Cisco 857 router configuration how-to.

Posted on 2009-02-13
Last Modified: 2012-08-14
Hello,
We have Cisco 857 routers configured for our small branch locations. These all connect to our head office via permanent VPN tunnels created via Cisco Security Manager.
We have one instance where local devices can access the internet directly, thus bypassing the VPN tunnel back to head office. This was done by a 3rd party, i.e. the internet traffic on that branch's LAN can only go to this one other place on the internet; all other internet-bound traffic is directed back over the VPN tunnel, where it is filtered etc.

For another location, we need to allow handheld terminals that connect into the router to:
- gain outbound access to the internet to a specific location (via DNS name), probably using a specific port or ports.
- This outbound connection should freely accept any incoming responses where the connection has originated from the handheld device.

Can anyone please advise the exact commands to use when SSH'd onto the router to enable this?

Thanks, regards
Question by:TED_UBB

Expert Comment

by:MrJemson
ID: 23640520
Will need to see your existing config.
It will be part of an access-list.

Author Comment

by:TED_UBB
ID: 23648221
OK, thanks. Can you advise how to pull off a copy of the config? This stuff is new to me, as you can probably imagine, so think of me as a complete beginner in this.
regards

Expert Comment

by:MrJemson
ID: 23648326
"show run"

Cut and paste all the output.
The space bar will drop down another page when it says --more--

Author Comment

by:TED_UBB
ID: 23650728
lol, I knew that one, have done it enough times.... Anyway, here's the config:
I have replaced IP addresses with x.x.x.x and names with xxx.
Thanks in advance,
regards

Building configuration...
 
Current configuration : 6638 bytes
!
! Last configuration change at 16:50:37 UTC Thu Dec 4 2008 by 
! NVRAM config last updated at 16:50:39 UTC Thu Dec 4 2008 by
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot system flash:c850-advsecurityk9-mz.124-15.T4.bin
boot-end-marker
!
!
no aaa new-model
clock summer-time UTC date Mar 31 2008 0:01 Oct 1 2008 0:01
!
crypto pki trustpoint TP-self-signed-397841442
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-397841442
 revocation-check none
 rsakeypair TP-self-signed-397841442
!
!
crypto pki certificate chain TP-self-signed-397841442
 certificate self-signed 01
  	quit
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.x x.x.x.x
!
ip dhcp pool SITE-02
   network x.x.x.x x.x.x.x
   default-router x.x.x.x 
   domain-name xxx.com
   dns-server x.x.x.x x.x.x.x 
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name xxx.com
!
!
!
username xxx privilege 15 secret 5 $1$f9.K$H3yEEhyRApjUdWueo.Nt5/
username xxx privilege 15 secret 5 $1$wmcF$yoIiqvGzq6LocwXjOl3cw0
username xxx privilege 15 secret 5 $1$hCn2$V6h/GnfbS9WeE4OuaiNrW.
! 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VtbLOv2d28pH6VLhntkXNhvL address x.x.x.x no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac 
!
crypto map CSM_CME_Dialer0 1 ipsec-isakmp 
 description Provisioned by CSM: Peer device = xxx
 set peer x.x.x.x
 set transform-set CSM_TS_1 
 set pfs group1
 match address CSM_IPSEC_ACL_2
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface Loopback1
 description Provisioned by CSM (private interface)
 ip address x.x.x.x x.x.x.x
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description ** BROADBAND WAN **
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description Provisioned by CSM (private interface)
 ip address x.x.x.x x.x.x.x
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Provisioned by CSM (public interface)
 ip address x.x.x.x x.x.x.x
 ip access-group BLOCK in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 7 0200085419070332585C0C1C1145415B
 crypto map CSM_CME_Dialer0
 crypto ipsec fragmentation before-encryption
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source list NAT-Filter interface Dialer0 overload
!
ip access-list standard CSM_SNMP_ACL_1
 permit x.x.x.x
!
ip access-list extended BLOCK
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any host-unreachable
 permit icmp any any time-exceeded
 permit tcp any any eq 22
 permit ip host 195.112.2.50 any
 permit ip host 213.208.100.235 any
 permit 57 x.x.x.x 0.0.0.15 any
 permit ahp x.x.x.x 0.0.0.15 any
 permit esp x.x.x.x 0.0.0.15 any
 permit tcp x.x.x.x 0.0.0.15 any eq 500 4500
 permit udp x.x.x.x 0.0.0.15 any eq isakmp non500-isakmp
ip access-list extended CSM_IPSEC_ACL_2
 permit ip x.x.x.x 0.0.0.31 x.x.x.x 0.0.3.255
 permit ip x.x.x.x 0.0.0.31 x.x.x.x 0.0.0.31
 permit ip x.x.x.x 0.0.0.31 host 192.168.99.1
ip access-list extended NAT-Filter
 deny   ip x.x.x.x 0.0.0.31 x.x.x.x 0.0.3.255
 deny   ip x.x.x.x 0.0.0.31 x.x.x.x 0.0.0.31
 deny   ip x.x.x.x 0.0.0.31 host 192.168.99.1
 deny   ip host 192.168.99.2 x.x.x.x 0.0.3.255
 deny   ip host 192.168.99.2 x.x.x.x 0.0.0.31
 deny   ip host 192.168.99.2 host 192.168.99.1
 permit ip x.x.x.x 0.0.0.31 any
 permit ip host 192.168.99.2 any
 permit ip any host 195.112.2.50
 permit ip any host 213.208.100.235
!
logging source-interface Vlan1
access-list 1 permit x.x.x.x 0.0.0.15
dialer-list 1 protocol ip permit
snmp-server community m4n43m3nt RO CSM_SNMP_ACL_1
snmp-server community Qu1nt4de4lder1z RO CSM_SNMP_ACL_1
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
sntp server 192.168.99.1
sntp source-interface Vlan1
end


Author Comment

by:TED_UBB
ID: 23651064
Sorry, to add: we would need to allow internet access for any devices attached to the router (being non-discriminate here) to internet IP a.b.c.d port abcde.
Hope that makes sense.
regards

Expert Comment

by:MrJemson
ID: 23654351
Hello,

Please provide the config again without removing the private IP addresses (e.g. 192.__.__.__).

Feel free to remove any names and PUBLIC IP addresses, but I can't do anything without the internal IP addressing.

Author Comment

by:TED_UBB
ID: 23657780
May have got carried away there. OK, I have reattached and only removed any company names, usernames and our internet IPs. Hopefully there is enough info there now.
regards

Building configuration...
 
Current configuration : 6638 bytes
!
! Last configuration change at 16:50:37 UTC Thu Dec 4 2008 by 
! NVRAM config last updated at 16:50:39 UTC Thu Dec 4 2008 by 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot system flash:c850-advsecurityk9-mz.124-15.T4.bin
boot-end-marker
!
!
no aaa new-model
clock summer-time UTC date Mar 31 2008 0:01 Oct 1 2008 0:01
!
crypto pki trustpoint TP-self-signed-397841442
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-397841442
 revocation-check none
 rsakeypair TP-self-signed-397841442
!
!
crypto pki certificate chain TP-self-signed-397841442
 certificate self-signed 01
  	quit
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.150.42 172.16.150.62
!
ip dhcp pool SITE-02
   network 172.16.150.32 255.255.255.224
   default-router 172.16.150.62 
   domain-name xxx
   dns-server 172.16.0.11 172.16.0.12 
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name xxx
!
!
!
username xxx privilege 15 secret 5 $1$f9.K$H3yEEhyRApjUdWueo.Nt5/
username xxx privilege 15 secret 5 $1$wmcF$yoIiqvGzq6LocwXjOl3cw0
username xxx privilege 15 secret 5 $1$hCn2$V6h/GnfbS9WeE4OuaiNrW.
! 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VtbLOv2d28pH6VLhntkXNhvL address x.x.x.x no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac 
!
crypto map CSM_CME_Dialer0 1 ipsec-isakmp 
 description Provisioned by CSM: Peer device = xxx
 set peer x.x.x.x
 set transform-set CSM_TS_1 
 set pfs group1
 match address CSM_IPSEC_ACL_2
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface Loopback1
 description Provisioned by CSM (private interface)
 ip address 192.168.99.2 255.255.255.255
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description ** BROADBAND WAN **
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description Provisioned by CSM (private interface)
 ip address 172.16.150.62 255.255.255.224
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Provisioned by CSM (public interface)
 ip address x.x.x.x 255.255.255.0
 ip access-group BLOCK in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 7 0200085419070332585C0C1C1145415B
 crypto map CSM_CME_Dialer0
 crypto ipsec fragmentation before-encryption
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source list NAT-Filter interface Dialer0 overload
!
ip access-list standard CSM_SNMP_ACL_1
 permit 172.16.0.18
!
ip access-list extended BLOCK
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any host-unreachable
 permit icmp any any time-exceeded
 permit tcp any any eq 22
 permit ip host 195.112.2.50 any
 permit ip host 213.208.100.235 any
 permit 57 x.x.x.x 0.0.0.15 any
 permit ahp x.x.x.x 0.0.0.15 any
 permit esp x.x.x.x 0.0.0.15 any
 permit tcp x.x.x.x 0.0.0.15 any eq 500 4500
 permit udp x.x.x.x 0.0.0.15 any eq isakmp non500-isakmp
ip access-list extended CSM_IPSEC_ACL_2
 permit ip 172.16.150.32 0.0.0.31 172.16.0.0 0.0.3.255
 permit ip 172.16.150.32 0.0.0.31 192.168.176.0 0.0.0.31
 permit ip 172.16.150.32 0.0.0.31 host 192.168.99.1
ip access-list extended NAT-Filter
 deny   ip 172.16.150.32 0.0.0.31 172.16.0.0 0.0.3.255
 deny   ip 172.16.150.32 0.0.0.31 192.168.176.0 0.0.0.31
 deny   ip 172.16.150.32 0.0.0.31 host 192.168.99.1
 deny   ip host 192.168.99.2 172.16.0.0 0.0.3.255
 deny   ip host 192.168.99.2 192.168.176.0 0.0.0.31
 deny   ip host 192.168.99.2 host 192.168.99.1
 permit ip 172.16.150.32 0.0.0.31 any
 permit ip host 192.168.99.2 any
 permit ip any host 195.112.2.50
 permit ip any host 213.208.100.235
!
logging source-interface Vlan1
access-list 1 permit x.x.x.x 0.0.0.15
dialer-list 1 protocol ip permit
snmp-server community m4n43m3nt RO CSM_SNMP_ACL_1
snmp-server community Qu1nt4de4lder1z RO CSM_SNMP_ACL_1
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
sntp server 192.168.99.1
sntp source-interface Vlan1
end

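The access-list change that the pasted config points to for the last requirement, as an added example that is not from the thread or from MrJemson: NAT-Filter already permits 172.16.150.32/27 to any destination, but BLOCK (applied inbound on Dialer0) has no entry for the server's replies and the config has no ip inspect, so those replies would fall through to the implicit deny. It assumes the handhelds use TCP, and that a.b.c.d and abcde are the thread's placeholders for the server's resolved address and port.

```cisco
! Added example, not from the thread. Placeholders: a.b.c.d = the
! destination's resolved IP (IOS 12.4 extended ACLs match addresses,
! not DNS names, so resolve the name first); abcde = its TCP port.
!
! 1. Return traffic. BLOCK is the inbound ACL on Dialer0 and ends with the
!    implicit "deny ip any any"; with no "ip inspect" in the config, replies
!    from the new server need an explicit entry. New lines in a named ACL
!    are appended at the end, which is safe here because BLOCK has no
!    explicit deny. "established" matches only packets with ACK or RST set,
!    i.e. replies to connections the handhelds opened, never new inbound
!    SYNs. The inbound ACL is evaluated before NAT, so the destination is
!    the public Dialer0 address; "any" avoids hard-coding it.
configure terminal
ip access-list extended BLOCK
 permit tcp host a.b.c.d eq abcde any established
!
! 2. Outbound path: nothing to add. NAT-Filter already ends with
!    "permit ip 172.16.150.32 0.0.0.31 any", so handheld traffic to a.b.c.d
!    is translated behind Dialer0, while the deny lines above it keep the
!    head-office, 192.168.176.0/27 and 192.168.99.1 traffic on the tunnel
!    (those destinations are what CSM_IPSEC_ACL_2 encrypts).
end
write memory
!
! Verify: the hit counter on the new BLOCK entry should increase while a
! handheld talks to the server, and the translation table should show the
! handheld's 172.16.150.x address mapped behind the Dialer0 address.
show access-lists BLOCK
show ip nat translations
```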

Author Comment

by:TED_UBB
ID: 23927645
Anyone who can possibly help with this please?
regards

Accepted Solution

by:
TED_UBB earned 0 total points
ID: 24105012
I think I should close this as I haven't had any responses. How do I do that?