Configuring Cisco 1841.

dxbdxb2009
Hi,

I have an 1841 router which is to be configured step by step with NAT, VPN, ACL.

I have configured its basic setup (find the configs in the attached code).

But before going further to configure NAT, VPN, ACL, etc....

1) I noticed that I am not able to telnet into my router from outside; from inside, from my PC, I can log in via telnet.

2) Could the 1841 router be a VPN server? If yes, please share the commands to configure it, and how I can test it.


Kindly advise at the earliest possible,

thanks in advance...
ROUTER1841#sh run
Building configuration...

Current configuration : 2512 bytes
!
! Last configuration change at 10:20:40 UTC Tue May 17 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$20Xq$38Dz1aGiARIkKcj/EOukN.
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server XX.XX.20.20
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FGL151422PH
username admin privilege 15 password 0 password
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address XX.XX.191.102 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.7 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner motd ^C^C
!
line con 0
 exec-timeout 30 0
 password password
 login local
line aux 0
 password password
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password password
 login
 rotary 33
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password password
 login
 rotary 33
 transport input telnet
line vty 16 209
 password password
 login
!
scheduler allocate 20000 1000
end

ROUTER1841#

Top Expert 2014

Commented:
You can enable Telnet and configure the VPN server via the Security Device Manager, or Cisco Configuration Professional.
There's a wizard to enable the VPN server.
You can enable management via any protocol you want under the Device Properties in SDM or under Router/Router Access in CCP.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
By default routers are configured to accept telnet from the inside; to get access from the outside, create a NAT entry:
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0/0 23

I would recommend though, when everything is up and running, to switch to ssh.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
What type of VPN are you thinking of, btw?

Author

Commented:
craigbeck: I would rather configure / see VPN later, but kindly help me with getting in via telnet first. SDM is also not working. I installed SDM with Java 6 updates; when I try to launch it, it opens an IE page asking for username and password, then when I put in the correct username and password it opens one small IE window again and suddenly closes. I don't know what's wrong with SDM. By googling I found some incompatibility with Java: someone says install Java 5, others say install Java 6 with update 11. I tried all but none of them is working. Please advise.

erniebeek: Okay, I put in the command as advised, but even so I am not able to get in via telnet. Later, advise me how to set up SSH as well.

Awaiting your earliest reply...
Top Expert 2014
Commented:
OK, to configure a VPN using a Cisco router have a look here... Cisco can provide a better config than me, depending on what VPN you want to configure...

http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html

Do you have internet access via the router? The default gateway is set to the interface Fa0/0, but you have a /30 configured, so you could replace the following:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

with

ip route 0.0.0.0 0.0.0.0 XX.XX.191.101


With the Java issue, I have had loads of problems with different versions.  The version I have on my PC right now is Version 6 Update 24 (build 1.6.0_24-b07).

Author

Commented:
craigbeck: Yes, I can ping any outside IP from my router.

Adding the above command also could not help me... still not able to get to my router from outside.

I am downloading Java 6U24... will update you soon...
Top Expert 2014

Commented:
There is an ACL configured on each line on the router which is blocking TELNET access.
For TELNET you need to issue the following commands:

line vty 0 4
 no access-class 23 in
 transport input telnet
 exit
line vty 5 15
 no access-class 23 in
 transport input telnet
 exit
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
For telnet access, remove the access-class 23 in from the vty lines. Then it should work.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Oops, sorry craiq.... 2fast4me :-~

Author

Commented:
I am leaving the office for the day... could only update you tomorrow... kindly be with me...

thanks in advance....
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
We'll be here :)
Don't use telnet (it's not secure).  Configure ssh instead.

First create a username and password for ssh access.
username admin privilege 15 secret mysecretpassword


Generate an RSA crypto key.
crypto key generate rsa modulus 1024


Enable SSH version 2.
ip ssh version 2


Configure the vty lines.
line vty 0 15
login local
transport input ssh
no access-class 23 in
no rotary 33
no privilege level 15

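As an added illustration (not code from the thread, from Cisco, or from any of the posters), a small Python audit that parses a running-config in the form posted above and flags the remote-access issues this thread turns on: vty lines that still accept telnet, user passwords stored reversibly, clear-text HTTP management, and an access-class that points at an ACL the config never defines (the posted config applies access-class 23 to the vty lines but only defines access-list 1). The sample config is constructed, not the asker's device output.

```python
import re

# Constructed sample in the form of the running-config posted above (not the
# asker's real device output): only the parts that matter for remote access.
SAMPLE_CONFIG = """\
no service password-encryption
username admin privilege 15 password 0 password
ip http server
access-list 1 permit 192.168.100.0 0.0.0.255
line vty 0 4
 access-class 23 in
 password password
 login
 transport input telnet
line vty 5 15
 password password
 login local
 transport input ssh
"""

def parse_line_stanzas(config):
    """Group each 'line ...' stanza with its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any unindented command ends the stanza
    return stanzas

def audit_config(config):
    """Return finding strings for clear-text telnet/HTTP, reversible passwords,
    and vty access-classes that reference an ACL the config never defines."""
    lines = config.splitlines()
    findings = []
    defined_acls = set()
    for ln in lines:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", ln)
        if m:
            defined_acls.add(m.group(1))
        if re.match(r"username \S+ .*\bpassword\b", ln):
            findings.append("global: user '%s' uses password instead of secret" % ln.split()[1])
    if "no service password-encryption" in lines:
        findings.append("global: line passwords are stored in clear text")
    if "ip http server" in lines:
        findings.append("global: clear-text HTTP management is enabled")
    for name, cmds in parse_line_stanzas(config).items():
        if not name.startswith("line vty"):
            continue
        for cmd in cmds:
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append("%s: clear-text telnet is allowed" % name)
            m = re.match(r"access-class (\S+) in", cmd)
            if m and m.group(1) not in defined_acls:
                findings.append("%s: access-class references undefined ACL %s" % (name, m.group(1)))
    return findings
```

Run it against the output of `show running-config` saved to a file; the vty 5 15 stanza in the sample, with `login local` and `transport input ssh`, produces no finding.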

Author

Commented:
Thanks craigbeck & erniebeek for your prompt replies, & sorry for the delay.
I have added the last commands you advised, but I am still not able to get from outside into my router via telnet. I noticed I am not able to ping from outside now... it was pinging the last day I left it.
Everything is mashing here in the configs, thus I am posting my current configs here again, attached in code.
Kindly advise... at the earliest possible.... I will be online today till 6:00 PM (GMT+4:00) & expecting to finish the 1841 configuration today itself if you experts remain with me... Hopefully will be....
--------------------------------------------------------------------------------------------------------
Thanks alexjfisher for the SSH configs... I would rather prefer the SSH config once the telnet goes successful... anyway I am putting in the commands & will update you... within 5 minutes.... please be with me..

thanks ....
1841#
1841#sh run
Building configuration...

Current configuration : 2657 bytes
!
! Last configuration change at 05:31:39 UTC Sat May 21 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$20Xq$38Dz1aGiARIkKcj/EOukN.
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server XX.XX.XX.20
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FGL151422PH
username admin privilege 15 password 0 password
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address XX.XX.191.102 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.7 255.255.255.0
 ip access-group 10 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0/0 23
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 XX.XX.191.101
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
control-plane
^C
banner motd ^C^C
!
line con 0
 exec-timeout 30 0
 password password
 login local
line aux 0
 password password
 login local
line vty 0 4
 privilege level 15
 password password
 login local
 rotary 33
 transport input telnet
line vty 5 15
 privilege level 15
 password password
 login local
 rotary 33
 transport input telnet
line vty 16 209
 password password
 login
!
scheduler allocate 20000 1000
end


Author

Commented:
alexjfisher:

The cry command gives the below error in Global Config mode at router:-

"1841(config)#crypto key generate rsa modulus 1024
                        ^
% Invalid input detected at '^' marker."

Please advise...

Author

Commented:
Okay... having waited long... I am going to run "write erase"...

I want to do the following; kindly advise step by step:
1. Telnet to the router from the outside world?
2. Configuring an extended ACL with NAT
3. Allowing only WWW traffic from host 192.168.100.170 + the 192.168.1.0 network,
4. Blocking outgoing FTP requests from 192.168.100.170 + the 192.168.1.0 network,
5. Blocking all ping requests from inside to outside (all internal networks),

First this is to be configured; the rest I will do later...

Please reply at the earliest possible...

The cry command gives the below error in Global Config mode at router:-

"1841(config)#crypto key generate rsa modulus 1024
                        ^
% Invalid input detected at '^' marker."

Odd.  Could you share the output of 'show version' with us?
My guess is that you're running one of the 'W/O Crypto' images.
Top Expert 2014

Commented:
alex is correct, you are running a version of IOS without the 'k9' features.
You will need to install a crypto version of IOS in order to use SSH.
And of course you won't be able to configure any sort of VPN without a crypto enabled image.

Author

Commented:
alexjfisher: Thanks for your reply, here is the output of 'show version':

------------------------------------------------------------------------------------------------------


User Access Verification

Password:
1841>en
Password:
1841#sh ver
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 15:40 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

1841 uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c1841-ipbase-mz.150-1.M4.bin"
Last reload type: Normal Reload

Cisco 1841 (revision 7.0) with 235520K/26624K bytes of memory.
Processor board ID FGL151422PH
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
63808K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1841             FGX1X1X2XPX



Configuration register is 0x2102

1841#

------------------------------------------------------------------------------------------------------
I have no idea how to check whether my router IOS is a 'W/O Crypto' or 'W/ Crypto' image.
Of course I've got to use VPN, so I must need crypto-enabled IOS.

craigbeck: what is the K9 feature?
From where can I get the crypto version of IOS, & is it free or ...?

Kindly advise at the earliest possible...

Top Expert 2014

Commented:
The IOS file must have 'k9' in it somewhere to signify strong encryption is included.

As an example you have c1841-ipbase-mz.150-1.M4.bin
This shows you are using the IPBase feature set with no cryptographic features.

If you had c1841-ipbasek9-mz.150-1.M4.bin for example this would mean you have the IPBase feature set with cryptographic features.

You can download any version of IOS for your router from Cisco's website, providing you have a valid service agreement for the router.  If you don't have a service agreement you can purchase one from your Cisco reseller - but ask if you can use the service agreement to download a new version of IOS for the router.
Top Expert 2014

Commented:
Just for info, I have an 1811 router running c181x-advipservicesk9-mz.124-15.T12.bin

This version of IOS allows SSH and VPN - so you might want to try the same version on your 1841.
As suspected, you're running IPBASE with crypto features removed.
The k9 version of the image you're running will let you configure ssh, but still doesn't contain any VPN stuff.

To legally download a new image from cisco, you'll need a service contract.  If you need to configure a VPN on this router you'll also need to upgrade to a minimum of Advanced Security.

Use the Cisco Feature Navigator tool to determine what features are available in any particular IOS release.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
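As an added example (not from the thread, from Cisco, or from any poster), a Python helper that pulls the feature set out of an IOS image file name the way craigbeck and alexjfisher describe it, and reports what each file allows: SSH needs the 'k9' marker, and, per alexjfisher's note, an IP Base k9 image still has no VPN. The VPN rule encodes only what this thread states, not Cisco's full feature matrix; check the Feature Navigator for a real release.

```python
import re

# Image names quoted in this thread; these are the only inputs the example uses.
IMAGES = [
    "c1841-ipbase-mz.150-1.M4.bin",
    "c1841-ipbasek9-mz.150-1.M4.bin",
    "c181x-advipservicesk9-mz.124-15.T12.bin",
    "c1841-adventerprisek9-mz.124-22.T.bin",
]

# <platform>-<feature set>-<format>.<version>.bin; the format "mz" means the
# image runs from RAM ("m") and is compressed ("z").
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>[a-z0-9]+)-(?P<fmt>[a-z]+)\.(?P<version>.+)\.bin$")


def describe_image(filename):
    """Split an IOS image file name into its parts and report whether the
    feature set carries the 'k9' crypto marker that craigbeck describes."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError("not a recognised IOS image name: %r" % filename)
    feature = m.group("feature")
    crypto = feature.endswith("k9")
    return {
        "platform": m.group("platform"),
        "feature_set": feature[:-2] if crypto else feature,
        "crypto": crypto,
        "version": m.group("version"),
    }


def capabilities(filename):
    """What the thread says each image lets you configure: SSH needs a k9
    image, and a VPN additionally needs more than the IP Base feature set."""
    info = describe_image(filename)
    return {
        "ssh": info["crypto"],
        "vpn": info["crypto"] and info["feature_set"] != "ipbase",
    }


if __name__ == "__main__":
    for name in IMAGES:
        print(name, describe_image(name)["feature_set"], capabilities(name))
```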

Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
The version you would most likely need is the Advanced IP Services (c1841-advipservicesk9-mz.151-4.M.bin).
Officially you need 'a' smartnet for that. Just get the cheapest one and you'll get access to most software.....

The version you would most likely need is the Advanced IP Services (c1841-advipservicesk9-mz.151-4.M.bin).
Officially you need 'a' smartnet for that. Just get the cheapest one and you'll get access to most software.....

A smartnet contract will only entitle you to IP BASE updates.  In the past (I think this may have recently changed), you may have technically been able to download better feature sets, but cisco have always monitored what you downloaded.  To get legal access to something better than IP BASE, you'll need to purchase the appropriate license upgrade as well.

If you need to upgrade (for instance to use some VPN features), get the cheapest feature set for the features you need.  There's no point in paying for stuff you'll never use.
For instance, I imagine Advanced Security may be significantly cheaper than Advanced IP Services.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
@alexjfisher: okayyyyyyyyyyyy, didn't know that. Must have been a recent change then.
Well, never too late to learn :)

Author

Commented:
Thanks to all of you EEs,

craigbeck: thanks for your replies... I have asked my friend who is pursuing CCIE for this IOS image & he provided me one named "c1841-adventerprisek9-mz.124-22.T.bin", 37.7MB.
Now please advise... can I use this file forever in my 1841? If yes, please share the process to replace the existing one... & how to back up the existing one before placing the new "K9" one.
--------------------------------------
alexjfisher: good link for the tool to look into IOS... thanks.
Is it not legal to use the IOS which I got from my friend?
"If you need to configure a VPN on this router you'll also need to upgrade to a minimum of Advanced Security."...... What are Advanced Security & Smartnet? How to get AS + Smartnet + Advanced IP Services?
---------------------------------------

Kindly advise on this question as well:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_27053017.html

thanks in advance...

Is it not legal to use the IOS which I got from my friend?

I am not a lawyer, but I seriously doubt it.  Technically, it's probably your friend breaking the law for supplying the IOS, but like I said, I'm not a lawyer.


"If you need to configure a VPN on this router you'll also need to upgrade to a minimum of Advanced Security."...... What are Advanced Security & Smartnet? How to get AS + Smartnet + Advanced IP Services?

Advanced Security is a licensed feature set.  It contains more features (specifically security related) than IP BASE.  Advanced IP Services is different again.  Advanced Enterprise (as what your friend has available) is all features I think.

Smartnet is the support contract.  There are several options available.  The cheapest is a software update only option.  With this, you don't get access to the cisco support service (TAC), but you do get to login to the cisco website to download updates to the IOS feature set you have licensed on your hardware covered by the agreement.  If you had this, you could legally obtain IOS updates, but not feature set upgrades.  For instance, you could download any 12.4, 15.0 or even 15.1 IPBASE IOS, but you wouldn't be entitled to download a different feature set (that might contain features you want/need), such as Advanced Security or Advanced IP Services.

If you need these extra features, you'll need to buy some sort of upgrade license.  A cisco reseller will be able to advise on this.  In future, when you buy a router, you might want to get one that is bundled with the feature set you need.  In the last year, I've bought two 1841's both bundled with Advanced Security.  I suspect it's significantly cheaper this way.  Have you only just bought your 1841?  Perhaps you could return it and get a security bundle version instead?

The other potential problem could be if you bought your router through a non-authorized reseller.  The cisco IOS license is non-transferable.  This means that if you bought used from, say, eBay, then you don't legally have a right to use even IPBASE.  Cisco won't supply you with a smartnet contract until you relicense the IOS.

I admit that google/bittorrent might seem like your friend, but not being able to promptly get your hands on security and bug fixes will be a real pain.  Also, what would happen if you accidentally downloaded a modified IOS with a backdoor inserted?

All that aside, if you want to load a different version of IOS onto your router, then it's not too hard.
Most people use a tftp server and the command copy tftp flash

Author

Commented:
Thank you alexjfisher for your valuable info & help,
I got the concept; I have not opted for the correct IOS.
Is there a huge difference in price between an upgrade licence & a new licence for 'Advanced Security'?
If not, then I will be asking my reseller to upgrade this IOS..

Also I request you to join my other question & advise accordingly, by the time I ask my reseller to get the price..
my question is here:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_27053017.html
Awaiting your earliest reply,
many thanks...
