Solved

Cisco CISCO877-K9 config

Posted on 2009-05-19
Last Modified: 2012-05-07
Hi Guys,

I'm replacing a Draytek Vigor 2800 with a CISCO877-K9.

It's been a very long time since I've been anywhere near Cisco kit and I need to set this one up pretty fast with a LAN interface, DSL connection, static route and finally an IPSec VPN.

Here are the details of what I need to configure (I changed any WAN addresses to fictitious ones). Please could somebody help me with this?

Many thanks

-=LAN=-
ip=192.168.57.1
s.net=255.255.255.0

No DHCP server


-=WAN=-

ISP=BT

PPPoE / PPPoA
VPI: 0
VCI: 38
Encapsulating type=VC MUX
Protocol=PPPoA
Modulation=G.DMT

Username=XXX@XXX.btclick.com
Password = ???

PPP Authentication= PAP or CHAP

Fixed IP= 81.81.81.81



-=Static routes=-

route #1
dest=192.168.54.0
s.net=255.255.255.0
g.way=192.168.57.3
i/face=LAN

-= VPN =-

IPSec
Target IP=213.213.213.213
IKE Authentication
IKE PSK= ?????
IPSec Security=Medium

RIP Direction=TX/RX Both
For NAT operation, treat remote sub-net as Private IP


TCPIP
My WAN IP=0.0.0.0
Remote GW WAN IP=192.168.200.254
Remote NW IP=192.168.200.0
Remote NW Mask=255.255.255.0

Question by:arundelr

Author Comment

by:arundelr
ID: 24422904
Just to let you know I have connected using the Console cable and am using Hyper terminal


Author Comment

by:arundelr
ID: 24424704
I managed to get the LAN interface configured and access via the web interface. Here is my config so far:
knbsap#show config

Using 1340 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname knbsap
!
boot-start-marker
boot-end-marker
!
enable secret*************
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1171943734
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1171943734
 revocation-check none
 rsakeypair TP-self-signed-1171943734
!
!
crypto pki certificate chain TP-self-signed-1171943734
 certificate self-signed 01 nvram:IOS-Self-Sig#5.cer
dot11 syslog
ip cef
!
!
!
!
!
username ****** privilege 15 password****
username*****privilege 15 password****
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.57.1 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 1
 privilege level 15
 login local
 transport input telnet ssh
line vty 2 4
 login
!
scheduler max-task-time 5000
end

knbsap#

LVL 15

Assisted Solution

by:bkepford
bkepford earned 500 total points
ID: 24557164
This config is from an 876, but I added in the PPPoA template and the ATM interface (the ATM interface configuration is not tested, so look at it first).

Again, this config is mixed and matched and hasn't been tested, but it may give you a starting point.
ip inspect log drop-pkt
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw cuseeme
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw h323
ip inspect name myfw imap
ip inspect name myfw pop3
ip inspect name myfw netshow
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw rtsp
ip inspect name myfw esmtp
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw sip
ip inspect name myfw sip-tls
ip inspect name myfw oraclenames
ip inspect name myfw oracle
ip inspect name myfw oracle-em-vp
ip inspect name myfw orasrv
!
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
!
username adminperson privilege 15 password <PASSWORD>
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <PRESHARED KEY> address 213.213.213.213
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Preferred esp-3des esp-sha-hmac
!
crypto map VPN_MAP 118 ipsec-isakmp
 set peer 213.213.213.213
 set security-association lifetime seconds 3600
 set transform-set Preferred
 set pfs group2
 match address VPN_TRAFFIC
!
!
interface ATM0.38 point-to-point
 no ip address
 no shutdown
 pvc 0/38
  encapsulation aal5mux ppp virtual-template 1
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface virtual-template 1
 description $FW_OUTSIDE$$ES_WAN$
 ip address 81.81.81.81 255.255.255.0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 ip access-group 101 in
 ppp authentication chap pap callin
 ppp chap hostname XXX@XXX.btclick.com
 ppp chap password <PASSWORD>
 ppp pap sent-username XXX@XXX.btclick.com password <PASSWORD>
 crypto map VPN_MAP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.57.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 <DEFAULT GATEWAY>
ip route 192.168.54.0 255.255.255.0 192.168.57.3
!
ip nat inside source list 102 interface virtual-template 1 overload
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.57.0 0.0.0.255 192.168.200.0 0.0.0.255
!
access-list 101 deny   ip any any log
access-list 102 deny ip 192.168.57.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip any any


Accepted Solution

by:
arundelr earned 0 total points
ID: 24557787
Hi,

Thanks for your input, no idea if yours works or not, after much effort I managed to get it working on the day I posted the question.

I have XX over the actual IP address and keys and posted my config just in case anybody else comes across this issue in future

cheers
Building configuration...

Current configuration : 3853 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname knbsap
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret ***********
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1171943734
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1171943734
 revocation-check none
 rsakeypair TP-self-signed-1171943734
!
!
crypto pki certificate chain TP-self-signed-1171943734
 certificate self-signed 01
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        quit
dot11 syslog
ip cef
!
!
!
!
!
username *********1 privilege 15 secret ***********
username********* privilege 15 secret ***************
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.xx.x 255.255.255.0
 ip tcp adjust-mss 1412
!
interface Dialer1
 ip address xx.xxx.xxx.xxx 255.255.255.248
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXX@hg7.btclick.com
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxxx@hg7.btclick.com password 0 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.xx.x 255.255.255.0 192.168.xx.x permanent
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.xx.0 0.0.0.255 192.168.xx.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 1
 privilege level 15
 login local
 transport input telnet ssh
line vty 2 4
 login
!
scheduler max-task-time 5000
end
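
Added example, not part of the thread or of either poster's config: a short Python check that walks an IOS configuration section by section and flags the settings in the working config above that matter for hardening (cleartext type 0 passwords, HTTP and telnet management, 3DES and DH group 2 for the tunnel). The names audit, CHECKS and SAMPLE and the wording of the findings are this example's own; SAMPLE is constructed from lines of the posted config.

```python
import re

# Constructed sample: security-relevant lines copied from the working config
# posted above (values were already masked by the poster).
SAMPLE = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
interface Dialer1
 dialer-group 1
 ppp chap password 0 xxxxxx
ip http server
ip http secure-server
line vty 0 1
 login local
 transport input telnet ssh
"""

# (required section prefix, line pattern, finding); "" matches any section.
CHECKS = [
    ("", r"no service password-encryption$", "password entries stay in cleartext"),
    ("", r".*\bpassword 0 ", "cleartext (type 0) password in the config"),
    ("", r"ip http server$", "management over unencrypted HTTP is enabled"),
    ("line vty", r"transport input .*\btelnet\b", "telnet is accepted on the vty lines"),
    ("crypto isakmp policy", r"encr(yption)? (des|3des)$", "IKE uses legacy DES/3DES"),
    ("crypto isakmp policy", r"group [12]$", "IKE DH group is 1024 bits or smaller"),
    ("crypto ipsec transform-set", r".*\besp-(des|3des)\b", "IPsec uses legacy DES/3DES"),
]

def audit(config):
    """Return (section, line, finding) tuples for every matching config line."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = line  # an unindented command opens a new section
        for prefix, pattern, finding in CHECKS:
            if section.startswith(prefix) and re.match(pattern, line):
                findings.append((section, line, finding))
    return findings

if __name__ == "__main__":
    for section, line, finding in audit(SAMPLE):
        print(f"{section}: {line!r} -> {finding}")
```

The section prefix keeps a line such as "group 2" from being reported outside an ISAKMP policy, and the blank and "!" separator lines of a pasted running-config are skipped.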
