Bardlebee - Feb 24, 2009 - Im Blind.
I am very new to the Cisco IOS: I got my CCENT 6 months ago, so a lot of the information has come and gone out of my head from non-use. I am simply trying to set up NAT so that my router can get information from the internet and share it with its users via DHCP. Very basic.
I got DHCP to work, but I am having a hell of a time finding tutorials on setting up NAT.
It is a static business IP address that I have, this router will be replacing another router so I have some information from the one implemented currently:
code:
Network Address: 192.168.2.1
IP Address: 111.111.111.111 (As seen outside)<---business IP
subnet: 255.255.255.240
Default Gateway: 111.111.111.112
Primary DNS: (DNS IP)
Secondary DNS: (DNS 2 IP)
This is on what is known as a RouteFinder RF820, a retail router worth 150 dollars. I am replacing it with an 1811 Cisco, here is my show run:
code:
Current configuration : 3427 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Vlan1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
line vty 16
privilege level 15
login local
transport input all
!
end
sh ip int brief:
code:
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES manual up down
FastEthernet1 unassigned YES NVRAM up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up down
FastEthernet6 unassigned YES unset up down
FastEthernet7 unassigned YES unset up down
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up up
Vlan1 192.168.2.1 YES manual up up
Async1 unassigned YES NVRAM down down
NVI0 unassigned YES unset administratively down down
I have done a lot since attempting to enact NAT, so it may look pretty messed up in that attempt. I do, however, have DHCP running fine. Not expecting a magical answer; if any of you have a solid link I can use as well, that would work too...
Jun 18, 2010 17:41
Bardlebee - Feb 24, 2009 - Im Blind.
n0tqu1tesane posted:
Your ip route command is wrong. Unless, of course, you want to send all requests which are intended for inside the network to outside the network.
should be:
ip route 0.0.0.0 0.0.0.0 111.111.111.112
That way it will send requests for anything not locally connected to the outside network.
EDIT:
Also, you don't have any DNS servers set in your DHCP pool. Not really a problem, but unless you've manually set DNS servers on each of your clients you could possibly run into issues.
Would the DNS be my internal DNS server or the default gateway of the ISP? For example, my DNS Server is also my DC, which is 192.168.2.113.
dns-server 192.168.2.113
Jun 21, 2010 15:42
Bardlebee - Feb 24, 2009 - Im Blind.
Hey guys, I have not had the chance to test out my NAT settings yet, unfortunately I have to wait till tomorrow. But here is another question.
With my Cisco 1811 router, can I block websites? I only want to block about five websites and I would really rather not have to buy extra equipment. Not that I don't want to, but management won't.
Is there a way I can re-route a domain name such as facebook.com and shoot it to something useless like 0.0.0.0? Or block it altogether?
Jun 23, 2010 14:59
Bardlebee - Feb 24, 2009 - Im Blind.
Going back to my NAT issue, I am testing it tonight, but I have some new information that I wanted to give you all in case it's important in my NAT config.
There is a Cisco 2600 attached to the current router (the lovely retail one), going from the lovely retail's WAN port to its FastEthernet port; there is a cable going from the Cisco 2600 labeled T1/CSU/DSU, and this goes to a white box which I assume is the modem. My assumption is that the router connects to this Cisco 2600, which is a T1 line, and then connects to the modem.
I don't think this should cause an issue and if it doesn't work I am going to draw a pretty picture with descriptive labels.
Side Note: If I want to have a dhcp pool of 192.168.2.100-199, would I use an exclude command?
Jun 25, 2010 17:46
Bardlebee - Feb 24, 2009 - Im Blind.
Ok, so I tried using the NAT config recommended and I was half successful. When I do a ping 8.8.8.8 to Google's DNS it works fine on the router. I can even do a traceroute all the way there. However, when I plug a computer into the FastEthernet 9 port I can't get out; I do get an IP address of 192.168.2.2, so DHCP is working fine. I attempt a ping 8.8.8.8 on the computer and I can't ping anything outside my network.
I am sure it's just one config line I am missing, but I can't figure out what. Is my VLAN1 supposed to have my internal IP? This is what I get from a show run, sh int fastethernet 9, and a sh ip int brief.
I am not sure what I am missing, but I have a feeling it is something to do with the vlan configuration.
code:
Interface IP-Address OK? Method Status Protocol
FastEthernet0 111.111.111.112 YES NVRAM up up
FastEthernet1 unassigned YES NVRAM up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up down
FastEthernet6 unassigned YES unset up down
FastEthernet7 unassigned YES unset up down
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up up
Vlan1 192.168.2.1 YES NVRAM up up
Async1 unassigned YES NVRAM down down
NVI0 111.111.111.112 YES unset up up
WG-STSC#sh run
Building configuration...
Current configuration : 3773 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 111.111.111.112 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Vlan1 overload
ip nat inside source list 102 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
WG-STSC#sh int faste9
FastEthernet9 is up, line protocol is up
Hardware is FastEthernet, address is 0014.a832.8691 (bia 0014.a832.8691)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 10
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5235 packets input, 530176 bytes, 0 no buffer
Received 2093 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
2375 packets output, 189848 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Jun 28, 2010 14:03
Bardlebee - Feb 24, 2009 - Im Blind.
Harry Totterbottom posted:
sh xlate
This should show if you're getting translations or not.
Also
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
That will only translate tcp, ping is icmp.
I don't think I really need any static; can I kill this line?
EDIT: Killing the Vlan inside line won't stop my NAT? I'll try both and get back to you on this. Thanks!
Jun 28, 2010 15:17
Bardlebee - Feb 24, 2009 - Im Blind.
Harry Totterbottom posted:
Yes kill that line, you snuck in before my edits.
so
no ip nat inside source list 1 interface Vlan1 overload
no ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
then attempt to send traffic across the wire
show xlate
You should then see stuff in that table.
Oh ok, thanks for clearing that up. Will show xlate only work when it's connected to the wire?
I cannot test it until early morning tomorrow, and it does not recognize show xlate (nor does it have a command for it when I ? it)... the commands I get from x? are: x25, x28, x29, xconnect, and xsm.
I'll let you know what I find.
Jun 28, 2010 16:33
Bardlebee - Feb 24, 2009 - Im Blind.
Harry Totterbottom posted:
Doh, right here. I'm only doing nat on my firewalls so I forgot to check the syntax difference.
Thanks for the help!
Finally got NAT to work and I was able to reach out. Most of all I learned a little in the process! I will be doing the final step, which is doing the five VPNs we have; they're pretty basic so I am going to give it a shot.
Jun 29, 2010 14:02
Bardlebee - Feb 24, 2009 - Im Blind.
jwh posted:
I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward.
We may even have some posted in this thread, somewhere.
Looking up info on DMVPN, it's basically what it's named. Dynamic VPNs, meaning that I don't have to adjust the 'spoke' router (i.e. the 1811 I am implementing) if I change an IP address in another site? Or is it just when I add a VPN at another site?
This sounds interesting, if not complicated. I would be interested in this, however I do not know where to start. I am having trouble just getting started and learning VPN as it is.
I think I will have to watch some videos for it.
EDIT: Also, would it matter that the other five satellite sites are NOT Cisco routers and are indeed lovely retail VPN routers?
Jun 30, 2010 21:56
Bardlebee - Feb 24, 2009 - Im Blind.
Powercrazy posted:
I think I may have even posted them. If not I can post some configs tomorrow.
I would greatly appreciate the help. I don't even know where to start, though I am still researching it.
Jul 1, 2010 19:38
Bardlebee - Feb 24, 2009 - Im Blind.
One thing is the hub sites won't be Cisco routers, they will be the lovely retail routers like I had mentioned, so I really don't think the DMVPN will work for me in this instance...
What do you think?
EDIT: In fact if we can't go DMVPN that isn't a total loss, as we do not change IPs very often at all, if at all for that matter. So, regular VPN would work just fine as well.
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5 <--- What does this part mean?
crypto isakmp nat keepalive 30
I noticed that this may work for me. Is 'authentication pre-share' the same as 'Secret' shown on the images on the last page? I assumed it was a pre-shared key but I didn't want to outright assume it. What does the 30<space>5 represent? 30 seconds and....
Bardlebee fucked around with this message at 20:28 on Jul 1, 2010
Jul 1, 2010 20:23
Bardlebee - Feb 24, 2009 - Im Blind.
Powercrazy posted:
The 30 indicates that a keepalive or Dead Peer Detection message is sent every 30 seconds. Once a DPD message is missed by the peer, the router moves to a more aggressive state, sending DPD retry messages every 5 seconds. After 5 aggressive DPD retries, the tunnel is marked as down.
It's basically the keepalive time for the phase one secure tunnel.
And yes I'm pretty sure that Authentication pre-share is identical to (shared) secret in the gui.
The major advantage of DMVPN is that it is much more scalable, as each additional site doesn't change the hub configuration. But yea, if you have only a few remote sites, then it's actually pretty straightforward to add additional tunnels on the hub router. If you aren't using Cisco for the hub then you can't create GRE tunnels, so you won't be able to have routing protocols that use multicast running across them.
Yeah, we aren't doing anything elaborate like that. Trust me. This is a business of 100 people, I ain't doin' no fancy dandy Network Engineering stuff beyond this one gem of a router I got my grubby hands on.
Not only that, but we don't even have a domain controller. So it's that simple.
We are a medical clinic. I wish I knew the colon sign for that little yellow guy crying...
Anyway, onward to the subject: Do I need any of this aaa authentication stuff in this link? Also, I hope CCNA2 goes into VPNs, because it would be nice to know what I am doing here.
http://www.fredshack.com/docs/vpnios.html
Jul 1, 2010 20:54
Bardlebee - Feb 24, 2009 - Im Blind.
Harry Totterbottom posted:
Just as a side note, ASAs don't support creating GRE tunnels and neither do the 3560 layer 3 switches.
Does this mean my Cisco 1811 can't make VPN tunnels with these random VPN routers?
Jul 1, 2010 21:05
Bardlebee - Feb 24, 2009 - Im Blind.
Harry Totterbottom posted:
It depends on if the random VPN routers can handle terminating a GRE tunnel. Otherwise you might need to look at setting up basic IPSec tunnels between the sites. The main downside I know of (there could be more and someone else please chime in) with IPSec tunnels is that you can't run EIGRP across them without GRE as well. They can handle OSPF in point-to-point, but I don't think they'll do multi-point or broadcast for that either.
The ASAs can pass traffic through a GRE tunnel from point A to point B, but they can't create or terminate the actual GRE tunnel.
As a matter of fact they are using IPsec now, I would not be opposed to keeping it that way. So yes, definitely keeping it on IPsec.
Stupid question: Do I need OSPF or a routing protocol for this?
Jul 1, 2010 21:25
Bardlebee - Feb 24, 2009 - Im Blind.
Powercrazy posted:
Right. The major thing for GRE is that it allows multicast, and since the common routing protocols (EIGRP, OSPF, RIP) all use multicast for their discovery and routing updates, without multicast those protocols break.
For Bardlebee just setup some site-to-site IPSec tunnels, and use static default routes to point unknown traffic to the tunnels, and you should be fine. No you shouldn't need to run any routing protocols as long as the number of sites is low.
Ok, I am going to post my attempt to do this and post my config later.
Thanks for the help guys!
EDIT: Ok, can you guys take a look at this and tell me if I did this right? :P I am going off of pure research here; found a nice site that was a step-by-step for IPSEC/VPN.
The other site's local LAN is 192.168.11.0. Its outside IP is 333.333.333.333.
The router I am replacing is 192.168.2.0.
Also, I don't think I did the following line right, since both routers need to be using 3DES:
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
code:
Building configuration...
Current configuration : 4120 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key <my password> address 333.333.333.333
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 333.333.333.333
set transform-set esp-aes-sha
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 111.111.111.112 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Bardlebee fucked around with this message at 22:55 on Jul 1, 2010
Jul 1, 2010 21:30
Bardlebee - Feb 24, 2009 - Im Blind.
Moxnight posted:
Also, please change your admin password for that router.
Heh, of course I will be doing that, thanks for the heads up though.
I will be testing this guy out on Tuesday. Thanks!
Jul 4, 2010 19:02
Bardlebee - Feb 24, 2009 - Im Blind.
I am back with my VPN results Yar! This is what I got when I setup the router to see if the vpn worked, I got it every few times I tried to ping the other network or every few minutes, not sure which:
Jul 8 12:42:56.955: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xDD21CD26(3709979942), srcaddr=333.333.333.333
What is SPI?
code:
Current configuration : 4303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key <password> address 333.333.333.333
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description HardyOak Tunnel
set peer 333.333.333.333
set transform-set esp-3des-sha1
set pfs group2
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 222.222.222.222 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Jul 8, 2010 16:58
Bardlebee - Feb 24, 2009 - Im Blind.
Ok this is what I got from the two show commands:
It should be noted that this is the only Cisco router I have and that the destination router is a crappy RouteFinder brand which I have never heard of.
code:
WG-STSC#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
222.222.222.222 71.149.175.30 MM_NO_STATE 0 0 ACTIVE (deleted)
222.222.222.222 71.149.175.30 MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
WG-STSC#sh crypto
WG-STSC#sh crypto ips
WG-STSC#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: vpn, local addr 222.222.222.222
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 333.333.333.333 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 222.222.222.222, remote crypto endpt.: 333.333.333.333
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Jul 12, 2010 13:31
Bardlebee - Feb 24, 2009 - Im Blind.
inignot posted:
The output of "show crypto isakmp sa" indicates phase1 has failed; thus the output of "show crypto ipsec sa" is never going to show a phase2 association.
You need to "debug crypto isakmp" to find out what's wrong with phase1. It's likely either an isakmp policy mismatch or a preshared key mismatch. For best results debug at both ends.
I wish I could debug both ends, but again the destination router is not a Cisco. It is a retail VPN router, and I am not sure if that is what is causing the issue.
I will try the debug, thanks for the advice!
Jul 12, 2010 16:36
- Bardlebee
So, I am back.
I tested my tunnel VPN on the GUI and it complained about a NAT issue; I had it fix it by itself and it fixed it for the most part. Now the VPN is showing as up, but when I test it again it complains about the MTU size. I think this is the last hurdle I have... How do I specify the MTU size in a VPN tunnel? Is that possible?
Jul 16, 2010 14:43
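On the MTU question above: what limits the cleartext packet size inside an IPsec tunnel is the ESP encapsulation overhead, which depends on the transform set. The script below is an added example written for this page (it is not from the thread, not IOS output and not Cisco code). It applies the RFC 4303 ESP tunnel-mode layout to the two transform sets that appear in the posted configuration, esp-3des esp-sha-hmac and esp-aes esp-sha-hmac, on a 1500-byte link, and derives the largest cleartext packet that still fits and the TCP MSS that goes with it (MTU minus the 20-byte IP and 20-byte TCP headers). NAT traversal adds a further 8-byte UDP header that the script does not model, which is one reason a rounder value such as 1400 is commonly configured.

```python
# Added example: ESP tunnel-mode size arithmetic for the transform sets in this
# thread. The constants are the RFC 4303 ESP layout, not anything read from a router.
OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
ICV_SHA1_96 = 12   # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits

# CBC ciphers used by the posted transform sets: (block size, IV length) in bytes
CIPHERS = {
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
}


def esp_packet_len(inner_len, cipher):
    """Size on the wire of an ESP tunnel-mode packet carrying an inner_len-byte IP packet."""
    block, iv = CIPHERS[cipher]
    # CBC requires (payload + trailer) to end on a cipher block boundary
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV_SHA1_96


def max_inner_mtu(link_mtu, cipher):
    """Largest cleartext IP packet whose ESP encapsulation still fits in link_mtu."""
    inner = link_mtu
    while inner > 0 and esp_packet_len(inner, cipher) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """MSS to clamp with ip tcp adjust-mss: MTU minus 20-byte IP and 20-byte TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    for cipher in CIPHERS:
        mtu = max_inner_mtu(1500, cipher)
        print(f"{cipher} esp-sha-hmac: inner MTU {mtu}, wire size {esp_packet_len(mtu, cipher)}, "
              f"TCP MSS {tcp_mss_for(mtu)}")
```

For 3DES the largest cleartext packet on a 1500-byte link is 1446 bytes (1496 on the wire; 1447 already needs 7 pad bytes and grows to 1504), for AES it is 1438. Setting the inner MTU lower than these values, with an MSS of MTU minus 40, leaves headroom for NAT-T and avoids fragmenting the encrypted packets.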
- Bardlebee
tortilla_chip posted:
You can try:
service unsupported-transceiver
Note that this disables DOM (may or may not be an issue for you). There are a few good threads on optics on C-NSP/NANOG. The gist being the Cisco optics are manufactured by the same few companies and then just have Cisco serial numbers applied in the firmware. You can get non-Cisco optics for a tenth the price on memorydealers.com
Are you talking optics as in fiber? Because we use nothing of the sort.
Jul 21, 2010 20:33
- Bardlebee
Ok, I wanted to get everyone's opinion on whether or not my VPN tunnels look sane. Again, I am very new at this. The part I am worried about is whether I am understanding access-lists right and using them appropriately; that, and from what I am seeing at least on this router's end, does it look like I set up these five IPsec tunnels correctly?
code:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383732 38393635 3630301E 170D3130 30363235 31363337
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373238
39363536 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BE8A B5790460 A9253C5A 38A1933A 19925684 71E3593E F352827B CA66CCC1
024EEC73 63C2FB7E DE069B52 F335D5EA A1A0839F A9E6104E EC45ABFA 8DA03006
BD0FE01F 35D15726 8D8E23E5 21BCD930 D220CE65 4528F3DC BA15C82F 4720549B
5EA44127 8DA7E630 EC359BC4 502C5E31 9DC8DA5E FF3D0393 DE10ED8D BC0013F5
2FD30203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E57472D 53545343 2E574753 54534330 1F060355 1D230418
30168014 176C5BC2 2E35E8A6 02309904 DA180631 A77880D9 301D0603 551D0E04
16041417 6C5BC22E 35E8A602 309904DA 180631A7 7880D930 0D06092A 864886F7
0D010104 05000381 81008D31 D77BC5FC 24ECF53F D08E4371 5677043A 6A3F0D17
4E066A7B 8AB49E22 3B8F260F B8BB3723 2F10042A 66D44365 04F56FDB CD6DD582
7C1C0E80 E73093F2 00880ECB 11050139 A40B8767 F6D7EF2B BA3DDE2F 8DFA7D3C
58B8C04C 209A6D80 2C55F9B2 53BC4827 C92DEB9E E3865133 B6111C49 E98E486D
8C638C74 52170C4E AEBA
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key pass address 66.64.51.100
crypto isakmp key pass address 209.206.174.555
crypto isakmp key pass address 24.153.154.777
crypto isakmp key pass address 97.77.188.666
crypto isakmp key pass address 216.201.140.999
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 5 ipsec-isakmp
description San Tunnel
set peer 209.206.174.555
set transform-set esp-3des-sha1
match address 105
crypto map vpn 6 ipsec-isakmp
description New Tunnel
set peer 97.77.188.666
set pfs group2
match address 106
crypto map vpn 7 ipsec-isakmp
description Lar Tunnel
set peer 24.153.154.777
set transform-set esp-3des-sha1
set pfs group2
match address 107
crypto map vpn 9 ipsec-isakmp
description Top Tunnel
set peer 216.201.140.999
set transform-set esp-3des-sha1
set pfs group2
match address 109
crypto map vpn 10 ipsec-isakmp
description HardyOak Tunnel
set peer 66.64.51.100
set transform-set esp-3des-sha1
set pfs group2
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
no ip address
ip mtu 1400
!
interface FastEthernet0
ip address 216.201.143.222 255.255.255.240
ip mtu 1460
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
crypto ipsec df-bit clear
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.201.143.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=16
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Jul 27, 2010 16:53
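One thing a reviewer of the configuration above would check mechanically is whether the traffic each crypto map selects is exempted from NAT: `ip nat inside source route-map SDM_RMAP_1 ... overload` translates anything ACL 102 permits, and a packet that is translated before the crypto map sees it no longer matches the tunnel's traffic selector. The script below is an added example written for this page (not the poster's code, not Cisco's, and not what SDM does internally). It parses an excerpt copied from the posted config (crypto map entries, numbered ACLs and the NAT route-map; peers, keys and interfaces left out) and reports every crypto-map ACL entry whose traffic ACL 102 would still permit for translation. Its ACL grammar is deliberately small: `any`, `host A.B.C.D` and address/wildcard pairs on `ip` entries.

```python
import re
from ipaddress import IPv4Network

# Excerpt of the configuration posted above (crypto maps, ACLs and the NAT route-map
# only). Sample input for the check, copied from the thread rather than a live device.
POSTED_CONFIG = """\
crypto map vpn 5 ipsec-isakmp
 match address 105
crypto map vpn 6 ipsec-isakmp
 match address 106
crypto map vpn 7 ipsec-isakmp
 match address 107
crypto map vpn 9 ipsec-isakmp
 match address 109
crypto map vpn 10 ipsec-isakmp
 match address 101
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=16
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
"""


def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    # ipaddress accepts a hostmask (IOS wildcard) after the slash and inverts it
    return IPv4Network(t + "/" + tokens.pop(0))


def parse_config(text):
    """Return (acls, crypto_acls, nat_acl): acls maps ACL number -> [(action, src, dst)],
    crypto_acls lists (crypto map seq, ACL number), nat_acl is the NAT route-map's ACL."""
    acls, crypto_acls, route_maps = {}, [], {}
    nat_rmap, cur_seq, cur_rmap = None, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip":
            rest = tok[4:]
            src, dst = _addr(rest), _addr(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            cur_seq, cur_rmap = int(tok[3]), None
        elif tok[:2] == ["match", "address"] and cur_seq is not None:
            crypto_acls.append((cur_seq, tok[2]))
        elif tok[0] == "route-map":
            cur_rmap, cur_seq = tok[1], None
        elif tok[:3] == ["match", "ip", "address"] and cur_rmap:
            route_maps[cur_rmap] = tok[3]
        elif raw.startswith("ip nat inside source route-map"):
            nat_rmap = tok[5]
    return acls, crypto_acls, route_maps.get(nat_rmap)


def _translated(nat_entries, src, dst):
    """True if src->dst hits a permit in the NAT ACL before any deny (first match wins)."""
    for action, e_src, e_dst in nat_entries:
        if src.overlaps(e_src) and dst.overlaps(e_dst):
            return action == "permit"
    return False  # no entry matches: the route-map does not apply, so no translation


def nat_exemption_gaps(text):
    """Crypto-map selectors whose traffic would be NATted before encryption."""
    acls, crypto_acls, nat_acl = parse_config(text)
    nat_entries = acls.get(nat_acl, [])
    gaps = []
    for seq, acl_no in crypto_acls:
        for action, src, dst in acls.get(acl_no, []):
            if action == "permit" and _translated(nat_entries, src, dst):
                gaps.append((seq, acl_no, str(dst)))
    return gaps


def missing_crypto_acls(text):
    """Crypto-map entries that reference an ACL the config never defines."""
    acls, crypto_acls, _ = parse_config(text)
    return [(seq, n) for seq, n in crypto_acls if n not in acls]


if __name__ == "__main__":
    for seq, acl_no, dst in nat_exemption_gaps(POSTED_CONFIG):
        print(f"crypto map vpn {seq}: traffic to {dst} (ACL {acl_no}) is still NATted")
```

Run against the excerpt, the script reports crypto map entries 5, 6, 7 and 9: ACL 102 only denies 192.168.11.0/24 (the HardyOak tunnel), so traffic for the other four remote networks is still permitted for translation and therefore never matches its crypto ACL. Every crypto map entry does reference an existing ACL.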
- Bardlebee
This is more of just a general network question:
Isn't it best practice, if you can, to connect a switch to a router on a one-per-port basis?
What I mean is, currently at my new position the old IT people that they had outsourced set up the network so that the router is connected to one switch and then the other two switches are daisy-chained onto each other. So Switch1 goes to the router, Switch2 is connected to Switch1, and Switch3 is connected to Switch2.
Wouldn't this create a lot of unnecessary network traffic? My Cisco router that we just bought has 8 FastE ports on it; I would think it would be better from a network traffic point of view just to connect each one to a port. As in Router to Switch1, Router to Switch2, and Router to Switch3.
Perhaps someone with more experience in this field could tell me if this matters or not.
Aug 2, 2010 20:51
- Bardlebee
Yeah, we have 120 users, so it's not a huge deal, but I am going to take it off this daisy chain situation.
Aug 3, 2010 05:40
- Bardlebee
Yeah, they are all unmanaged switches. I plugged them separately into the router and they seem to work fine. Time will tell.
Aug 3, 2010 20:17
- Bardlebee
Everything is going fine so far except that whatever computer has a static IP address cannot get out to the internet. I can, however, ping things via IP address, so it almost seems like a DNS issue, but the computers that are set to dynamic IP can get out just fine. I am not sure what I am doing wrong exactly.
Also, should I delete the following lines?
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
Here is my sh run; I deleted the last octet of certain IPs for privacy:
code:
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383732 38393635 3630301E 170D3130 30363235 31363337
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373238
39363536 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BE8A B5790460 A9253C5A 38A1933A 19925684 71E3593E F352827B CA66CCC1
024EEC73 63C2FB7E DE069B52 F335D5EA A1A0839F A9E6104E EC45ABFA 8DA03006
BD0FE01F 35D15726 8D8E23E5 21BCD930 D220CE65 4528F3DC BA15C82F 4720549B
5EA44127 8DA7E630 EC359BC4 502C5E31 9DC8DA5E FF3D0393 DE10ED8D BC0013F5
2FD30203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E57472D 53545343 2E574753 54534330 1F060355 1D230418
30168014 176C5BC2 2E35E8A6 02309904 DA180631 A77880D9 301D0603 551D0E04
16041417 6C5BC22E 35E8A602 309904DA 180631A7 7880D930 0D06092A 864886F7
0D010104 05000381 81008D31 D77BC5FC 24ECF53F D08E4371 5677043A 6A3F0D17
4E066A7B 8AB49E22 3B8F260F B8BB3723 2F10042A 66D44365 04F56FDB CD6DD582
7C1C0E80 E73093F2 00880ECB 11050139 A40B8767 F6D7EF2B BA3DDE2F 8DFA7D3C
58B8C04C 209A6D80 2C55F9B2 53BC4827 C92DEB9E E3865133 B6111C49 E98E486D
8C638C74 52170C4E AEBA
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key s address 66.64.51.
crypto isakmp key s address 209.206.174.
crypto isakmp key s address 24.153.154.
crypto isakmp key s address 97.77.188.
crypto isakmp key s address 216.201.140.
crypto isakmp key s address 216.201.142.
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 4 ipsec-isakmp
description WGPhysicalTherapy
set peer 216.201.142.
set transform-set esp-3des-sha1
set pfs group2
match address 104
crypto map vpn 5 ipsec-isakmp
description SanMarcos Tunnel
set peer 209.206.174.
set transform-set esp-3des-sha1
match address 105
crypto map vpn 6 ipsec-isakmp
description NewBraunfels Tunnel
set peer 97.77.188.
set transform-set esp-3des-sha1
set pfs group2
match address 106
crypto map vpn 7 ipsec-isakmp
description Laredo Tunnel
set peer 24.153.154.
set transform-set esp-3des-sha1
set pfs group2
match address 107
crypto map vpn 9 ipsec-isakmp
description Topperwein Tunnel
set peer 216.201.140.
set transform-set esp-3des-sha1
set pfs group2
match address 109
crypto map vpn 10 ipsec-isakmp
description HardyOak Tunnel
set peer 66.64.51.
set transform-set esp-3des-sha1
set pfs group2
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
no ip address
ip mtu 1400
ip tcp adjust-mss 1436
!
interface FastEthernet0
ip address 216.201.143. 255.255.255.240
ip mtu 1460
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
crypto ipsec df-bit clear
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.201.143.
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Aug 9, 2010 16:02
- Bardlebee
Question, if I pick the DNS server to be my router 192.168.2.1 in that same static IP situation, shouldn't the router relay the DNS information? Do I really have to statically set every static PC (there aren't that many) with an outside DNS and not my router to automatically find or use my current one?
Isn't that what the command:
dns-server 1.1.1.1
is for?
Aug 9, 2010 22:37
- Bardlebee
Martytoof posted:
Out of the box, as long as a router has a next hop route for a packet it'll send it on. I don't think there are any restrictions until you add them yourself.
Well, to explain my problem a bit: I was told that as soon as I installed my new Cisco 1811, this old-as-crap device stopped working:
http://www.amazon.com/Dell-Axim-X5-400-Pocket/dp/B00007GPI1
We have other devices like this that are newer (and don't require a plugged in wireless card) but they can connect to the wireless just fine. To me, the settings look the same on both devices. I guess the only good way to test out whether it is my device or the new router is to take it home and try it on my wireless network....
Currently we use WPA-PSK as our wireless encryption, though this bit of information probably isn't helpful.
Aug 16, 2010 18:55
- Bardlebee
Powercrazy posted:
If other devices are working wirelessly through the router, then it's not the settings on the router, it's an incompatibility somewhere. Maybe the device only works with 802.11b, and the router isn't using that, so you have to turn it on. Maybe the device doesn't understand a key length greater than 48 bits? Who knows, but it's obviously a device limitation, and not a router security issue.
That said, check some basic things on the router, sh mac-address-table look for the device mac, check that it is being assigned an IP, sh arp, possibly debug the wireless association process.
Actually, the device uses a device that utilizes 802.11b; it is that old. Could this be the issue? Can I implement something in the router to accept this?
I should mention that it is not being assigned an IP.
EDIT EDIT: Oh, also our WAPs are basic Netgear wireless. Those WAPs are connected to my 1811 and they are running WPA-PSK.
Bardlebee fucked around with this message at 22:01 on Aug 16, 2010
Aug 16, 2010 21:53
- Bardlebee
Martytoof posted:
Has the WAP configuration changed? If the 'b' devices can't connect, make sure that you're not operating in 'g' only mode or something like that.
Nothing has changed.
Strangely enough, if they take this device to an off-site location they can connect to the router and get internet; however, when they try to get on to the server that's behind my new shiny (refurbished) Cisco router, it doesn't work. On site, it simply can't grab an IP, probably for the same reason it can't get through the Cisco. On site meaning the Cisco is the main router; my off-site locations have the same lovely retail routers.
I say throw this palm pilot out, as it was made in the nineties; sadly I won't get this option.
My WAPs support a/b/g and are currently running WPA-PSK, TKIP. Which makes me wonder if I should try just switching to WPA-PSK+WPA2-PSK, AES mode just to see what happens.
It seems like it's the device's limitations, but drat, I really don't want that to happen because I guarantee you they will take down my new router (which has made our network a beautiful dream of stability) and replace it back with that 100 dollar piece of garbage. Eh, rant.
Aug 16, 2010 22:56
- Bardlebee
Martytoof posted:
Wait can you doodle up a little thing of how your network is laid out (if you can)? Is the DHCP server on a separate network from the WAP? You will actually need to issue the ip helper-address command on the interface connected to the WAP's network to get it to pass those on.
edit: Nevermind, you mentioned some devices could connect. I'm not making any sense. Please ignore.
I can doodle something. Essentially, for purposes right now, as I do not have the tools right here...
I have the 1811, which is purely wired. DHCP comes from it and it does NAT and VPN connections; that's it. Connected to that are my WAPs, which are Netgear WAPs, and yes, I haven't had a problem until this 802.11b-hi-im-from-nineteen-nineties device. I just tried it at home as well, and it locks up on me, so I am going to try it at another site tomorrow and see if I get the same issue.
I am calling it on the device itself, but will let you know. Thanks for the help on this.
Aug 17, 2010 03:52
- Bardlebee
Ok, I connected this old piece of garbage (this palm) to my network where I installed the Cisco 1811. I switched over one of our WAPs to WEP and it connected fine, except it is not getting granted an IP address. It always tries and gets stuck with 169.254.something.windowsIP. So, it's not getting an IP from the router. Is there a reason for this? It seems it can connect fine to the WAP, but the router says no. It seems that due to this device being unable to handle new and shiny things, it is causing much frustration. Any clues on how I can get traffic to go through this Cisco with this device or to get an IP address for this little thing?
One more question... how do I completely open a port on the Cisco? If I wanted to do port 60001, would it be a part of the access-list like this:
access-list 107 permit tcp any any 60001
Things we know:
Palm is using 802.11b
Only connects with WEP; WPA or WPA2 is not available to it.
It can connect off site (I found out off site uses WEP, to my everlasting shame; this is changing)
They can get internet off site, but again cannot get to my servers back at the main office where I installed the Cisco.
Bardlebee fucked around with this message at 17:57 on Aug 17, 2010
Aug 17, 2010 17:12
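Before pasting a proposed ACL line such as the one in the question above into a running config, two things are worth checking mechanically: that the entry is syntactically an extended ACL entry at all (a TCP port match needs an operator such as `eq` in front of the port number), and whether the ACL number is already in use as a crypto-map traffic selector, since in the configuration posted earlier in this thread ACL 107 is the `match address` of the Laredo tunnel, and any entry added to it changes what that tunnel tries to encrypt. The script below is an added example written for this page (not the poster's, not Cisco's); it covers only a subset of the IOS ACL grammar (`any`, `host`, address/wildcard pairs, and `eq`/`neq`/`gt`/`lt`/`range` port operators) and reads the crypto-map references from a constructed excerpt of the posted config.

```python
import re
from ipaddress import IPv4Address

# Constructed excerpt of the crypto-map section posted earlier in the thread:
# only the lines the check needs.
POSTED_CRYPTO_MAPS = """\
crypto map vpn 7 ipsec-isakmp
 description Laredo Tunnel
 match address 107
crypto map vpn 9 ipsec-isakmp
 description Topperwein Tunnel
 match address 109
"""

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; raise ValueError if malformed."""
    if not tokens:
        raise ValueError("missing address")
    t = tokens.pop(0)
    if t == "any":
        return
    if t == "host":
        if not tokens:
            raise ValueError("host keyword without an address")
        IPv4Address(tokens.pop(0))  # raises ValueError on a bad address
        return
    IPv4Address(t)
    if not tokens:
        raise ValueError(f"address {t} without a wildcard mask")
    IPv4Address(tokens.pop(0))


def _take_port(tokens, proto):
    """Consume an optional port match (eq 80, range 1024 65535); only valid for tcp/udp."""
    if tokens and tokens[0] in PORT_OPS:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port operator {tokens[0]} needs tcp or udp, not {proto}")
        op = tokens.pop(0)
        need = 2 if op == "range" else 1
        if len(tokens) < need:
            raise ValueError(f"{op} without a port")
        del tokens[:need]


def check_extended_entry(line):
    """Return None if the line parses as an extended ACL entry, else a problem description.
    Grammar covered: access-list N permit|deny PROTO SRC [port] DST [port]."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return "not an extended access-list entry"
    if not tok[1].isdigit() or not 100 <= int(tok[1]) <= 199:
        return f"{tok[1]} is not a numbered extended ACL (100-199)"
    proto, rest = tok[3], tok[4:]
    try:
        _take_addr(rest)
        _take_port(rest, proto)
        _take_addr(rest)
        _take_port(rest, proto)
    except ValueError as exc:
        return str(exc)
    if rest:
        return f"unexpected trailing tokens {rest}: a port match needs an operator such as eq"
    return None


def crypto_acl_numbers(config_text):
    """ACL numbers referenced by crypto map 'match address' lines."""
    return set(re.findall(r"^\s*match address (\d+)", config_text, re.M))


def review_entry(line, config_text):
    """Problems with adding `line` to the config: syntax, then crypto-ACL reuse."""
    problems = []
    err = check_extended_entry(line)
    if err:
        problems.append(err)
    tok = line.split()
    if len(tok) > 1 and tok[1] in crypto_acl_numbers(config_text):
        problems.append(f"ACL {tok[1]} is a crypto map traffic selector; "
                        "adding entries changes what that tunnel encrypts")
    return problems


if __name__ == "__main__":
    for problem in review_entry("access-list 107 permit tcp any any 60001", POSTED_CRYPTO_MAPS):
        print("-", problem)
```

For the line in the question the script reports both problems: the bare `60001` has no operator, and 107 is already the Laredo tunnel's selector, so a separate ACL number is the place for any new filtering entry.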