Cisco 2600 Router - on private network

McCisco

Technical User
Oct 29, 2006
81
US
I am connected to the internet via cable modem. I have a Linksys broadband router\gateway (acting as a gateway) between me and the cable modem. I also have a Cisco 2600 router with a Cisco 2950 switch behind the Cisco 2600 router. The router has a statically assigned address for the e0/0 interface. Everything works great on the internal network. The Cisco 2600 router cannot see the outside world (the internet). So no PCs connected to the 2950 switch can use the internet or ping anything outside the private network. The Cisco 2600 router cannot ping any internet addresses. Here is a "sho run" from the 2600 router. As you can see from the output there are some other routers, but they do not come into play in this situation. All the Cisco 2600 routers are directly connected to the Linksys broadband router\gateway. I am working toward a multi-segment private network to emulate WAN sites. I eventually want to pass ALL traffic through one of the 2600 routers and use ACLs for a firewall. I have a total of 4 2600 routers, 2 2950 switches and 2 3500 switches. Any help would be great.
~~~~~~~~~~~~
Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname R2_2600
!
enable secret 5 $1$/4El$zi1sBzhE9Pe3XHy60sVHj/
enable password 7 110A1016141D5A5F5C
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.205 255.255.255.0
!
interface Serial0/0
ip address 192.168.3.100 255.255.255.0
clockrate 56000
!
router rip
network 192.168.1.0
network 192.168.3.0
neighbor 192.168.4.100
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip route 192.168.4.0 255.255.255.0 192.168.3.0
ip route 192.168.5.0 255.255.255.0 192.168.1.0
!
!
line con 0
line aux 0
line vty 0 4
password 7 151804040A337A7770
login
!
end
~~~~~~~~~~~~
 
You make several references to the fact that you have only 1 2600, like "a Cisco 2600 Router with a Cisco 2950 switch", and then you say
"All the Cisco 2600 routers are directly connected to the Linksys broadband router\gateway."
Is your topology like this?
modem-linksys-2600-2950-you
Please be more specific with your topology. Also, can the Linksys see the outside? How about your PC?
One more thing---cisco138 and johny138 are pretty easy to crack. Enable secret takes care of that. Later.

Tim

 
Here is my topology; I did not see how to attach a file. I only made reference to one 2600 because I have the others turned off. The Linksys and my PC "me" see the outside world OK. The 2600 or anything behind it cannot. The 2600 works great on the inside; all the switches and routers can telnet and ping each other with no problems, but they cannot see the outside world. I have enable secret turned on. How were you able to tell what the passwords were?
***enable secret 5 $1$/4El$zi1sBzhE9Pe3XHy60sVHj/****
***enable password 7 110A1016141D5A5F5C****

~ Why can't I copy pics or attach files?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Internet --- Linksys router\gateway --- ME
| | |
| R2600 R2600
R2600 |
| S3550
|
S2950
|
PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


 
...the problem is the modem does not know how to route to those addresses behind the internal router...I think

...why don't you hook that 2600 up to the cable modem...that's just ethernet, right?
...then you can have more control in areas of mapping, PATing, NATing, etc.
..you could have the Linksys modem hooked up behind the 2600..and set up routing tables in the 2600 to find those subnets behind the Linksys..also set up some type of VPN from clients through Linksys to 2600 for truer encryption.

..below is a link to a similar problem..he was using DSL but it is based on the same concept..

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
I would like to set up one of the 2600s directly to my cable modem, but I am not sure how to do a couple of things. I would point f0/0 toward the outside world (internet) and f0/1 toward the private network. I would need to be clear on a few things. I will take a look at the link you posted.

- Few things:
~ How do I configure f0/0 to get a DHCP address from the cable modem?
~ Can the 2600 act as a GOOD firewall?
~ What ACL would I use to stop all the unwanted incoming traffic?
~ How would I configure f0/1 to hand out NAT addresses?
~ Can I use outgoing ACL to block access to internet addresses or websites?
~ I also want to be able to use my routers and switches for a test lab for CCNA prep.
~ Can I create a DMZ between two 2600 routers?
 
Follow these links---the first is how to crack level 7 passwords. Enable secret cannot, but a lot of people use the same password for the enable secret and the level 7 password. If the attacker knows the level 7 passwords, then the enable secret is easier to guess.
The second link describes putting a username and password in with stronger encryption, on top of the enable secret.
First link...second link...The second is thanks to DanInRaleigh, as he answered a post of mine.

Tim
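
Added example, not part of the thread and not any poster's code: a small Python audit for the points raised in the post above (type 7 passwords, a leftover enable password beside enable secret, a vty line password over telnet). The sample config, its placeholder strings and the finding codes are constructed for illustration; nothing is decoded.

```python
import re

# Constructed sample modelled on the configs in this thread. The hash and
# type 7 strings are placeholders, not values from any device.
SAMPLE = """\
service password-encryption
enable secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXX
enable password 7 051122334455
username lab password 7 051122334455
line con 0
 password 7 0899AABBCCDD
 login
line vty 0 4
 password 7 051122334455
 login
 transport input telnet
end
"""

TYPE7 = re.compile(r"(?:enable password|username \S+ password|password) 7 (\S+)")
SECTION = re.compile(r"(?:line|interface|router) ")

def audit(config):
    """Return (line_no, code, detail) findings. Nothing is decoded."""
    lines = [l.strip() for l in config.splitlines()]  # forum pastes lose indentation
    has_secret = any(l.startswith("enable secret ") for l in lines)
    findings, seen, section = [], {}, ""
    for no, line in enumerate(lines, 1):
        if SECTION.match(line):
            section = line          # remember which block we are inside
        elif line in ("!", "end"):
            section = ""
        m = TYPE7.match(line)
        if m:
            findings.append((no, "TYPE7", "reversible encoding, not a hash"))
            if m.group(1) in seen:  # identical strings mean an identical password
                findings.append((no, "REUSE", f"same string as line {seen[m.group(1)]}"))
            seen.setdefault(m.group(1), no)
        if line.startswith("enable password") and has_secret:
            findings.append((no, "REDUNDANT", "enable secret takes precedence; remove"))
        if line == "login" and section.startswith("line vty"):
            findings.append((no, "LINEPW", "shared line password; use login local"))
        if line == "transport input telnet":
            findings.append((no, "TELNET", "management session is cleartext"))
    return findings

if __name__ == "__main__":
    for no, code, detail in audit(SAMPLE):
        print(f"line {no}: {code}: {detail}")
```

Two type 7 strings that differ can still hide the same password, so the REUSE finding is a lower bound on reuse.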
 
...additional information...I'm sure more people will add/take away..

..thanks Tim for the update on passwords...


~ How do I configure f0/0 to get a DHCP address from the cable modem?..link below
~ Can the 2600 act as a GOOD firewall?..yes
~ What ACL would I use to stop all the unwanted incoming traffic?..link below
~ How would I configure f0/1 to hand out NAT addresses?..link below
~ Can I use outgoing ACL to block access to internet addresses or websites?..yes
~ I also want to be able to use my routers and switches for a test lab for CCNA prep...shouldn't be a problem
~ Can I create a DMZ between two 2600 routers?..yes, with access-lists..

below is nat

below is dhcp

..below common acl's..more complete solution in firewall examples

below are a couple you will need for firewall..and yes it will be a good firewall

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
Thanks guys,
I will use the links and give it a try. I will let you know over the next couple of days.

Thanks again for your help.
 
Any recommendations on code levels for my equipment?

~ 4 - 2600 routers
~ 2 - 2950 switches
~ 2 - 3500 switches


Thanks,
 
I didn't see how I can configure f0/0 to get a DHCP address from the public side of the network, to take the place of my Linksys.
 
...you didn't see this on f0/0..or whichever


perimeter_route(config-subif)#ip address dhcp

..please explain more for below...

Any recommendations on code levels for my equipment?

~ 4 - 2600 routers
~ 2 - 2950 switches
~ 2 - 3500 switches


CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
thanks dan..

For the code, I was just wondering what is the latest approved code for these switches and routers ....

thanks,
 
R4_2600#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4_2600(config)#int f0/0
R4_2600(config-if)#ip address dhcp
^
% Invalid input detected at '^' marker.

R4_2600(config-if)#
 
..ouch!

what IOS are you using..
.....add..you might want the IOS firewall feature set..below..

flash:c2600-ik9o3s3-mz.123-19.bin

..what IOS, how much flash/dram does your router support..


CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
xxxxxxxxxxxxxxx
..I double checked the dhcp..never mind, it's a subinterface..
...it works...so the above IOS ver will support dhcp on interface...

interface FastEthernet0/0.100
encapsulation dot1Q 121
ip address dhcp
xxxxxxxxxxxxxxxxxxxxxx

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
Here is a "sho ver" from the router I am using.

~~~~~~~~~~~~
sho ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
R4_2600 uptime is 30 minutes
System returned to ROM by power-on
System image file is "flash:c2600-is-mz.120-7.T"
cisco 2621 (MPC860) processor (revision 0x102) with 32768K/8192K bytes of memory.
Processor board ID JAD04510FOO (889883197)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

R4_2600#


~~~~~~~~~~~~
 
R4_2600# config t
Enter configuration commands, one per line. End with CNTL/Z.
R4_2600(config)#int f0/0.100
R4_2600(config-subif)#ip address
% Incomplete command.

R4_2600(config-subif)#ip address ?
A.B.C.D IP address

R4_2600(config-subif)#ip address dhcp
^
% Invalid input detected at '^' marker.

R4_2600(config-subif)#
 
~ CODE UPGRADE GONE WRONG -- I TFTP'd the code image file to the router, did the "reload" command and got the following output --- thoughts?


~~~~~~~~~~~~~~
tcp
R4_2600# TCP he
R4_2600#ression
R4_2600#s
R4_2600#sho ver
Cisco Internetwork Operating System Softwaree IP processing without an explicit address
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)bles Enable sending ICMP Unreachable messagesuptime
Copyright (c) 1986-1999 by cisco Systems, Inc. Enable per packet validation600
Compiled Tue 07-Dec-99 02:21 by phanguyeMI
vrf VPN Routing/For
Image text-base: 0x80008088, data-base: 0x80C52bnet-zero
!
!
cisco 2621 (MPC860) processor (revision 0x102) with 32768K/8192K bytes of memory55.255.255.0
R4_2600(config-if)#ip address dhcp
no ip directed-broadcast
.
Processor board ID JAD04510FOO (889883197)
speed auto
% Invalid input detec
M860 processor: part number 0, mask 49
network

R4_2600(config-if)
Bridging software.efault-gateway 19

X.25 software, Version 3.0.0.
ip classless
% Inva
2 FastEthernet/IEEE 802.3 interface(s)Enter configuration commands, one

R4_
*** System received a Software forced crash ***
signal= 0x17, code= 0x4, context= 0x8000c0c0
PC = 0x0, Vector = 0x0, SP = 0x0

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 40960 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0xf4b1f4

Error : memory requirements exceed available memory
Memory required : 0x0283F734

*** System received a Software forced crash ***
signal= 0x17, code= 0x4, context= 0x8000c0c0
PC = 0x0, Vector = 0x0, SP = 0x0

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 40960 Kbytes of main memory

rommon 1 >

~~~~~~~~~~~~~~
 
McCisco.
I have the same original setup you have. I chose that setup so my family can enjoy the internet while I work on my hobby. If I was to put my 3600 right behind my DSL modem I would have a pissed off family every time I made a mistake. I, too, have the same problem with passing traffic to the internet. It was nice to see that others are having this problem. There should be a way to do this and I will take this problem to work and see if someone can shed some light.
DanInRaleigh. Thanks for your support and suggestions.
 
Hi.

I have this setup:

Internet<-->CableModem<-->2514<-->2924<-->4 2620 and 2 more switches. I have DHCP running on my 2514 and 8 computers inside my LAN with internet without any problem. This is my conf on the 2514.

Code:
Current configuration : 2068 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname DHCP-Server
!
logging buffered 50000 debugging
logging console warnings
enable secret 5 XXXXXXXXXXXXXXXXXXX
!

clock timezone GMT -5
clock summer-time GMT recurring 1 Sun Mar 2:00 2 Sun Nov 2:00
ip subnet-zero
no ip source-route
no ip domain-lookup
ip dhcp excluded-address 172.16.0.1 
ip dhcp excluded-address 172.16.0.2 172.16.0.50
ip dhcp excluded-address 172.16.15.254
! 
ip dhcp pool DHCP
network 172.16.0.0 255.255.240.0
default-router 172.16.0.1 
dns-server 64.X.X.X 
! 
no ip bootp server 
! 
! 
interface Loopback1
ip address 172.16.0.2 255.255.240.0
! 
interface Ethernet0
description "The Big Door WAN "
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip route-cache
no ip mroute-cache
no cdp enable
! 
interface Ethernet1
description "Private LAN" Subnet-1
ip address 172.16.0.1 255.255.240.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip route-cache
no ip mroute-cache
no cdp enable
! 
! 
interface Serial0
no ip address
shutdown 
! 
interface Serial1
no ip address
shutdown 
! 
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
ip pim bidir-enable
! 
access-list 1 permit 172.16.0.0 0.0.15.255
! 
banner motd ^C



This is a Private Device - Unathorized Access is Prohibited



^C 
! 
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXX
logging synchronous
login 
line aux 0
line vty 0 4
exec-timeout 2 0
password 7 XXXXXXXXXXXXX
logging synchronous
login 
transport input telnet
! 
end

Take a look and any question just post them.
 