robscraig
Router configuration

I have just been assigned to try and configure a Cisco 2651 router. Well, for one, I have never worked on one of these before, and I am looking to get advice on where to start.

I need to find out all the ports that are currently being forwarded on this router.
I need to know how to make a vpn tunnel on this thing.
Affiliated_IT

Those have web interfaces:
http://ipaddress and the menu should be clear.

If not, telnet to it and type
en
type your password
then type show start
and it will give you all the config for it.
robscraig (ASKER)

If the web interface is not enabled, can I enable it?
No, usually it is always on if there is one.
Use telnet and copy/paste the show start output here, removing all passwords.
We'll answer your questions on the config from there.
When you enter the router through telnet, if your prompt looks like this, "routername>", you are in a sort of read-only mode. You need to enter exec mode to do this: simply type "enable" and your prompt will change to "routername#". This is where you would type the commands above.

If you need to do any configuration, you need to enter global configuration mode by typing "configure terminal". Your command prompt will change to "routername(config)#". Note: you cannot type the show start command from this mode. You will have to type "exit" to get back to exec mode.

If the http server is not enabled, you can enable it from the command line by typing "ip http server".

To view interfaces along with their IP properties, type the following. Note: this is another show command and must be done from exec mode.

show ip int brief

If you do turn on the http server and want to save the change so that the next time you reboot the router it comes up with that configuration, type "copy running-config startup-config" from exec mode.
PS: here is a link to the Cisco IOS configuration fundamentals configuration guide

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4/cf_12_4_book.html
OK, I enabled ip http server but can't seem to get to it via http.
If you are looking to configure the router through a web interface, the basic http interface will not do much for you. It's pretty weak. The SDM is much better, but I still prefer the command line interface. Although, according to this document, your router does not support the device manager:

http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html

The http interface could have an access list blocking it, or you may want to save your change and reload the router.

If you have specific questions or goals, do a "show startup" in exec mode, post that (minus usernames and passwords) and list what you need; I can provide plenty of configuration advice.
Here is my show start.
I would like to view via http.
I am trying to configure a VPN tunnel,
and maybe know how to forward a couple more ports.

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname aitledrt1
!
logging queue-limit 100
logging buffered 51200 warnings
aaa new-model
enable password 7 08271D5D015F43141A021C147F
!

ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 1
!
no call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN INTERFACE
 ip address 192.168.102.254 255.255.255.0
 ip nat inside
 speed 100
 half-duplex
!
interface FastEthernet0/1
 description WAN INTERFACE
 ip address dhcp
 ip access-group 105 in
 ip nat outside
 duplex auto
 speed auto
!
interface Ethernet1/0
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.102.15 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.102.14 15007 interface FastEthernet0/1 15007
ip nat inside source static tcp 192.168.102.14 15006 interface FastEthernet0/1 15006
ip nat inside source static tcp 192.168.102.14 15005 interface FastEthernet0/1 15005
ip nat inside source static tcp 192.168.102.14 15004 interface FastEthernet0/1 15004
ip nat inside source static tcp 192.168.102.14 15003 interface FastEthernet0/1 15003
ip nat inside source static tcp 192.168.102.14 15002 interface FastEthernet0/1 15002
ip nat inside source static tcp 192.168.102.14 15001 interface FastEthernet0/1 15001
ip nat inside source static tcp 192.168.102.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.102.14 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.102.15 9222 interface FastEthernet0/1 9222
ip nat inside source static tcp 192.168.102.14 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.102.12 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.102.12 443 interface FastEthernet0/1 443
ip classless
ip http server
ip http access-class 1
ip http authentication local
!
logging 192.168.102.5
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 105 permit tcp any eq 15001 any log
access-list 105 permit tcp any eq 15002 any log
access-list 105 permit tcp any eq 15003 any log
access-list 105 permit tcp any eq 15004 any log
access-list 105 permit tcp any eq 15005 any log
access-list 105 permit tcp any eq 15006 any log
access-list 105 permit tcp any eq 15007 any log
access-list 105 permit ip any any
access-list 105 permit ahp any any
access-list 105 permit esp any any
access-list 105 permit udp any any eq isakmp
access-list 105 permit udp any any eq 4500
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
snmp-server community public RO 1
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C UNAUTHORIZED ACCESS IS PROHIBITED BY LAW ^C
!
line con 0

line aux 0
line vty 0 4
 access-class 120 in

 rotary 1
 no exec
 transport input ssh
There is an access list on the http, but it just says that you have to have an IP address in the range 192.168.102.1-254 with a mask of 255.255.255.0.

You are forwarding ports with these commands:
"ip nat inside source static tcp 192.168.102.14 15001 interface FastEthernet0/1 15001"
This command says that someone from the outside can connect to 192.168.102.14 port 15001 by connecting to FA0/1's IP address on port 15001.

To configure a VPN tunnel, here is a link on how to do that.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

I could post the instructions but would hate to take up that much space, so what I will do is paste a sample config of one that I have done. This is just a pretend tunnel to another router at IP 1.2.3.4. All changeable names are in all caps. This states that any traffic from the 192.168.10.0/24 network going to the 10.1.2.0/24 and 10.1.3.0/24 networks will be sent down the tunnel.

When building a tunnel like this, since you are using NAT, you must also deny the traffic that is bound for the VPN from being NATed, which is what the NAT statement does.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REALLYLONGKEY address 1.2.3.4
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Preferred esp-3des esp-sha-hmac
!
crypto map TEST_VPN 118 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime seconds 3600
 set transform-set Preferred
 set pfs group2
 match address VPN_ADDRESS
 
ip access-list extended VPN_ADDRESS
 permit ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.1.3.0 0.0.0.255
 
ip nat inside source list 102 interface FastEthernet0/1 overload
 
access-list 102 deny ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip any any


Sorry for all the questions, but this is the first Cisco I have worked on.

I want to configure the tunnel from the Cisco router to a Netgear router. Is this possible, and what selection would I use on that link you sent me?
Thanks
PS: you need to apply the crypto map to the interface that is facing the device or host you want to create the VPN tunnel to (most of the time it is the outside interface). The command is
 
crypto map TEST_VPN

Note: you can assign only one map to an interface, but to see how to apply many tunnels under the same map, including tunnels for client VPNs, just look at the documentation link.
My example is from one router to another router, so you can reference that as you move through this documentation, but here is the link that I would suggest:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
PS: read this, it will help with troubleshooting your tunnel if it does not come up.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml
I am having a little trouble with the commands to make this happen. In the instructions, is the highlighted text the commands that I need to use, or are those not included in those instructions? I tried to start with the write terminal and then the crypto line, but I get "unknown command".

Sorry for the trouble, but this is another language for me.
Write terminal is the same as "show running-config".

You need to start with configure terminal to take you to config mode.

The link that you gave me is for configuring over a private network. I am just looking to go from my office over the internet to a Netopia router. Is this possible?
Your LAN IP address is 192.168.102.0/24; that is a private network, not the internet part. Chances are that behind the Netopia it is configured with a private IP scheme as well. A private network is defined as a network that is not routable over the Internet. There are three private network ranges.

192.168.0.0/24 - 192.168.255.0/24
172.16.0.0/16 - 172.31.0.0/16
10.0.0.0/8

If you look at the diagram in the link, you will notice that both end user networks are 10.x.x.x.
I understand that fully, but what the diagram shows is a gateway in the middle that is configured with 2 IPs on both sides. Should that be, in my case, one IP address, which would be the external IP?
Ignore the gateway. If you notice, there is no configuration for it. The gateway is just there to show enough hops to separate the two routers.
OK, I followed your documentation there and I replaced the 1.2.3.4 with the static WAN IP of that router.

My question is: is 192.168.10.0 the IP address of my router or the LAN IP of the other router?
192.168.10.0 is the internal LAN traffic being matched to travel down the tunnel to the other LAN segment, which is 10.1.2.0 and 10.1.3.0. The second part, where you see the deny lines, is where the traffic that is going down the tunnel is being denied from being NATed.
OK, here is what I have now. I am thinking that this should do it, but still no go.

Using 4047 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!

!
logging queue-limit 100
logging buffered 51200 warnings
aaa new-model
!

ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key DennisVPN address xxx.xxx.xxx.xxx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Preferred esp-3des esp-sha-hmac
!
crypto map Dennis_VPN 118 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 3600
 set transform-set Preferred
 set pfs group2
 match address VPN_ADDRESS
!
no call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN INTERFACE
 ip address 192.168.102.254 255.255.255.0
 ip nat inside
 speed 100
 half-duplex
!
interface FastEthernet0/1
 description WAN INTERFACE
 ip address dhcp
 ip access-group 105 in
 ip nat outside
 duplex auto
 speed auto
!
interface Ethernet1/0
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.102.12 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.102.12 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.102.14 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.102.15 9222 interface FastEthernet0/1 9222
ip nat inside source static tcp 192.168.102.14 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.102.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.102.14 15001 interface FastEthernet0/1 15001
ip nat inside source static tcp 192.168.102.14 15002 interface FastEthernet0/1 15002
ip nat inside source static tcp 192.168.102.14 15003 interface FastEthernet0/1 15003
ip nat inside source static tcp 192.168.102.14 15004 interface FastEthernet0/1 15004
ip nat inside source static tcp 192.168.102.14 15005 interface FastEthernet0/1 15005
ip nat inside source static tcp 192.168.102.14 15006 interface FastEthernet0/1 15006
ip nat inside source static tcp 192.168.102.14 15007 interface FastEthernet0/1 15007
ip nat inside source static tcp 192.168.102.15 8090 interface FastEthernet0/1 8090
ip classless
ip http server
ip http access-class 1
ip http authentication local
!
!
ip access-list extended VPN_ADDRESS
 permit ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
logging 192.168.102.5
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 permit tcp any eq 15001 any log
access-list 105 permit tcp any eq 15002 any log
access-list 105 permit tcp any eq 15003 any log
access-list 105 permit tcp any eq 15004 any log
access-list 105 permit tcp any eq 15005 any log
access-list 105 permit tcp any eq 15006 any log
access-list 105 permit tcp any eq 15007 any log
access-list 105 permit ip any any
access-list 105 permit ahp any any
access-list 105 permit esp any any
access-list 105 permit udp any any eq isakmp
access-list 105 permit udp any any eq 4500
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
snmp-server community public RO 1
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C UNAUTHORIZED ACCESS IS PROHIBITED BY LAW ^C
!
line con 0
 password 7 1411431804426C282C21232577
line aux 0
line vty 0 4
 access-class 120 in
rotary 1
 no exec
 transport input ssh
!
end
You need to apply the crypto map to your WAN interface. The command is below:
crypto map Dennis_VPN
You have two NAT statements. This one is NATing nothing (delete this one):
ip nat inside source list 102 interface FastEthernet0/1 overload

And this one is NATing everything (change access-list 120):
ip nat inside source list 120 interface FastEthernet0/1 overload
In this access list, NAT says: hey, I need to not match the traffic going down the tunnel and then match everything else.

access-list 120 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
I went ahead and put in all the changes, including the above crypto map statement, that it would take to fix your config. Proofread it, because I am not perfect, and feel free to post questions.
 

no ip nat inside source list 102 interface FastEthernet0/1 overload
 
no access-list 120
no access-list 102
 
access-list 120 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
interface FastEthernet0/1
crypto map Dennis_VPN
exit


I was just going to say also that the access list on your outside interface could be cleaned up; other than logging ports 15001-15007, it is basically allowing everything. If that is your intention, you just need the following lines:
access-list 105 permit tcp any eq 15001 any log
access-list 105 permit tcp any eq 15002 any log
access-list 105 permit tcp any eq 15003 any log
access-list 105 permit tcp any eq 15004 any log
access-list 105 permit tcp any eq 15005 any log
access-list 105 permit tcp any eq 15006 any log
access-list 105 permit tcp any eq 15007 any log
access-list 105 permit ip any any
<no other lines needed as the other statements are allowed with the "permit ip any any">
Now, if you don't need to do that logging, you can just delete the access-group altogether off the interface and delete access-list 105, just to keep things clean.
Thanks, that helps.
Here is what I've got now; I removed the logging and made those changes.
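The two questions this thread keeps circling back to, "what is being forwarded on this box?" and "is the VPN traffic kept out of NAT and is the crypto map actually on the WAN interface?", can be answered by reading the config offline rather than by eye. The script below is an added example, not code from the thread or from Cisco; it parses a constructed IOS snippet modelled on the final config posted above (peer address swapped for a documentation address, keys and unused ports left out) and reports the static port forwards plus the three mistakes diagnosed in the replies: a crypto map that is defined but not applied, a NAT overload list that lacks the deny for the tunnel traffic, and duplicate or empty overload statements. Endpoint comparison is exact-match or "any" only; it does not do subnet arithmetic.

```python
import re

# Constructed sample modelled on the final config posted in the thread (peer address
# replaced by a documentation address; hostname, keys and the other forwards omitted).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip nat outside
 crypto map Dennis_VPN
!
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.102.12 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.102.11 110 interface FastEthernet0/1 110
crypto map Dennis_VPN 118 ipsec-isakmp
 set peer 203.0.113.10
 match address VPN_ADDRESS
!
ip access-list extended VPN_ADDRESS
 permit ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
"""

def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A' or 'A WILDCARD'); return (endpoint, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/0.0.0.0", tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]

def _ace(action, proto, rest):
    """(action, proto, src, dst) for an extended ACE; None for standard or odd entries."""
    try:
        src, tokens = _endpoint(rest.split())
        if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
            tokens = tokens[2:]                      # skip a source-port qualifier
        return (action, proto, src, _endpoint(tokens)[0])
    except IndexError:
        return None

def parse_config(text):
    """Collect interfaces, static forwards, NAT overload lists, crypto maps and ACLs."""
    cfg = {"interfaces": {}, "forwards": [], "nat_lists": [], "crypto_maps": {}, "acls": {}}
    ctx = None                                       # enclosing block: (kind, name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and ctx:              # sub-command of the current block
            kind, name = ctx
            if kind == "interface" and (m := re.match(r"(ip nat|crypto map) (\S+)$", line)):
                cfg["interfaces"][name][m.group(1)] = m.group(2)
            elif kind == "acl" and (m := re.match(r"(permit|deny)\s+(\S+)\s+(.*)", line)):
                if ace := _ace(*m.groups()):
                    cfg["acls"][name].append(ace)
            elif kind == "cmap" and (m := re.match(r"match address (\S+)", line)):
                cfg["crypto_maps"][name].append(m.group(1))
            continue
        ctx = None
        if m := re.match(r"interface (\S+)", line):
            ctx, cfg["interfaces"][m.group(1)] = ("interface", m.group(1)), {}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m.group(1)); cfg["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            ctx = ("cmap", m.group(1)); cfg["crypto_maps"].setdefault(m.group(1), [])
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", line):
            proto, ip, iport, iface, oport = m.groups()
            cfg["forwards"].append((proto, iface, int(oport), ip, int(iport)))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            cfg["nat_lists"].append(m.groups())
        elif m := re.match(r"access-list (\S+)\s+(permit|deny)\s+(\S+)\s+(.*)", line):
            if ace := _ace(*m.groups()[1:]):
                cfg["acls"].setdefault(m.group(1), []).append(ace)
    return cfg

def forwarded_ports(cfg):
    """The 'what is forwarded?' answer: one entry per static NAT line, sorted by outside port."""
    return [f"{proto}/{oport} on {iface} -> {ip}:{iport}"
            for proto, iface, oport, ip, iport in sorted(cfg["forwards"], key=lambda f: f[2])]

def audit_vpn_nat(cfg):
    """Findings on the crypto map / NAT interplay; an empty list means it is consistent."""
    findings = []
    applied = {i["crypto map"]: n for n, i in cfg["interfaces"].items() if "crypto map" in i}
    for cmap, match_acls in cfg["crypto_maps"].items():
        if cmap not in applied:
            findings.append(f"crypto map {cmap} is defined but not applied to any interface")
        elif cfg["interfaces"][applied[cmap]].get("ip nat") != "outside":
            findings.append(f"crypto map {cmap} is on {applied[cmap]}, not the NAT outside interface")
        vpn = [(a[2], a[3]) for acl in match_acls for a in cfg["acls"].get(acl, []) if a[0] == "permit"]
        for src, dst in vpn:
            for acl_id, iface in cfg["nat_lists"]:
                for action, _, s, d in cfg["acls"].get(acl_id, []):
                    if s in ("any", src) and d in ("any", dst):   # first matching entry decides
                        if action == "permit":
                            findings.append(f"NAT list {acl_id} on {iface} translates VPN traffic "
                                            f"{src} -> {dst}; add a deny for it above the permit")
                        break
    ifaces = [iface for _, iface in cfg["nat_lists"]]
    if len(set(ifaces)) < len(ifaces):
        findings.append("several 'ip nat inside source list ... overload' on one interface; keep one")
    for acl_id, iface in cfg["nat_lists"]:
        if not any(a[0] == "permit" for a in cfg["acls"].get(acl_id, [])):
            findings.append(f"NAT list {acl_id} on {iface} has no permit entry, so it translates nothing")
    return findings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join(forwarded_ports(cfg) + (audit_vpn_nat(cfg) or ["VPN/NAT: no findings"])))
```

Feed it a real "show running-config" (with the password lines stripped) and the forward list is the answer to the first question in the thread; the audit reproduces the diagnosis given above, flagging the interim config (map not applied, list 102 translating nothing, list 120 translating everything) and staying silent on the corrected one.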

version 12.2

!

!
logging queue-limit 100
logging buffered 51200 warnings
aaa new-model

ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip dhcp-client default-router distance 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key DennisVPN1234567 address xxx.xxx.xxx.xxx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Preferred esp-3des esp-sha-hmac
!
crypto map Dennis_VPN 118 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 3600
 set transform-set Preferred
 set pfs group2
 match address VPN_ADDRESS
!
no call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN INTERFACE
 ip address 192.168.102.254 255.255.255.0
 ip nat inside
 speed 100
 half-duplex
!
interface FastEthernet0/1
 description WAN INTERFACE
 ip address dhcp
 ip access-group 105 in
 ip nat outside
 duplex auto
 speed auto
 crypto map Dennis_VPN
!
interface Ethernet1/0
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 description UNUSED
 no ip address
 shutdown
 half-duplex
!
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.102.12 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.102.12 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.102.14 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.102.15 9222 interface FastEthernet0/1 9222
ip nat inside source static tcp 192.168.102.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.102.14 15001 interface FastEthernet0/1 15001
ip nat inside source static tcp 192.168.102.14 15002 interface FastEthernet0/1 15002
ip nat inside source static tcp 192.168.102.14 15003 interface FastEthernet0/1 15003
ip nat inside source static tcp 192.168.102.14 15004 interface FastEthernet0/1 15004
ip nat inside source static tcp 192.168.102.14 15005 interface FastEthernet0/1 15005
ip nat inside source static tcp 192.168.102.14 15006 interface FastEthernet0/1 15006
ip nat inside source static tcp 192.168.102.14 15007 interface FastEthernet0/1 15007
ip nat inside source static tcp 192.168.102.15 8090 interface FastEthernet0/1 8090
ip classless
ip http server
ip http access-class 1
ip http authentication local
!
!
ip access-list extended VPN_ADDRESS
 permit ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
logging 192.168.102.5
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 102 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 120 permit ip 192.168.102.0 0.0.0.255 any
snmp-server community public RO 1
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C UNAUTHORIZED ACCESS IS PROHIBITED BY LAW ^C
!
line con 0
 line aux 0
line vty 0 4
 access-class 120 in

 rotary 1
 no exec
 transport input ssh
!
end
You can ignore the last post; it is not entirely correct, as I'm not 100% sure it covers
access-list 105 permit ahp any any
access-list 105 permit esp any any
But I am sure that it covers these:
access-list 105 permit udp any any eq isakmp
access-list 105 permit udp any any eq 4500
If you remove access-list 105, you need to remove the "access-group 105 in" from the interface.
BTW, did the tunnel come up?
I am trying to configure a Netopia R910 on the other side; do you know anything about those? I have the tunnel in the router, but I think I am not matching all the settings properly.
ASKER CERTIFIED SOLUTION
bkepford

Thanks for all the help.