dxbdxb2009

Configuring Cisco 1841.

Hi,

I have an 1841 router which is to be configured step by step with NAT, VPN and ACL.

I have configured its basic setup (find the config in the attached code).

But before going further to configure NAT, VPN, ACL, etc.:

1) I noticed that I am not able to telnet into my router from outside; from inside, from my PC, I can log in via telnet.

2) Could the 1841 router be a VPN server? If yes, please share the commands to configure it, and how can I test it?


Kindly advise at the earliest possible,

Thanks in advance...
ROUTER1841#sh run
Building configuration...

Current configuration : 2512 bytes
!
! Last configuration change at 10:20:40 UTC Tue May 17 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$20Xq$38Dz1aGiARIkKcj/EOukN.
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server XX.XX.20.20
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FGL151422PH
username admin privilege 15 password 0 password
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address XX.XX.191.102 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.7 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner motd ^C^C
!
line con 0
 exec-timeout 30 0
 password password
 login local
line aux 0
 password password
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password password
 login
 rotary 33
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password password
 login
 rotary 33
 transport input telnet
line vty 16 209
 password password
 login
!
scheduler allocate 20000 1000
end

ROUTER1841#

Craig Beck

You can enable Telnet and configure the VPN server via the Security Device Manager, or Cisco Configuration Professional.
There's a wizard to enable the VPN server.
You can enable management via any protocol you want under the Device Properties in SDM or under Router/Router Access in CCP.
By default routers are configured to accept telnet from the inside; to get access from the outside, create a NAT entry:
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0/0 23

I would recommend though, when everything is up and running, to switch to ssh.
What type of VPN are you thinking of, btw?
dxbdxb2009 (ASKER)

craigbeck: I would rather configure / see VPN later, but kindly help me get in via telnet first. SDM is also not working. I installed SDM with Java 6 updates; when I try to launch it, it opens an IE page asking for username and password, then I put in the correct username and password, it again opens one small IE window and suddenly closes. I don't know what's wrong with SDM. By googling I found some incompatibility with Java; someone says install Java 5, another says install Java 6 with update 11. I tried all but none of them is working. Please advise.

erniebeek: Okay, I put in the command as advised but even so I am not able to get in via telnet. Later advise me how to set up ssh as well.

Awaiting your early reply...
SOLUTION
Craig Beck

This solution is only available to members.
craigbeck: Yes, I can ping any outside IP from my router,

Adding the above command also could not help me; still not able to get to my router from outside.

I am downloading Java 6U24; will update you soon...
There is an ACL configured on each line on the router which is blocking TELNET access.
For TELNET you need to issue the following commands:

line vty 0 4
 no access-class 23 in
 transport input telnet
 exit
line vty 5 15
 no access-class 23 in
 transport input telnet
 exit
For telnet access, remove the access-class 23 in from the vty lines. Then it should work.
Oops, sorry craig.... 2fast4me :-~
I am leaving the office for the day; I can only update you tomorrow. Kindly be with me...

Thanks in advance....
We'll be here :)
Don't use telnet (it's not secure).  Configure ssh instead.

First create a username and password for ssh access.
username admin privilege 15 secret mysecretpassword



Generate an RSA crypto key.
crypto key generate rsa modulus 1024



Enable ssh version 2
ip ssh version 2



Configure the vty lines
line vty 0 15
login local
transport input ssh
no access-class 23 in
no rotary 33
no privilege level 15

Thanks craigbeck & erniebeek for your prompt replies, and sorry for the delay,
I have added the last commands you advised but I am still not able to get from outside into my router via telnet. I noticed I am not able to ping from outside now; it was pinging the last day I left it.
Everything is mashed up here in the configs, thus I am posting my current configs here again, attached in code.
Kindly advise at the earliest possible. I will be online today till 6:00 PM (GMT+4:00) and expect to finish the 1841 configuration today itself if you experts remain with me. Hopefully you will be...
--------------------------------------------------------------------------------------------------------
Thanks alexjfisher for the SSH configs. I would rather prefer the ssh config once telnet goes successfully. Anyway I am putting in the commands and will update you within 5 minutes. Please be with me..

Thanks ....
1841#
1841#sh run
Building configuration...

Current configuration : 2657 bytes
!
! Last configuration change at 05:31:39 UTC Sat May 21 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$20Xq$38Dz1aGiARIkKcj/EOukN.
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server XX.XX.XX.20
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FGL151422PH
username admin privilege 15 password 0 password
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address XX.XX.191.102 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.7 255.255.255.0
 ip access-group 10 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0/0 23
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 XX.XX.191.101
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
control-plane
^C
banner motd ^C^C
!
line con 0
 exec-timeout 30 0
 password password
 login local
line aux 0
 password password
 login local
line vty 0 4
 privilege level 15
 password password
 login local
 rotary 33
 transport input telnet
line vty 5 15
 privilege level 15
 password password
 login local
 rotary 33
 transport input telnet
line vty 16 209
 password password
 login
!
scheduler allocate 20000 1000
end


alexjfisher:

The cry command gives the below error in global config mode at the router:

"1841(config)#crypto key generate rsa modulus 1024
                        ^
% Invalid input detected at '^' marker."

Please advise...
Okay... having waited long, I am going to run "write erase"...

I want to do the following; kindly advise step by step:
1. Telnet to the router from the outside world?
2. Configuring an extended ACL with NAT
3. Allowing only www traffic from host 192.168.100.170 + the 192.168.1.0 network,
4. Blocking outgoing FTP requests from 192.168.100.170 + the 192.168.1.0 network,
5. Blocking all ping requests from inside to outside (all internal networks),

Once this is configured, the rest I will do later...

Please reply at the earliest possible...
Odd.  Could you share the output of 'show version' with us?
My guess is that you're running one of the 'W/O Crypto' images.
Alex is correct, you are running a version of IOS without the 'k9' features.
You will need to install a crypto version of IOS in order to use SSH.
SOLUTION

This solution is only available to members.
alexjfisher: Thanks for your reply, here is the output of 'show version':

------------------------------------------------------------------------------------------------------


User Access Verification

Password:
1841>en
Password:
1841#sh ver
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 15:40 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

1841 uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c1841-ipbase-mz.150-1.M4.bin"
Last reload type: Normal Reload

Cisco 1841 (revision 7.0) with 235520K/26624K bytes of memory.
Processor board ID FGL151422PH
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
63808K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1841             FGX1X1X2XPX



Configuration register is 0x2102

1841#

------------------------------------------------------------------------------------------------------
I have no idea how to check whether my router IOS is a 'W/O Crypto' or 'W/ Crypto' image.
Of course I have to use VPN, so I must need a crypto-enabled IOS.

craigbeck: what is the K9 feature?
From where can I get the crypto version of IOS, and is it free or ...?

Kindly advise at the earliest possible...

The IOS file must have 'k9' in it somewhere to signify strong encryption is included.

As an example you have c1841-ipbase-mz.150-1.M4.bin
This shows you are using the IPBase feature set with no cryptographic features.

If you had c1841-ipbasek9-mz.150-1.M4.bin for example this would mean you have the IPBase feature set with cryptographic features.

You can download any version of IOS for your router from Cisco's website, providing you have a valid service agreement for the router.  If you don't have a service agreement you can purchase one from your Cisco reseller - but ask if you can use the service agreement to download a new version of IOS for the router.
Just for info, I have an 1811 router running c181x-advipservicesk9-mz.124-15.T12.bin

This version of IOS allows SSH and VPN - so you might want to try the same version on your 1841.
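As an added example (not code from the thread, from Cisco or from any of the posters), a short Python audit that applies the management-plane points made in this thread to a running-config: it parses the `line vty` sections, flags telnet transport, line-password-only `login`, missing or undefined `access-class` ACLs, type-0 `username ... password` entries and a static NAT of port 23 to the outside, and tests an image file name for the 'k9' marker described above. SAMPLE_RUN is a constructed excerpt in the shape of the asker's `show run`, not the full posted config.

```python
import re

# Constructed excerpt in the shape of the posted 'show run'; not the asker's full output.
SAMPLE_RUN = """\
username admin privilege 15 password 0 password
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0/0 23
line vty 0 4
 access-class 23 in
 password password
 login
 transport input telnet
line vty 5 15
 login local
 transport input ssh
"""

def image_has_crypto(image):
    """IOS image names carry 'k9' on the feature-set token (e.g. 'ipbasek9')
    when cryptographic features such as SSH are included."""
    return image.split('-')[1].endswith('k9')

def parse(run):
    """Top-level statements plus a map of section header -> indented children."""
    top, children, parent = [], {}, None
    for raw in run.splitlines():
        if raw.startswith(' ') and parent:
            children.setdefault(parent, []).append(raw.strip())
        elif raw and not raw.startswith('!'):
            parent = raw.strip()
            top.append(parent)
    return top, children

def audit(run):
    top, children = parse(run)
    # ACL numbers/names actually defined in this config (numbered and named forms)
    acls = {m.group(1) or m.group(2) for m in re.finditer(r'^(?:access-list (\S+)|ip access-list \w+ (\S+))', run, re.M)}
    f = []
    for s in top:
        if re.match(r'username \S+.* password ', s):
            f.append(f'username {s.split()[1]}: cleartext/type-0 password; use secret')
        if re.match(r'ip nat inside source static tcp \S+ (22|23) ', s):
            f.append(f'management port exposed on the outside interface: {s}')
    for hdr, body in ((h, b) for h, b in children.items() if h.startswith('line vty')):
        if any(c.startswith('transport input') and ('telnet' in c or 'all' in c) for c in body):
            f.append(f'{hdr}: telnet permitted; prefer transport input ssh')
        if 'login' in body:
            f.append(f'{hdr}: line password only (login); prefer login local')
        ac = [c.split()[1] for c in body if c.startswith('access-class')]
        if not ac:
            f.append(f'{hdr}: no access-class restricting management sources')
        f += [f'{hdr}: access-class {n} references an ACL not defined in this config' for n in ac if n not in acls]
    return f
```

Run `audit(open('show_run.txt').read())` against a saved `show run` to get the findings list; `audit(SAMPLE_RUN)` returns six findings for the excerpt above.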
As suspected, you're running IPBASE with crypto features removed.
The k9 version of the image you're running will let you configure ssh, but still doesn't contain any VPN stuff.

To legally download a new image from Cisco, you'll need a service contract.  If you need to configure a VPN on this router you'll also need to upgrade to a minimum of Advanced Security.

Use the Cisco Feature Navigator tool to determine what features are available in any particular IOS release.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

The version you would most likely need is the Advanced IP Services (c1841-advipservicesk9-mz.151-4.M.bin).
Officially you need 'a' SmartNet for that. Just get the cheapest one and you'll get access to most software.....

A smartnet contract will only entitle you to IP BASE updates.  In the past (I think this may have recently changed), you may have technically been able to download better feature sets, but cisco have always monitored what you downloaded.  To get legal access to something better than IP BASE, you'll need to purchase the appropriate license upgrade as well.

If you need to upgrade (for instance to use some VPN features), get the cheapest feature set for the features you need.  There's no point in paying for stuff you'll never use.
For instance, I imagine Advanced Security may be significantly cheaper than Advanced IP Services.
@alexjfisher: okayyyyyyyyyyyy, didn't know that. Must have been a recent change then.
Well, never too late to learn :)
Thanks to all of you EEs,

craigbeck: thanks for your replies... I have asked my friend who is pursuing CCIE for this IOS image and he provided me one named "c1841-adventerprisek9-mz.124-22.T.bin", 37.7MB.
Now please advise: can I use this file forever in my 1841? If yes, please share the process to replace the existing one, and how to back up the existing one before placing the new "K9" one.
--------------------------------------
alexjfisher: good link for the tool to look into IOS, thanks.
Is it not legal to use the IOS which I got from my friend?
"If you need to configure a VPN on this router you'll also need to upgrade to a minimum of Advanced Security."...... What are Advanced Security and SmartNet? How do I get AS + SmartNet + Advanced IP Services?
---------------------------------------

Kindly advise on this question as well:
https://www.experts-exchange.com/questions/27053017/How-to-Create-ACL-NAT-on-Cisco-Router-1841.html

Thanks in advance...
ASKER CERTIFIED SOLUTION

This solution is only available to members.
Thank you alexjfisher for your valuable info and help,
I got the concept; I have not opted for the correct IOS.
Is there a huge difference in price between an upgrade licence and a new licence for 'Advanced Security'?
If not then I will be asking my reseller to upgrade this IOS..

Also I request you to join my other question and advise accordingly by the time I ask my reseller to get the price..
My question is here:
https://www.experts-exchange.com/questions/27053017/How-to-Create-ACL-NAT-on-Cisco-Router-1841.html
Awaiting your early reply,
Many thanks...