George-
asked on
Cisco 887 Config
Hi
I need to replace an old 837 with a new 887 and have limited knowledge of the Cisco IOS.
I need the router to do port forwarding for SMTP, RRAS and I also need to configure an IPSEC tunnel to another site.
Does anyone have a blank config (insert IP here, insert ADSL username there etc) or a setup guide on this?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The 837 config should work on an 887 for the most part. The most likely name change is from Ethernet to FastEthernet for the LAN interfaces, I guess.
Maybe post a sanitized config, so we can check.
Tamas
ASKER
Hi
Please feel free to sanitise anything I have missed!
I also need to port forward 80, 443 and 25.
Thanks
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname OLD837
!
enable secret 5 XXXXX
!
username OLD837 password 7 XXXXX
clock timezone gmt 0
clock summer-time bst recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authentication ppp local local
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 0 XXXXX-XXXXX address nnn.nnn.nnn.nnn
!
!
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto map XXXXX-XXXXX 10 ipsec-isakmp
set peer nnn.nnn.nnn.nnn
set transform-set 3DES
match address 103
!
!
!
!
interface Ethernet0
ip address nnn.nnn.nnn.nnn 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXX
ppp chap password XXXXX
ppp pap sent-username XXXXX password XXXXX
crypto map XXXXX-XXXXX
hold-queue 224 in
!
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp nnn.nnn.nnn.nnn 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 103 permit ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 105 deny ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 105 permit ip nnn.nnn.nnn.nnn 0.0.0.255 any
access-list 111 permit ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit udp any eq ntp any eq ntp
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
password 7 XXXXX
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 XXXXX
length 0
!
scheduler max-task-time 5000
!
end
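Added example (not part of the original post or of the hidden answers): a Python check that every static TCP forward on an interface has a matching permit in that interface's inbound ACL, and the reverse, using the line formats found in the config above. The sample excerpt, the 10.0.0.10 host and the 443 forward are constructed for illustration.

```python
import re

# IOS port keywords that can follow "eq" (subset relevant to this config).
NAMED_PORTS = {"smtp": 25, "www": 80, "domain": 53, "ftp": 21, "telnet": 23}

NAT_RE = re.compile(r"^ip nat inside source static tcp \S+ \d+ interface (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any any eq (\S+)")
GROUP_RE = re.compile(r"^ip access-group (\d+) in")

# Constructed excerpt in the same format as the posted config.
SAMPLE = """\
interface Dialer1
 ip access-group 111 in
 ip nat outside
!
ip nat inside source static tcp 10.0.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 10.0.0.10 443 interface Dialer1 443
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq smtp
"""

def port_number(token):
    """Resolve a numeric or named IOS port token; None if unknown."""
    return int(token) if token.isdigit() else NAMED_PORTS.get(token.lower())

def audit_forwards(config_text):
    """Return (interface, public_port, problem) for forward/ACL mismatches."""
    forwards, permits, inbound_acl, current_if = {}, {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line.split()[1]
        elif (m := GROUP_RE.match(line)) and current_if:
            inbound_acl[current_if] = m.group(1)
        elif m := NAT_RE.match(line):
            forwards.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif (m := ACL_RE.match(line)) and port_number(m.group(2)) is not None:
            permits.setdefault(m.group(1), set()).add(port_number(m.group(2)))
    findings = []
    for ifname in sorted(inbound_acl):  # only interfaces that filter inbound
        allowed = permits.get(inbound_acl[ifname], set())
        forwarded = forwards.get(ifname, set())
        for port in sorted(forwarded - allowed):
            findings.append((ifname, port, "forwarded but not permitted inbound"))
        for port in sorted(allowed - forwarded):
            findings.append((ifname, port, "permitted inbound but not forwarded"))
    return findings

if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE):
        print(finding)
```

Run against the config posted above, it returns one finding, port 25 on Dialer1: access-list 111 permits smtp, but the only static NAT entry is for 1723.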
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Is that it?
Is all the Ethernet 0 the same? I thought it changed to VLAN1 or something?
And the access lists stay the same (except the port forwarding)
Cheers
I don't understand... could you please explain?
I see you have ACL 111, so I just added 3 more lines for your requirement.
Do you want to use port 25, 80 and 433 at any other interface? If yes, then create a separate ACL and apply it.
ASKER
Just surprised that that is all the changes that are required between an 837 and an 887 config, I thought they were more different than this.
Ports 80, 25 etc will all come through dialer1.
Does it stay as dialer1? i thought it was dialer0 on an 887?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Guys
I will leave this open until I install the router, which should be in the next couple of weeks.
ASKER
Thanks for all your help
All up and working
ASKER
What I was after was a blank document to be able to enter IPsec keys where required. Or a step by step guide. Are there just too many variables for this?
Will an 837 config work on an 887? Which interface labels will change to what?
Is it just a case of get working what I can and then post on EE the running config with what is not working?
Thanks