
Cisco 1721 problem 2


Strawhidy

IS-IT--Management
Nov 7, 2006
35
US
I'm running into a problem where random PCs cannot play games online at my Cybercafe. Users can initially play online at times but may get kicked from an online game or simply choose another game when the problem starts. When I find one of my PCs having this problem I check to see if I can ping the PC from the main cafe management server. I can see the PC and ping it internally but multiplayer servers will not appear on any game nor will it allow me to connect to various games online such as World of Warcraft. WoW simply says "Unable to connect" when attempting to login. If I try to access the Internet using a browser I can't connect as well. If I exclude the IP from my Win2k3 DHCP server's scope and force the problem PC to get a new IP, I can connect with no problems with a new IP. My router was configured to handle dual T1s with two WICs at one point but it's been reconfigured for only one. I do have an ISA server running with its built-in firewall but it's configured to proxy all Internet traffic through our DSL line and has nothing to do with this router or the T1. I've replaced my entire Win2k3 server and completely reinstalled DHCP server as well. I've also changed ports on my Cisco 2948G switch. This problem has gotten out of hand and I would appreciate any input.



NJ#sh conf
Using 2077 out of 29688 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname NJ
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VF4H$IuHF8t1tEbXBs.YHOFnvU.
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
no ip bootp server
!
!
!
!
interface FastEthernet0
description to NetJam LAN
ip address 12.158.72.30 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip helper-address 192.168.0.5
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache policy
speed 100
!
interface Serial0
description to ATT T1
bandwidth 1536
ip address 206.121.216.162 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation ppp
no keepalive
down-when-looped
service-module t1 remote-alarm-enable
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
ip nat pool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29
ip nat inside source list 1 pool 2T1S overload
ip nat inside source static tcp 192.168.0.5 80 12.158.72.30 80 extendable
ip nat inside source static udp 192.168.0.5 80 12.158.72.30 80 extendable
ip nat inside source static tcp 192.168.0.200 8082 12.158.72.30 8082 extendable

!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 12.158.72.0 0.0.0.255
access-list 1 permit 206.121.216.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 06080A35464F04485744
login
!
end
 
Did you fix the router for him when you telneted to it? lol.



----------------------------------
Bill
 
No---he's got an enable secret...lol

Change the NAT to this...
ip nat pool NAT 12.158.72.31 12.158.72.36 netmask 255.255.255.248
ip nat inside source pool NAT int s0 overload
no ip nat inside source list 1 pool 2T1S overload
no ip nat pool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29

Burt
 
Chances are 99% its the same password.

----------------------------------
Bill
 
Anywhoo, do what Burt says, and please enable an access list on the outside interface, for incoming traffic, to limit it to the IPs you are going to manage it from.

Also suggest an ACL on the inside interface to the specific IPs you want to manage it from internally.

Add a user with a secret password, and enable local auth for your terminals (ssh, telnet, vty, console, etc)

----------------------------------
Bill
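One way to check a posted IOS config for the management-plane points Bill raises (no access-class on the vty lines, cleartext telnet, a reversible type 7 line password, no local user database). This is an added example, not code from the thread or from Cisco; the sample config is constructed from the relevant lines of the posted "sh conf" with the hashes replaced by placeholders.

```python
import re

# Constructed sample modelled on the posted config; secrets replaced by placeholders.
SAMPLE_CONFIG = """\
enable secret 5 <hash-redacted>
no aaa new-model
line con 0
line aux 0
line vty 0 4
 password 7 <type7-redacted>
 login
end
"""

def vty_blocks(config: str):
    """Yield the command list of each 'line vty' section; sub-commands belong to
    it until the next top-level 'line', '!' or 'end' (indentation not required)."""
    block = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            if block is not None:
                yield block
            block = [cmd] if cmd.startswith("line vty") else None
        elif cmd in ("!", "end"):
            if block is not None:
                yield block
            block = None
        elif block is not None and cmd:
            block.append(cmd)
    if block is not None:
        yield block

def audit_management_access(config: str) -> list:
    """Return one finding string per weakness discussed in the thread."""
    findings = []
    has_local_user = re.search(r"^username \S+ (secret|password)", config, re.M) is not None
    if re.search(r"^enable password ", config, re.M):
        findings.append("global: 'enable password' is weaker than 'enable secret'")
    for block in vty_blocks(config):
        name, body = block[0], block[1:]
        if not any(c.startswith("access-class") and c.endswith(" in") for c in body):
            findings.append(f"{name}: no 'access-class ... in', management open to any source")
        transport = [c for c in body if c.startswith("transport input")]
        if not transport or any(re.search(r"\b(all|telnet)\b", t) for t in transport):
            findings.append(f"{name}: telnet (cleartext) accepted on transport input")
        if any(c.startswith("password 7 ") for c in body):
            findings.append(f"{name}: type 7 line password is reversible, use a local user with 'secret'")
        if "login local" not in body and not has_local_user:
            findings.append(f"{name}: no local user database ('username ... secret' + 'login local')")
    return findings
```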
 
The enable (level 7) passwords and secret cannot be the same.

Burt
 
If you say so.. but they can (I tested on my devices (1750, 1811, 1841, and 2611) :D

Anyways, I hope the original poster comes back and reads this. For running a business that depends on this router, and posting the hashes, they could be in for some issues.



----------------------------------
Bill
 
I did too---on some devices, it comes back with an error. I guess you can---one of my 2924 switches at home is like that...

Burt
 
Thanks for the tips guys. I have limited experience with routers and I'm not sure how to change the password or what commands I use to make the changes you mentioned Burt. I attempted to change the password and believe I was successful but I don't know if I left any holes in my security. I know about adding or removing NAT statements but that's about it. I'm not sure how to enter the commands you listed below;

line vty 0 4
trans in ssh
hostname bla
crypto key gen rsa

and

ip nat pool NAT 12.158.72.31 12.158.72.36 netmask 255.255.255.248
ip nat inside source pool NAT int s0 overload
no ip nat inside source list 1 pool 2T1S overload
no ip nat pool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29

 
Log into the router, go to enable mode
Type the following

conf t

then enter the following lines in (I assume you're using telnet?)

line vty 0 4
trans in ssh telnet

crypto key gen rsa

and the rest of the commands burt entered.

----------------------------------
Bill
 
I entered the first command (line vty 0 4) with no problem however, the second command (trans in ssh telnet) doesn't seem to work and gives me the following error:

NetJam(config-line)#trans in ssh telnet
^
% Invalid input detected at '^' marker.

When I type in "trans in ?" it only shows that I can include the following commands:

NetJam(config-line)#trans in ?
all All protocols
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
telnet TCP/IP Telnet protocol
udptn UDPTN async via UDP protocol

I haven't entered any other commands yet.

 
Which of these commands should I still enter?

line vty 0 4
trans in ssh
hostname bla
crypto key gen rsa

ip nat pool NAT 12.158.72.31 12.158.72.36 netmask 255.255.255.248
ip nat inside source pool NAT int s0 overload
no ip nat inside source list 1 pool 2T1S overload
no ip nat pool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29
 
hostname bla
crypto key gen rsa

ip nat pool NAT 12.158.72.31 12.158.72.36 netmask 255.255.255.248
ip nat inside source pool NAT int s0 overload
no ip nat inside source list 1 pool 2T1S overload
no ip nat pool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29
 
I entered all the commands you posted and this is what I got in return;

nj(config)#hostname nj-rtr
nj-rtr(config)#crypto key gen rsa
^
% Invalid input detected at '^' marker.

nj-rtr(config)#$ NAT 12.158.72.31 12.158.72.36 netmask 255.255.255.248
%Pool NAT mask 255.255.255.248 too small; should be at least 255.255.255.192
%Start and end addresses on different subnets
nj-rtr(config)#ip nat inside source pool NAT int s0 overload
^
% Invalid input detected at '^' marker.

nj-rtr(config)#no ip nat inside source list 1 pool 2T1S overload

Dynamic mapping in use, do you want to delete all entries? [no]: no
%Error: Dynamic mapping in use, cannot remove
nj-rtr(config)#$ool 2T1S 12.158.72.30 12.158.72.30 prefix-length 29
%Pool 2T1S in use, cannot destroy
nj-rtr(config)#
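The two %Pool errors above come from the mask and range checks IOS applies to an "ip nat pool ... netmask ..." statement. As an added example (not code from the thread or from Cisco), this Python check reproduces those two checks and also tests whether a pool fits inside the outside address block, assuming the 12.158.72.30/29 address from the posted FastEthernet0 config.

```python
import ipaddress

def smallest_mask(start: str, end: str) -> str:
    """Smallest netmask whose subnet holds both pool ends; this is the value
    IOS quotes in '%Pool ... mask too small; should be at least ...'."""
    diff = int(ipaddress.IPv4Address(start)) ^ int(ipaddress.IPv4Address(end))
    prefix = 32 - diff.bit_length()        # host bits needed to span the range
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def check_nat_pool(start: str, end: str, netmask: str) -> list:
    """Reproduce the two checks behind the errors in the thread; [] means accepted."""
    errors = []
    given = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    need = smallest_mask(start, end)
    if given > ipaddress.IPv4Network(f"0.0.0.0/{need}").prefixlen:
        errors.append(f"mask {netmask} too small; should be at least {need}")
    s_net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    e_net = ipaddress.ip_network(f"{end}/{netmask}", strict=False)
    if s_net != e_net:
        errors.append("start and end addresses on different subnets")
    return errors

def pool_fits_interface(start: str, end: str, iface: str) -> bool:
    """Sanity check: every pool address is a usable host of the interface's
    subnet (not network/broadcast) and not the interface's own address."""
    intf = ipaddress.ip_interface(iface)          # e.g. "12.158.72.30/29"
    usable = set(intf.network.hosts()) - {intf.ip}
    s = int(ipaddress.IPv4Address(start))
    e = int(ipaddress.IPv4Address(end))
    return all(ipaddress.IPv4Address(a) in usable for a in range(s, e + 1))

if __name__ == "__main__":
    # The pool from the thread: .31 is the broadcast of 12.158.72.24/29 and .36
    # lies in the next /29, so IOS rejects it twice.
    for err in check_nat_pool("12.158.72.31", "12.158.72.36", "255.255.255.248"):
        print("%Pool NAT", err)
    print(pool_fits_interface("12.158.72.25", "12.158.72.29", "12.158.72.30/29"))
```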
 
you don't need the "crypto key gen rsa" since your router does not support SSH.

for the question that you answered NO to, you need to answer YES

This will probably disrupt service to your clients, so please schedule some downtime, or do it during off hours.

If everything breaks, you can always just reboot the router and it will restore the config you last saved.

Once all the new commands are in, and you have proved/tested that it's working, do a "copy run start" and then it will save your configuration

----------------------------------
Bill
 
Thanks for the help on this folks but the advice you're giving me seems to only address security on the router. Should these changes also prevent customers from being denied online access from the router as the original post mentioned?
 
The NAT statements are fixing your problem of the PCs dropping off the network.

----------------------------------
Bill
 
why would you have your public IP address set as secondary to your internal interface?

interface FastEthernet0
description to NetJam LAN
ip address 12.158.72.30 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0

CCNA, A+, HP Certified Professional
 