Just got a Cisco ISR 891 - Need some configuration help!

I just acquired a Cisco ISR 891 and after getting the password out, I'm trying to get this set up to migrate from a PIX 506. This is what I need to get going:

1) Web interface (if this even has one)
2) DHCP assigned cable modem
3) Inside network able to get out
4) SSHv2 access from inside and outside
5) Few ports opened from interface to various internal IP addresses/ports
6) VPN with RADIUS authentication

Right now, I have an IP assigned and I can ping it! It is running 15.0-1.M2
mvalpreda asked:
Garry Glendown (Consulting and Network/Security Specialist) commented:
Not sure about the web interface, but it should be there ... cli is quicker for anybody halfway experienced ...

DHCP - you have a cable modem that hands out DHCP information? Just hook it up to either the FE or GE and configure it with:
int fa0/0
ip address dhcp 

You can check with "show int fa0/0" if an address is correctly assigned ...

For the inside network to get out, you will most likely need to configure NAT ...
int vlan1
ip nat inside
int fa0/0
ip nat outside

ip access-list standard NATOUT
 permit 192.168.100.0 0.0.0.255
! assuming 192.168.100.0/24 as your internal network

ip nat inside source list NATOUT interface fa0/0 overload

For ssh, create a key, once done, it is automatically activated:

crypto key generate rsa modulus 2048

To open single ports, you will need specific NATs ...

ip nat inside source static tcp <INSIDEIP> <INSIDEPORT> fa0/0 <OUTSIDEPORT>

As for VPN, that's a bit bigger to go through ... what client software, what features, etc ... probably deserves a separate question on here ...
0
 
mvalpreda (Author) commented:
This is what I have so far. I assume this should be enough to get me out on the internet?

The crypto key command did not work.

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
enable secret 5 <encrypted whatever>
enable password <clear text?>
!
no aaa new-model
!
ip source-route
no ip routing
!
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX142481WW
!
username mark privilege 15 secret 5 <encrypted>
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 shutdown
 !
!
interface FastEthernet2
 shutdown
 !
!
interface FastEthernet3
 shutdown
 !
!
interface FastEthernet4
 shutdown
 !
!
interface FastEthernet5
 shutdown 
 !
!
interface FastEthernet6
 shutdown
 !
!
interface FastEthernet7
 shutdown
 !
!
interface FastEthernet8
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 !
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 !
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
 !
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community public RO
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password <cleartext?>
 login
!
scheduler max-task-time 5000
end

0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Doesn't look too bad, just a few points:

- do enable cef ("ip cef")
- where did the "no ip routing" command come from? It's essentially killing all L3 forwarding ... ("ip routing")
- same with "ip source-route" - remove it ("no ip source-route")
- activate the password encryption - not really safe, but will stop someone glancing at the screen and remembering the PW ("service password-encryption")
- make sure you know the implications and results of mis-placed ethernet links with the "spanning-tree portfast" on Fa0

As for the ssh key - check the options after "crypto key gen rsa" ... depending on the IOS, the required options are slightly different ...
0
 
mvalpreda (Author) commented:
OK, did all that. I don't have any other routers in the mix, so no chance of a routing loop. FE/0 will be plugged into a L2 HP gig switch and GE/0 is going to the cable modem. Doubtful that I will use any of the switch ports and if I do, it will just be to plug something in really quick.

As far as the VPN is concerned. I would like to use the Cisco 5.x VPN client. It's not a total requirement on this one, but I may want to deploy one of these for a client down the line and I like to test stuff at home first. So used to doing Cisco firewalls....routers just feel backwards to me!

I do have a CCO account and can download the latest software. I can upgrade from a flash drive? Is that quick and easy?

Will test a little later. Wife is online right now. :)
0
 
mvalpreda (Author) commented:
crypto key generate rsa encryption <cr>
and it said the name of the key would be ISRNAME.ISP.TLD

I did get SSH working....but it does not take my username I have defined. I assume there is something else I need to define. How can I force SSHv2?
0
 
mvalpreda (Author) commented:
Update to 15.2(1)T was easy from a USB stick. :)
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
ah yes ... all those little prerequisites ...
aaa new-model
aaa authentication login default local
aaa authorization exec default local

That should fix the login issue.
Yes, forgot about the domain name that has to be configured before you can generate an RSA key.
0
 
mvalpreda (Author) commented:
Got the username to work through SSH. :)

line vty 0 4
login local

0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Here's a sniplet from a sample config from our TFTP server, hope I got everything important off it ...
aaa authentication login vpnuserauth local
aaa authorization network vpnuser local
username someuser password somepassword

crypto isakmp enable
crypto isakmp policy 10
 encrypt 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp client configuration group vpnuser
 key GROUPPASSWORD
 dns YOURDNSIP
 domain YOURDOMAIN
 pool VPNPOOL
 acl ACLSPLITVPN

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set 3DES-SHA
 reverse-route

crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list vpnuser
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap

ip local pool VPNPOOL 192.168.100.100 192.168.100.150

ip access-list extended ACLSPLITVPN
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255

int g0
 crypto map CRYPTO-OUTSIDE

! the deny line keeps VPN pool traffic out of NAT; the NAT statement must
! reference this ACL instead of access-list 1, or the deny has no effect
ip access-list extended NAT
 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet0 overload

On the VPN client, use the group name "vpnuser" with the password entered above to get the tunnel started.
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
For radius, add some more lines:

radius-server host 192.168.77.XXX key RADIUSKEY
aaa authentication login vpnuserauth group radius
ip radius source-interface Vlan1

0
 
mvalpreda (Author) commented:
This is what I have so far, I think I am missing a few things for the VPN.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname X
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 X
enable password 7 X
!
aaa new-model
!
aaa authentication login vpnuserauth group radius
aaa authorization network vpnuserauth local 
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
no ip source-route
!
ip domain name X.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn FTX142481WW
!
username mark privilege 15 secret 5 X
!
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XVPN
 key X
 dns 192.168.77.25 8.8.8.8
 domain X.local
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 1
 set transform-set 3DES-SHA 
 reverse-route
!
crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list XVPN
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap 
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended NAT
 deny   ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip radius source-interface Vlan1 
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community public RO
radius-server host 192.168.77.27 key 7 X
!
control-plane
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 X
 transport input all
!
scheduler max-task-time 5000
end

0
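An added check, not from the thread or from either participant: a small Python audit that applies the points Garry raised (password encryption, `ip source-route`, `no ip routing`) plus three consistency checks for the VPN section (crypto map applied to an interface, isakmp authorization list defined by `aaa authorization network`, named NAT-exemption ACL actually referenced) to a constructed sample shaped like the config above. The sample, the function names and the finding strings are all assumptions made for this example.

```python
import re

# Constructed sample, condensed from the shape of the config posted above (secrets omitted).
SAMPLE_CONFIG = """\
no service password-encryption
ip source-route
aaa authorization network vpnuserauth local
crypto map CRYPTO-OUTSIDE isakmp authorization list XVPN
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap
interface GigabitEthernet0
 ip nat outside
ip nat inside source list 1 interface GigabitEthernet0 overload
ip access-list extended NAT
 deny   ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
"""

def parse_sections(config):
    sections = []  # [(top-level command, [submode lines])]; '!' and blank lines skipped
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return the findings for one IOS running-config text; [] means nothing flagged."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings = [f"flagged: {c}" for c in top
                if c in ("no service password-encryption", "ip source-route", "no ip routing")]
    # Crypto map checks: authorization list must exist (aaa authorization network) and the map must sit on an interface.
    authz = {c.split()[3] for c in top if c.startswith("aaa authorization network ")}
    applied = {l.split()[2] for cmd, body in sections
               if cmd.startswith("interface ") for l in body if l.startswith("crypto map ")}
    for c in top:
        m = re.match(r"crypto map (\S+) isakmp authorization list (\S+)", c)
        if m and m.group(2) not in authz:
            findings.append(f"crypto map {m.group(1)}: authorization list {m.group(2)} is undefined")
    for name in sorted({c.split()[2] for c in top if c.startswith("crypto map ")} - applied):
        findings.append(f"crypto map {name} is not applied to any interface")
    # A named ACL nothing references (here NAT, while NAT still uses list 1) does nothing.
    for name in (c.split()[3] for c in top if c.startswith("ip access-list ")):
        if not any(re.search(rf"\b{re.escape(name)}\b", l) for cmd, body in sections
                   if not cmd.startswith("ip access-list ") for l in [cmd] + body):
            findings.append(f"ACL {name} is defined but never referenced")
    return findings
```

Paste `show running-config` output into `audit()` to get the same list; an empty list means none of these checks fired.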
 
mvalpreda (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mvalpreda's comment http:/Q_27313221.html#36554206

for the following reason:

When I try to connect, the Cisco VPN client gets an error "The remote peer is no longer responding."

Sure I'm missing something. You have been more than helpful on this. I am going to close this and open a new case.

Thanks for everything!
0
 
mvalpreda (Author) commented:
Woops, meant to accept Garry's!
0
 
mvalpreda (Author) commented:
Thanks for all your help. I will work on the VPN in another thread.
0