froze.  I left it for 20 mins, still nothing! So I brought up trusty Task Manager and closed the program, as it (and everything but TM) wasn't responding.  Then I tried to connect to the router using the username and password I had changed it to.  It wouldn't let me in.  So I tried the factory password and username and I got in! So nothing had changed, not the hostname or the IP address.  I tried this several times and even tried changing fewer things to see if that worked.  Nothing, it locked up every time.  Any suggestions?

Instead of using SDM, I would just configure it through the CLI.  PuTTY is a good tool.
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Telnet to whatever its default IP is; you should be able to get right in with no password, or cisco as the pass.

Go off of the link provided by the guy above.  
Then copy and paste the configuration to Notepad, etc.  Modify it all you need to suit your setup.  Once finished, you might just copy everything you have put together in Notepad and post it here.  I or someone else can look it over, modify it if needed and post it back.  Or, if you want to give it a shot yourself first, do the following:

Once connected, type
en <enter>
conf t <enter>
Copy and paste your configuration and see what happens.
If everything goes in good and tests out OK, type "wri mem" or, you can use the newer "copy running-config startup-config".

Tell us how it goes.

Can I configure the broadband connection from this as well?
For gmooney: I have a static IP address assigned to my broadband.   The network setup is as follows.  My SBS server acts as DHCP and DNS server for both workstations. Currently the internal network address is in the 192.168.1.0 range.  I need to know how to set up the broadband connection through IOS, as the SDM isn't working.  Like I said, I'm completely in the dark with this. I also need to be able to access the router remotely; I assume I would do this through telnet once the internet connection is set up?  Thanks for all the comments, I really appreciate it.

Sorry for the delay.  Really busy yesterday, and my wife and I hosted Thanksgiving today.....so, finally checking my email :)

I notice you said you had a static IP.   Are you using PPPoE to acquire this or no?  Let me know that much, and I'll try to put together some config that will work.

Hard to do though without an actual router with an ADSL WIC, and I've never actually configured an ADSL interface.  The sample configs I'm finding, though, look easy enough.  We should be able to get something working.

Thanks!

OK, we have a static IP address; this is automatically assigned (by PPPoA).
ASKER CERTIFIED SOLUTION
gmooney7

Oh, as far as remote access, do the following...

service password-encryption
!
hostname <your hostname>
ip domain name <your domain name>
username <username> password <password> priv 2
enable password <password>
enable secret <password>
!
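! IOS access lists take a wildcard (inverse) mask in the mask position, e.g. 0.0.0.255 for a /24
access-list 150 permit ip <your remote subnet for remote access> <netmask> any
! one line per further source range, and so on
access-list 150 permit ip <2nd ip/range> <netmask> any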
!
line vty 0 4
access-class 150 in
transport input pad udptn telnet rlogin ssh
password <password>

Now, if you want to use SSH instead of telnet, which I do anyway: everything to gain, nothing to lose by using it.
Execute this from configuration mode.

crypto key generate rsa general-keys modulus 1024

This will take a little bit to finish, be patient.  In order to generate a key pair, you must also have at least specified a domain name using "ip domain name <your domain>".

Let me know if you still have questions.  Thanks!

Hi, thanks for the post, it helped no end.  First off, it turns out that the router was faulty so I had to get it replaced, but now that's done I've managed to sort it with your post. Thanks again.

Good to hear that you got it worked out.  Sorry for the delay!
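
An added example, not part of the thread or any poster's code: a small Python audit of a "show running-config" dump for the points raised in the NAT and remote-access posts above (non-SSH transports left on the vty lines, a vty block with no access-class, passwords stored with "password" rather than "secret"), plus a list of the ports published by static NAT. The sample config, its addresses and the "admin" username are constructed, and the parser assumes the indented layout that show running-config prints.

```python
import re

# Constructed sample in `show running-config` layout: the thread's NAT and
# remote-access snippets with made-up placeholder values filled in.
SAMPLE = """\
enable password 7 0000000000
enable secret 5 $1$placeholder
username admin privilege 2 password 7 0000000000
ip nat inside source static tcp 192.168.15.10 1723 interface Ethernet0 1723
ip nat inside source static tcp 192.168.15.10 3389 interface Ethernet0 3389
access-list 150 permit ip 203.0.113.0 0.0.0.255 any
line vty 0 4
 access-class 150 in
 transport input pad udptn telnet rlogin ssh
 password 7 0000000000
"""

NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                    r"(?:interface \S+|\S+) (\d+)")

def audit(config):
    """Return (exposed, findings): published NAT ports and weak settings."""
    exposed, findings, sections, cur = [], [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # top-level command leaves a vty block
            cur = None
        if line.startswith("line vty"):
            cur = {"name": line, "transports": set(), "acl": False}
            sections.append(cur)
        elif cur is not None and line.startswith("transport input"):
            cur["transports"] = set(line.split()[2:])
        elif cur is not None and line.startswith("access-class") and line.endswith(" in"):
            cur["acl"] = True
        elif line.startswith("enable password"):
            findings.append("enable password: cleartext or type 7 (reversible)")
        elif re.match(r"username \S+ .*\bpassword\b", line):
            findings.append(f"username {line.split()[1]}: 'password' used, not 'secret'")
        elif (m := NAT_RE.match(line)):
            exposed.append((m[1], m[2], int(m[4])))   # proto, inside host, public port
    for s in sections:
        extra = sorted(s["transports"] - {"ssh"})
        if extra:
            findings.append(f"{s['name']}: non-SSH transports allowed: {', '.join(extra)}")
        if not s["acl"]:
            findings.append(f"{s['name']}: no inbound access-class")
    return exposed, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```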