Solved

Just got a Cisco ISR 891 - Need some configuration help!

Posted on 2011-09-16
Last Modified: 2012-05-12
I just acquired a Cisco ISR 891 and after getting the password out, I'm trying to get this set up to migrate from a PIX 506. This is what I need to get going:

1) Web interface (if this even has one)
2) DHCP assigned cable modem
3) Inside network able to get out
4) SSHv2 access from inside and outside
5) Few ports opened from interface to various internal IP addresses/ports
6) VPN with RADIUS authentication

Right now, I have an IP assigned and I can ping it! It is running 15.0-1.M2
Question by:mvalpreda
Accepted Solution

by:Garry-G (earned 500 total points)
ID: 36553280
Not sure about the web interface, but it should be there ... the CLI is quicker for anybody halfway experienced ...

DHCP - you have a cable modem that hands out DHCP information? Just hook it up to either the FE or GE and configure it with:
int fa0/0
ip address dhcp 

You can check with "show int fa0/0" if an address is correctly assigned ...

For the inside network to get out, you will most likely need to configure NAT ...
int vlan1
ip nat inside
int fa0/0
ip nat outside

ip access-list standard NATOUT
 permit 192.168.100.0 0.0.0.255
! assuming 192.168.100.0/24 as your internal network (a standard ACL takes no "ip" keyword)

ip nat inside source list NATOUT interface fa0/0 overload

For ssh, create a key, once done, it is automatically activated:

crypto key generate rsa modulus 2048

To open single ports, you will need specific NATs ...

ip nat inside source static tcp <INSIDEIP> <INSIDEPORT> interface fa0/0 <OUTSIDEPORT>

As for VPN, that's a bit bigger to go through ... what client software, what features, etc ... probably deserves a separate question on here ...
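The four pieces of the answer above (DHCP on the WAN port, NAT overload, the SSH key aside, and a static port forward) put together as one configuration for the 891. This is an added example, not part of the original answer. On the 891 the switch ports Fa0-Fa7 sit in Vlan1 and Fa8/Gi0 are routed ports, so the fa0/0 in the snippets above becomes GigabitEthernet0 here; the 192.168.77.0/24 inside subnet is the one used in the thread, and the 192.168.77.10 host behind the port forward is an assumption:

```cisco
! WAN side: the cable modem hands out the address. The DHCP lease also
! installs a default route (distance 254), so no static default is needed.
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 no shutdown
!
! LAN side: switch ports Fa0-Fa7 belong to Vlan1
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
!
ip routing
ip cef
!
! Only the inside subnet is translated. A standard ACL takes no "ip" keyword.
ip access-list standard NATOUT
 permit 192.168.77.0 0.0.0.255
!
! PAT everything matching NATOUT behind whatever address Gi0 currently holds
ip nat inside source list NATOUT interface GigabitEthernet0 overload
!
! Port forward: TCP/8443 on the WAN address -> 192.168.77.10:443 (assumed host).
! The "interface" keyword is required because the outside address is not fixed.
ip nat inside source static tcp 192.168.77.10 443 interface GigabitEthernet0 8443
!
! Checks:
!   show ip interface brief     Gi0 shows the DHCP-learned address
!   show ip route               "S* 0.0.0.0/0" via the DHCP-learned gateway
!   show ip nat translations    one line per translated flow
```

One caveat on the port forward: a static NAT entry by itself exposes the inside host to every source on the internet, because NAT filters nothing. What limits who may reach TCP/8443 is an ACL applied inbound on Gi0 (or a zone-based firewall policy), which this block does not include.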

Author Comment

by:mvalpreda
ID: 36554206
This is what I have so far. I assume this should be enough to get me out on the internet?

The crypto key command did not work.

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
enable secret 5 <encrypted whatever>
enable password <clear text?>
!
no aaa new-model
!
ip source-route
no ip routing
!
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX142481WW
!
username mark privilege 15 secret 5 <encrypted>
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 shutdown
 !
!
interface FastEthernet2
 shutdown
 !
!
interface FastEthernet3
 shutdown
 !
!
interface FastEthernet4
 shutdown
 !
!
interface FastEthernet5
 shutdown 
 !
!
interface FastEthernet6
 shutdown
 !
!
interface FastEthernet7
 shutdown
 !
!
interface FastEthernet8
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 !
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 !
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
 !
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community public RO
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password <cleartext?>
 login
!
scheduler max-task-time 5000
end


Expert Comment

by:Garry-G
ID: 36554223
Doesn't look too bad, just a few points:

- do enable cef ("ip cef")
- where did the "no ip routing" command come from? It's essentially killing all L3 forwarding ... ("ip routing")
- same with "ip source-route" - remove it ("no ip source-route")
- activate the password encryption - not really safe, but will stop someone glancing at the screen and remembering the PW ("service password-encryption")
- make sure you know the implications and results of mis-placed ethernet links with the "spanning-tree portfast" on Fa0

As for the ssh key - check the options after "crypto key gen rsa" ... depending on the IOS, the required options are slightly different ...

Author Comment

by:mvalpreda
ID: 36554246
OK, did all that. I don't have any other routers in the mix, so no chance of a routing loop. FE/0 will be plugged into a L2 HP gig switch and GE/0 is going to the cable modem. Doubtful that I will use any of the switch ports and if I do, it will just be to plug something in really quick.

As far as the VPN is concerned. I would like to use the Cisco 5.x VPN client. It's not a total requirement on this one, but I may want to deploy one of these for a client down the line and I like to test stuff at home first. So used to doing Cisco firewalls....routers just feel backwards to me!

I do have a CCO account and can download the latest software. I can upgrade from a flash drive? Is that quick and easy?

Will test a little later. Wife is online right now. :)

Author Comment

by:mvalpreda
ID: 36554261
crypto key generate rsa encryption <cr>
and it said the name of the key would be ISRNAME.ISP.TLD

I did get SSH working....but it does not take my username I have defined. I assume there is something else I need to define. How can I force SSHv2?

Author Comment

by:mvalpreda
ID: 36554290
Update to 15.2(1)T was easy from a USB stick. :)

Expert Comment

by:Garry-G
ID: 36554314
ah yes ... all those little prerequisites ...
aaa new-model
aaa authentication login default local
aaa authorization exec default local

That should fix the login issue.
Yes, forgot about the domain name that has to be configured before you can generate an RSA key.

Author Comment

by:mvalpreda
ID: 36554320
Got the username to work through SSH. :)

line vty 0 4
login local

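The SSH pieces from the accepted answer and the two follow-ups (domain name before key generation, aaa new-model, login local) combined into one management-access block. This is an added example, not from the original thread. The hostname ISR891, the domain example.local, the outside management address 203.0.113.5, the numbered ACL 10 and the password placeholders are assumptions:

```cisco
! The RSA key is named <hostname>.<domain>, so both must exist before it is generated
hostname ISR891
ip domain name example.local
!
! Generate the host key once, then refuse SSHv1 clients
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! "secret" stores a hash. "password" (type 7) is reversible and only hides
! the string from someone glancing at the screen.
service password-encryption
username mark privilege 15 secret <strong-password>
no enable password
enable secret <strong-enable-secret>
!
! With aaa new-model the VTYs use the default login list, so "login local"
! on the line is no longer needed; these two lists give the same result
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Who may open a management session: the LAN plus one outside address.
! Do not leave this open to "any" when SSH is reachable from the internet.
ip access-list standard MGMT
 permit 192.168.77.0 0.0.0.255
 permit host 203.0.113.5
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 exec-timeout 10 0
!
! The web interface, if it is wanted at all: HTTPS only, the same local
! users, and an ACL (the classic "ip http access-class" takes a numbered ACL)
access-list 10 permit 192.168.77.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Checks:
!   show ip ssh                      "SSH Enabled - version 2.0"
!   show crypto key mypubkey rsa     the key named ISR891.example.local
!   ssh -l mark 192.168.77.1         from the LAN; telnet must now be refused
```

Because Gi0 takes its address from the cable modem, "SSH from outside" means whatever address the lease currently holds; the access-class is what keeps that from being an open management port, so keep the outside entries in MGMT as narrow as the admin's real source addresses allow.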

Expert Comment

by:Garry-G
ID: 36554360
Here's a snippet from a sample config from our TFTP server, hope I got everything important off it ...
aaa authentication login vpnuserauth local
aaa authorization network vpnuser local
username someuser password somepassword

crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp client configuration group vpnuser
 key GROUPPASSWORD
 dns YOURDNSIP
 domain YOURDOMAIN
 pool VPNPOOL
 acl ACLSPLITVPN

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set 3DES-SHA
 reverse-route

crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list vpnuser
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap

ip local pool VPNPOOL 192.168.100.100 192.168.100.150

ip access-list extended ACLSPLITVPN
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255

int g0
 crypto map CRYPTO-OUTSIDE

ip access-list extended NAT
 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
! the deny line above only takes effect once the NAT statement references this ACL
ip nat inside source list NAT interface GigabitEthernet0 overload

On the VPN client, use the group name "vpnuser" with the password entered above to get the tunnel started.

Expert Comment

by:Garry-G
ID: 36554365
For radius, add some more lines:

radius-server host 192.168.77.XXX key RADIUSKEY
aaa authentication login vpnuserauth group radius
ip radius source vlan1

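The VPN snippet and the RADIUS addition above, combined into one server-side configuration with the cross-references that have to agree spelled out. This is an added example, not the expert's or the poster's config. The group name XVPN, the RADIUS server 192.168.77.27, the DNS server 192.168.77.25 and the pool follow the thread; the domain example.local, the list names VPN-XAUTH and VPN-GROUP and the key placeholders are my own. What the Cisco VPN Client 5.x speaks (IKEv1 aggressive mode with a group pre-shared key, 3DES, SHA-1, DH group 2) is weak by current standards: the group key is exposed to offline guessing and the three algorithms are deprecated. It is shown because it is what the thread is about, not as a recommendation.

```cisco
aaa new-model
!
! Per-user XAUTH against RADIUS. The trailing "local" is used only when no
! server answers, not when the server rejects the user.
radius-server host 192.168.77.27 auth-port 1812 acct-port 1813 key <radius-shared-secret>
ip radius source-interface Vlan1
aaa authentication login VPN-XAUTH group radius local
aaa authorization network VPN-GROUP local
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! The group name and key are what the client enters under "Group Authentication".
! They identify the group only; the user still has to pass XAUTH.
crypto isakmp client configuration group XVPN
 key <group-preshared-key>
 dns 192.168.77.25
 domain example.local
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 1
 set transform-set 3DES-SHA
 reverse-route
!
! Cross-references 1 and 2: these list names must be the ones defined above
crypto map CRYPTO-OUTSIDE client authentication list VPN-XAUTH
crypto map CRYPTO-OUTSIDE isakmp authorization list VPN-GROUP
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic DYNMAP
!
! Cross-reference 3: a crypto map does nothing until it is bound to the
! interface the clients connect to
interface GigabitEthernet0
 crypto map CRYPTO-OUTSIDE
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
!
! Split tunnel: only traffic to the inside subnet goes through the tunnel
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! Cross-reference 4: the NAT exemption only works if the NAT statement
! references this ACL; a leftover "list 1" would translate the VPN replies
ip access-list extended NAT
 deny   ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
no ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list NAT interface GigabitEthernet0 overload
!
! Checks:
!   show crypto isakmp sa     QM_IDLE once phase 1 has completed
!   show crypto ipsec sa      encaps/decaps counters rise with traffic
!   show aaa servers          RADIUS requests and accepts per server
!   debug crypto isakmp       a client that reports the peer as "no longer
!                             responding" never finished phase 1: confirm the
!                             map is on Gi0, the group name and key match,
!                             and UDP/500 and UDP/4500 actually reach Gi0
```

The pool 192.168.100.0/24 is reachable only through the tunnel (reverse-route injects a host route per connected client), so nothing on the LAN may use that range, and the split-tunnel and NAT ACLs both have to name the same pool subnet.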

Author Comment

by:mvalpreda
ID: 36555361
This is what I have so far, I think I am missing a few things for the VPN.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname X
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 X
enable password 7 X
!
aaa new-model
!
aaa authentication login vpnuserauth group radius
aaa authorization network vpnuserauth local 
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
no ip source-route
!
ip domain name X.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn FTX142481WW
!
username mark privilege 15 secret 5 X
!
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XVPN
 key X
 dns 192.168.77.25 8.8.8.8
 domain X.local
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 1
 set transform-set 3DES-SHA 
 reverse-route
!
crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list XVPN
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap 
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended NAT
 deny   ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip radius source-interface Vlan1 
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community public RO
radius-server host 192.168.77.27 key 7 X
!
control-plane
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 X
 transport input all
!
scheduler max-task-time 5000
end


Author Comment

by:mvalpreda
ID: 36555375
I've requested that this question be closed as follows:

Accepted answer: 0 points for mvalpreda's comment http:/Q_27313221.html#36554206

for the following reason:

When I try to connect, the Cisco VPN client gets an error "The remote peer is no longer responding."

Sure I'm missing something. You have been more than helpful on this. I am going to close this and open a new case.

Thanks for everything!

Author Comment

by:mvalpreda
ID: 36555376
Woops, meant to accept Garry's!

Author Closing Comment

by:mvalpreda
ID: 36555377
Thanks for all your help. I will work on the VPN in another thread.