Connecting to and Configuring Cisco Routers with ‘Cisco Configuration Professional’

KB ID 0000512 

Problem

It’s not often I work on Cisco routers, but as I tend to do most of the Cisco ASA Firewalls, I’m the unofficial “Cisco Guy”. Which is fine until someone wants a router or some complex switching, then I need to do some heavy duty frowning.

Last time I put in a Cisco router it was a baby Cisco 800 series (an 877W) so I assumed the 1921 ISR router I had to put in would be the same. Before I used the Cisco SDM console that’s now either depreciated or not used, and a quick look in the flash memory of the router told me there was nothing in there apart from the IOS.

Now for all your web based router needs, you use the “Cisco Configuration Professional” software, it comes in two flavours:

1. Express – this installs on the router itself and is a cut down version.

2. PC Version – the full suite of tools installs on a Windows PC (that has Java installed) Note: is does NOT need anything else installing on the router.

To download the software you will need a valid Cisco CCO login and a valid support contract (or SmartNet) for your router. (download link).

Solution

1. Using the console cable provided with your router connect a PC/Laptop to the router and access using Hyperterminal or PuTTy, (See here for details).

2. Connect an ethernet port to your LAN, we are going to configure it to get an IP from DHCP (assuming you have DHCP of course if not give is a static IP address).

3. While connected via console cable, go to enable mode, set the ether net port you connected to DHCP, then configure Telnet and SSH login, and finally allow HTTP access.

Note: If you get an error message like “IP address may not be configured on L2 Links” then assign the IP address to the VLAN (usually, but not always VLAN 1).This is seen on smaller 800 series routers, to resolve also make sure the Ethernet port is NOT shutdown like this;

[box]

interface FastEthernet0
! <<<<<<<Note: Make sure the Ethernet ports you will use are NOT in a shutdown state!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192168.1..1 255.255.255.0 <<<Or use DHCP as appropriate

[/box]

4. So all being well, this is what you should see if you issue a “show run” command.

5. Lets make sure it got an IP address with “show ip interface”.

6. Install CCP on you PC and launch it > Select “Manage Devices” > Enter the IP, username and password you set earlier > OK.

7. If discovery fails make sure you’re cabled correctly and select “Discover”.

8. It connects over https so it’s normal to see this, just click yes.

9. You can now configure the router as required.

10. If you have the Security/Firewall IOS you can also manage that from here.

 

Related Articles, References, Credits, or External Links

Original Article Written 26/09/11

 

Cisco Routers – Port Forwarding

KB ID 0000533 

Problem

If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.

Solution

Assumptions

1. You have a public IP on the outside of your Router.

2. You are performing NAT from your internal range of IP address to your External IP address.

To Make Sure

1. Run the following command:

[box]PetesRouter#show run | include ip nat inside[/box]

You should see a line like,

[box]ip nat inside source list 101 interface Dialer0 overload[/box]

2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s it’s outside interface). To see what traffic is in access-list 101 is issue the following command:

[box]PetesRouter#show run | include access-list 101[/box]

You should see a line like,

[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]

3. This means permit (apply this ACL) to all traffic from 10.10.0.0/16 to anywhere. So its set to NAT all traffic from the inside network to the outside network.

4. Finally to see what IP is on your Dialer0 issue the following command:

[box]PetesRouter#show ip interface brief | exclude unassigned[/box]

You should see something like this

Now we know all traffic from 10.10.0.0/24 (All inside traffic) will be NAT translated to 123.123.123.123

Set up Port Forwarding

In this case Ill port forward TCP Port 443 (HTTPS) and TCP Port 25 (SMTP) to an internal Server (10.10.0.1).

1. First set up the static NAT translations.

[box]

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 extendable
OR If you are running with a Public DHCP address

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25

[/box]

2. Second stop that traffic being NATTED with everything else.

[box]

PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 25 any

[/box]

3. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Setup port forwarding and restrict it to an IP or network

For things like HTTPS and SMTP you might want them accessible from anywhere but you might want to lock down access for something like RDP, (TCP port 3389) if that’s the case then you need to do the following.

1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put an allow a permit at the end).

[box]

PetesRouter#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter#access-list 199 permit ip any any

[/box]

Note: To allow a network substitute the first line for,

[box]PetesRouter#access-list 199 permit tcp 234.234.234.232 0.0.0.7 host 123.123.123.123 eq 3389[/box]

Note: Cisco Routers use inverted masks, so 234.234.234.232 0.0.0.7 is 234.234.234.232 255.255.255.248 (or/29)

2. Then (as in the example above) create the static NAT translation.

[box]PetesRouter#ip nat inside source static tcp 10.10.0.1 3389 123.123.123.123 3389 extendable[/box]

3. Then (as in the example above) exempt this traffic from the default NAT ACL.

[box]PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 3389 any[/box]

4. Finally apply the ACL you created inbound on the Dialer0 interface.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#

[/box]

5. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding

Backup and Restore Cisco IOS (Switches and Routers)

KB ID 0000538 

Problem

It’s been a long time since I ran through setting up a TFTP server, but I still use 3CDeamon. Below I’ll run though the simple commands to back up, and restore the devices configuration.

Solution

Backing up a Cisco IOS Device

1. First you have to setup a TFTP server, and know the IP address of the machine it’s on!

2. Connect to the device, either via console cable, Telnet or SSH.

3. Log in > Go to enable mode > issue a “copy running-config tftp”* command > Supply the IP address of the TFTP server > Give the backup file a name.

Note: You can also use startup-config to copy the config saved in NVRAM rather than the running-config.

[box]

User Access Verification

Username: username
Password:*******

PeteRouter#enable
PeteRouter#copy running-config tftp
Address or name of remote host []? 10.10.0.1
Destination filename [PeteRouter-confg]? PeteRouter_Backup
!!
7400 bytes copied in 0.548 secs (13504 bytes/sec)

PeteRouter#

[/box] 4. If you keep an eye on the TFTP server you can see the file coming in.

Restoring a Cisco Cisco IOS Device

1. As above have your TFTP server up and running with the file you want to restore in its root directory.

2. Connect to the device either via console cable, Telnet or SSH.

3. Log in > Go to enable mode > issue a “copy tftp running-config”* command > Supply the IP address of the TFTP server > Give the backup file a name.

Note: You can also use startup-config to restore the config saved in NVRAM rather than the running-config.

[box]

User Access Verification

Username: username
Password: *******

PeteRouter#enable
PeteRouter#copy tftp running-config
Address or name of remote host []? 10.10.0.1
Source filename []? PeteRouter_Backup
Destination filename [running-config]? {Enter}
Accessing tftp://10.10.0.1/PeteRouter_Backup...
Loading PeteRouter_Backup from 10.10.0.1 (via GigabitEthernet0/0): !
[OK - 7400 bytes]

7400 bytes copied in 0.440 secs (16818 bytes/sec)

PeteRouter#

[/box]

4. Remember you have restored the running-config you would need to issue a “copy run start” command to make this config persistent (i.e. after a restart or reload of the router). If you issued a “copy tftp startup-config”, you would need to reboot for the restored config to be loaded into memory.

Related Articles, References, Credits, or External Links

Install and Use a TFTP Server

Backup and Restore a Cisco Firewall