Solved

Cisco 887 Config

Posted on 2013-01-24
13
892 Views
Last Modified: 2013-04-15
Hi

I need to replace an old 837 with a new 887 and have limited knowledge of the Cisco IOS.

I need the router to do port forwarding for SMTP, RRAS and I also need to configure an IPSEC tunnel to another site.

Does anyone have a blank config (insert IP here, insert ADSL username there etc) or a setup guide on this?

Thanks
0
Question by:George-
13 Comments
 
LVL 6

Assisted Solution

by:jgibbar
jgibbar earned 100 total points
ID: 38813953
You can't really insert a blank config and expect it to work in your network without having existing knowledge of your networks. The NAT statements will depend on if you are NATing one to one, one to many, which directions, etc. Also you would have to provide your existing IPSec configuration with keys and that is not a good idea on an open forum like here.

My suggestion is to just copy the running config from R1 and write it to the Starting Config on R2 making any changes to interface labels as appropriate.
0
 
LVL 1

Author Comment

by:George-
ID: 38814036
Hi

What I was after was a blank document to be able to enter IPsec keys where required.  Or a step by step guide.  Are there just too many variables for this?

Will an 837 config work on an 887?  Which interface labels will change to what?

Is it just a case of getting working what I can and then posting on EE the running config with what is not working?

Thanks
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 300 total points
ID: 38814092
Recently installed Cisco 887 with IPSEC
change the variables under the << >> quotes

CISCO887VA-SEC-K9
IOS: c880data-universalk9-mz.151-4.M4.bin

-=====================================
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname <<Hostname>>
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 4 vanco

!
memory-size iomem 25
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!

ip dhcp excluded-address <<LAN_Ip_to_be_excluded>> <<Lan_IP_Address>>
!
ip dhcp pool sephora-dhcp
 network <<Lan_Network>> <<Lan_Netmask>>
 default-router <<Lan_IP_Address>>
 dns-server <<dns_server_ip>>
 netbios-name-server <<netbios_server_ip>>
 domain-name <<domain_name>>
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid CISCO887VA-SEC-K9 sn <<Device_SN>>
!
controller VDSL 0
!
ip telnet source-interface Loopback0
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 periodic
!
crypto isakmp peer address <<Peer_hub_ip1>>
 set aggressive-mode password <<IPSec_Password>>
 set aggressive-mode client-endpoint fqdn <<Hostname>>

!
crypto isakmp peer address <<Peer_hub_ip2>>
 set aggressive-mode password <<IPSec_Password>>
 set aggressive-mode client-endpoint fqdn <<Hostname>>
!
!
crypto ipsec transform-set TransformVPN esp-3des esp-sha-hmac
!
crypto map vpn-map local-address Dialer1
crypto map vpn-map 1 ipsec-isakmp
 set peer <<Peer_hub_ip1>>
 set peer <<Peer_hub_ip2>>
 set transform-set TransformVPN
 set pfs group2
 match address HUB
!
interface Loopback0
 description  Management IP loopback address
 ip address <<Lo0_IP>> 255.255.255.255
!
interface Ethernet0
 description UNM Not-used
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 bandwidth <<Down_BW>>
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 bandwidth <<Down_BW>>
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description Connection to +Main_router_hostname LAN
 switchport access vlan 2
 no ip address
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet1
 description UNM Not-used
 no ip address
 shutdown
!
interface FastEthernet2
 description UNM Not-used
 no ip address
 shutdown
!
interface FastEthernet3
 description Not-used
 no ip address
 shutdown
!
interface Vlan1
 description UNM Not-used
 no ip address
!
interface Vlan2
 description Connection to <<Hostname>> LAN
 ip address <<Lan_IP_Address>> <<Lan_Netmask>>
 no shut
!
interface Dialer1
 description P.V.I public ADSL Connection  Speed <<Down_BW>>/<<UP_BW>>   Provider <<Provider>> (customer provided)
 bandwidth <<Down_BW>>
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1416
 encapsulation ppp
 ip tcp adjust-mss 1300
 dialer pool 1
 ppp authentication pap callin
 ppp chap hostname <<DSL_Username>>
 ppp chap password <<DSL_Password>>
 ppp pap sent-username <<DSL_Username>> password <<DSL_Password>>
 ppp ipcp dns request
 no cdp enable
 crypto map vpn-map
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!

ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip route <<Peer_hub_ip1>> 255.255.255.255 Null0 name SecondaryIPsecurePeer
ip route <<telnet_server_ip>> 255.255.255.255 Dialer1 name TelnetServer
ip route <<Peer_hub_ip1>> 255.255.255.255 Dialer1 254 name SecondaryIPsecurePeer
ip route <<Peer_hub_ip2>> 255.255.255.255 Dialer1 name PrimaryIPsecurePeer
!

ip access-list extended HUB
 permit ip <<Lan_Network>> <<Lan_inverse_mask>> any
 permit ip host <<Lo0_IP>> any

!

no cdp run
!
snmp-server community <<SNMP_STRING>> RW <<ACL number>>
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server host <<host_ip>> <<key>>
!
control-plane

line con 0
 exec-timeout 5 0
 password cisco
 login
line aux 0
 exec-timeout 5 0
 password cisco
 login
line vty 0 4
 exec-timeout 5 0
 password cisco
 logging synchronous
 login
 transport input all
!
sntp server <<sntp_server_ip>>
end
0
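The template above uses 3DES, DH group 2 and aggressive mode with a pre-shared key throughout, and leaves the vty lines on `password cisco` with `transport input all`. The following script is an added example, not code from this thread or from Cisco: it reads an IOS config in the same shape as the template (policy blocks, `crypto isakmp peer address` blocks, transform-sets and line blocks) and lists the settings that sit below current guidance. The sample config inside it is constructed, with the `<<...>>` placeholders filled with documentation values, and the "use aes / sha256 / group 14" suggestions are the script's own.

```python
"""Summarise the IKEv1/IPsec algorithm choices in a Cisco IOS config and flag the
ones below current guidance. Added example, not code from the thread; it only
understands the statement shapes used in the posted 887 template."""

# Constructed fragment in the shape of the posted template, with the <<...>>
# placeholders filled with documentation values (198.51.100.1 is a TEST-NET address).
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp peer address 198.51.100.1
 set aggressive-mode password PLACEHOLDER_PSK
 set aggressive-mode client-endpoint fqdn branch-router
!
crypto ipsec transform-set TransformVPN esp-3des esp-sha-hmac
!
line vty 0 4
 exec-timeout 5 0
 password cisco
 login
 transport input all
"""

# IOS defaults when a policy omits the keyword (DES, SHA-1, DH group 1).
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
WEAK_ENCR = {"des", "3des"}            # 64-bit block ciphers
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}          # DH moduli of 1536 bits or less
WEAK_ESP = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}


def parse_blocks(config):
    """Split IOS text into (header, [indented sub-lines]) pairs; '!' and blanks are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def review(config):
    """Return a list of human-readable findings, one per weak setting found."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy "):
            settings = dict(POLICY_DEFAULTS)
            for line in body:
                key, _, value = line.partition(" ")
                if key in settings:
                    settings[key] = value
            if settings["encr"] in WEAK_ENCR:
                findings.append(f"{header}: encr {settings['encr']} (use aes)")
            if settings["hash"] in WEAK_HASH:
                findings.append(f"{header}: hash {settings['hash']} (use sha256)")
            if settings["group"] in WEAK_GROUPS:
                findings.append(f"{header}: group {settings['group']} (use group 14 or higher)")
        elif header.startswith("crypto isakmp peer address "):
            if any(line.startswith("set aggressive-mode password") for line in body):
                findings.append(f"{header}: aggressive mode with a pre-shared key "
                                "(peer identity sent in clear and the PSK hash is exposed "
                                "to offline guessing; prefer main mode or IKEv2)")
        elif header.startswith("crypto ipsec transform-set "):
            for alg in header.split()[4:]:
                if alg in WEAK_ESP:
                    findings.append(f"{header}: {WEAK_ESP[alg]} (use esp-aes and esp-sha256-hmac)")
        elif header.startswith("line vty"):
            if "transport input all" in body:
                findings.append(f"{header}: transport input all (restrict to ssh)")
            if "password cisco" in body:
                findings.append(f"{header}: line password is the well-known default 'cisco'")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run it against the output of `show running-config` saved to a file and fix the policy and transform-set on both ends of the tunnel at the same time, since the hub has to offer a matching proposal.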
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38819265
The 837 config should work on a 887 for the most part. Most likely name change is from Ethernet to FastEthernet for the LAN interfaces, I guess.
Maybe post a sanitized config, so we can check.

Tamas
0
 
LVL 1

Author Comment

by:George-
ID: 38826019
Hi

Please feel free to sanitise anything I have missed!  

I also need to port forward 80, 443 and 25.

Thanks

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname OLD837
!
enable secret 5 XXXXX
!
username OLD837 password 7 XXXXX
clock timezone gmt 0
clock summer-time bst recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authentication ppp local local
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 XXXXX-XXXXX address nnn.nnn.nnn.nnn
!
!
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto map XXXXX-XXXXX 10 ipsec-isakmp
 set peer nnn.nnn.nnn.nnn
 set transform-set 3DES
 match address 103
!
!
!
!
interface Ethernet0
 ip address nnn.nnn.nnn.nnn 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXX
 ppp chap password XXXXX
 ppp pap sent-username XXXXX password XXXXX
 crypto map XXXXX-XXXXX
 hold-queue 224 in
!
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp nnn.nnn.nnn.nnn 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 103 permit ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 105 deny   ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 105 permit ip nnn.nnn.nnn.nnn 0.0.0.255 any
access-list 111 permit ip nnn.nnn.nnn.nnn 0.0.0.255 nnn.nnn.nnn.nnn 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit udp any eq ntp any eq ntp
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 password 7 XXXXX
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 XXXXX
 length 0
!
scheduler max-task-time 5000
!
end
0
 
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 300 total points
ID: 38826033
interface Dialer1
 ip address ip address negotiated


correct
 
interface Dialer1
 ip address negotiated

access-list 111 permit tcp any eq 80 any eq 80
access-list 111 permit tcp any eq 25 any eq 25
access-list 111 permit tcp any eq 443 any eq 443
0
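The 837 config above pairs its one forwarded port (1723 for RRAS) with a static NAT entry and a matching permit in access-list 111, which is applied inbound on Dialer1. The script below is an added example, not code from this thread or from Cisco: it reads a config in the same shape, lists every `ip nat inside source static tcp` entry on the `ip nat outside` interface, and reports whether the inbound ACL lets that destination port through from any client source port. The config inside it is constructed (192.0.2.10 is a documentation address standing in for the internal server) and deliberately includes one permit that pins the source port as well as the destination port, so the output shows how such an entry is reported.

```python
"""Cross-check port forwarding in a Cisco IOS config: each static NAT entry on the
outside interface needs a matching permit (destination port, any source port) in
the ACL applied inbound on that interface. Added example; it parses only the
statement shapes seen in the posted 837 config, on a constructed sample."""
import re

# Constructed fragment in the style of the posted 837 config; 192.0.2.10 is a
# documentation address standing in for the internal mail/web/RRAS server.
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
!
ip nat inside source static tcp 192.0.2.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.0.2.10 25 interface Dialer1 25
ip nat inside source static tcp 192.0.2.10 80 interface Dialer1 80
ip nat inside source static tcp 192.0.2.10 443 interface Dialer1 443
!
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any eq 443 any eq 443
access-list 111 permit tcp any any eq 3389
access-list 111 permit gre any any
"""

# Port keywords IOS accepts in extended ACLs (the ones this example needs).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "ntp": 123, "isakmp": 500}

STATIC_NAT = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$")
ACL_TCP = re.compile(r"^access-list (\d+) permit tcp (.+)$")


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_endpoint(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    i += 1 if tokens[i] == "any" else 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = port_number(tokens[i + 1]), i + 2
    return i, port


def outside_inbound_acl(lines):
    """Return (interface, acl) for the interface marked 'ip nat outside'."""
    iface, info = None, {}
    for line in lines:
        if line.startswith("interface "):
            iface = line.split()[1]
            info[iface] = {"acl": None, "outside": False}
        elif line == "!":
            iface = None
        elif iface and line.startswith("ip access-group ") and line.endswith(" in"):
            info[iface]["acl"] = line.split()[2]
        elif iface and line == "ip nat outside":
            info[iface]["outside"] = True
    for name, d in info.items():
        if d["outside"]:
            return name, d["acl"]
    return None, None


def audit(config):
    """Map every forwarded outside port to 'ok' or a reason inbound traffic will not reach it."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    outside, acl = outside_inbound_acl(lines)
    forwarded, permits = {}, []          # outside port -> (host, inside port); (src, dst) ports
    for line in lines:
        nat = STATIC_NAT.match(line)
        if nat and nat.group(3) == outside:
            forwarded[int(nat.group(4))] = (nat.group(1), int(nat.group(2)))
            continue
        ace = ACL_TCP.match(line)
        if ace and ace.group(1) == acl:
            tokens = ace.group(2).split()
            i, src = parse_endpoint(tokens, 0)
            _, dst = parse_endpoint(tokens, i)
            permits.append((src, dst))
    findings = {}
    for port in sorted(forwarded):
        if any(d == port and s is None for s, d in permits):
            findings[port] = "ok"
        elif any(d == port for s, d in permits):
            findings[port] = (f"blocked: the permit also requires source port {port}, "
                              "but clients connect from ephemeral ports")
        else:
            findings[port] = f"blocked: no inbound permit for port {port} in ACL {acl}"
    for _, dst in permits:
        if dst is not None and dst not in forwarded:
            findings[dst] = "permitted inbound but no static NAT forwards it"
    return {"outside": outside, "acl": acl, "forwarded": forwarded, "findings": findings}


if __name__ == "__main__":
    for port, verdict in sorted(audit(SAMPLE_CONFIG)["findings"].items()):
        print(f"tcp/{port}: {verdict}")
```

On the sample, 25, 80 and 1723 come back as `ok`, 443 is reported as blocked because its permit also matches on source port 443, and 3389 is reported as open in the ACL with nothing forwarding it. Keep the inbound ACL limited to the ports that actually have a static NAT entry, and keep `ip inspect` on the dialer so return traffic for outbound sessions is still handled.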
 
LVL 1

Author Comment

by:George-
ID: 38826081
Is that it?  

Is all the Ethernet 0 the same?  I thought it changed to VLAN1 or something?

And the access lists stay the same (except the port forwarding)

Cheers
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38826235
I don't understand?..could you please explain..

I see you have ACL 111 so I just added 3 more lines for your requirement.

do you want to use port 25, 80 and 433 at any other interface...if yes then create a separate ACL and apply
0
 
LVL 1

Author Comment

by:George-
ID: 38826653
Just surprised that that is all the changes that are required between an 837 and an 887 config, I thought they were more different than this.

Ports 80, 25 etc will all come through dialer1.

Does it stay as dialer1? I thought it was dialer0 on an 887?
0
 
LVL 17

Assisted Solution

by:TimotiSt
TimotiSt earned 100 total points
ID: 38826711
The number of the Dialer interface depends on the dialer-pool of the physical interface:
interface ATM0
[...]
  dialer pool-member 1



The LAN interfaces of the 887 can be individually configured (unlike the 837), so if you want them as a simple switch, you'll need to put them in a bridge group.
Several good solutions exist for that, a popular one is:
bridge irb
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.99.99.1 255.255.255.128
ip nat inside
no ip virtual-reassembly


which puts vlan1 into Bridge Virtual Interface 1. If you have onboard wifi, you can add that too in the mix:
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 60
!
!
ssid <WIRELESS SSID>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding


0
 
LVL 9

Accepted Solution

by:Sandeep Gupta
Sandeep Gupta earned 300 total points
ID: 38826779
you have already configured your ATM interface calling dialer-pool member 1

and at your dialer interface..you have already mentioned dialer-pool 1, that's it.

cheers

"Does it stay as dialer1? i thought it was dialer0 on an 887? "

it depends what you are configuring...the pool member you are calling should be correct.

I will never bother whether it is di 0 or di 1

cheers!!!
0
 
LVL 1

Author Comment

by:George-
ID: 38879295
Thanks Guys

I will leave this open until I install the router, which should be in the next couple of weeks.
0
 
LVL 1

Author Closing Comment

by:George-
ID: 39079667
Thanks for all your help

All up and working
0
