How can I gain remote console access to my 2801?

Status
Not open for further replies.

Deepseadata

Technical User
Jul 10, 2008
I am setting up my lab at a customer site but I need to fly back to my office soon. I need to configure the router remotely from my office.

The problem is I need to put the Cisco 2801 behind a stupid Netgear router. I don't have admin access to the Netgear either. I only know its IP address and the DNS address it served my notebook via DHCP.

What can I do to get through the Netgear and into the 2801 from my office back home without doing anything to the Netgear box?

I only have 2 more days to figure it out.
 
You have to forward a remote port, like SSH, through the Netgear to the Cisco, or console connect the Cisco to a dedicated workstation/server, and log into the server remotely.

Burt
 
Set up your AUX port for modem access... Set auto answer on the modem and program your aux like this...

line aux 0
exec-timeout 30 0
logging synchronous
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware

dial tone---modem---cisco aux port---program

Be sure to set up your access username, password, etc.


SPC NVARNG
Tek-TIP Member 19,650
 
Thanks for both ideas!

I know how to do the AUX modem dial-up solution but it's long distance and I have a LOT of work to do.

I better start searching for an SSL solution quick! In the meantime, can you guys point me to a link that will help me understand exactly what is required to set up SSL?

Everyone here has internet through the Netgear but I don't think anyone is coming in remotely, there's no server, and nobody is going to let me attach to one of their PCs.
 
Can you post a sh ver? The router with the right IOS can be set up, and you can then download PuTTY for Windows (free) and SSH in with it...

Burt
 
COOL!

just told me my WAN IP address. I just hope it's correct.

So now I have my dns and my wan IP. Is there anything else (other than configuration) I need to use SSL to get into my router remotely?


Here's a capture. Feel free to tell me any mistakes that stand out. There's no SSL related stuff in there yet.

2801#SH RUN
Building configuration...

Current configuration : 5269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2801
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
!
crypto pki certificate chain TP-self-signed-3884018817
certificate self-signed 01
quit
username privilege 15 secret 5
!
!
!
!
interface FastEthernet0/0
description trunk to switches$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.50.100 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description internet interface to Netgear FWG114P$ETH-LAN$
ip address 192.168.15.223 255.255.255.0
ip nat outside
duplex auto
speed auto

interface FastEthernet0/3/0
switchport mode trunk
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
no ip address
!
interface Vlan51
description OWNER DATA
ip address 192.168.51.1 255.255.255.0
!
interface Vlan52
description GUEST DATA
ip address 192.168.52.1 255.255.255.0
!
interface Vlan53
description SHIP MANAGEMENT DATA
ip address 192.168.53.1 255.255.255.0
!
interface Vlan54
description CREW DATA
ip address 192.168.54.1 255.255.255.0
!
interface Vlan55
description SECURITY - CCTV
ip address 192.168.55.1 255.255.255.0
!
interface Vlan56
description AV1
ip address 192.168.56.1 255.255.255.0
!
interface Vlan57
description AV2
ip address 192.168.57.1 255.255.255.0
!
interface Vlan58
description SPARE - FUTURE
ip address 192.168.58.1 255.255.255.0
!
interface Vlan59
description VOICE OWNER
ip address 192.168.59.1 255.255.255.0
!
interface Vlan60
description VOICE GUEST
ip address 192.168.60.1 255.255.255.0
!
interface Vlan61
description VOICE SHIP MANAGEMENT
ip address 192.168.61.1 255.255.255.0
!
interface Vlan62
description VOICE CREW
ip address 192.168.62.1 255.255.255.0
!
router rip
version 1
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
passive-interface Vlan52
network 192.168.15.0
network 192.168.50.0
network 192.168.52.0
no auto-summary
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1000
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
!
!
!
control-plane
!
!
!
voice-port 0/2/0
!
voice-port 0/2/1
!

2801#
 
If you have your WAN IP and router IP you still need to set up the Netgear router to forward SSH packets to your router.

To do this you will need to log in to the Netgear router. I would try the default login first just to see if it works. After that just do port forwarding for SSH (default port 22) to your router at 192.168.x.x or however you have it set up.

After you set up the port forwarding, what you basically do is download PuTTY (Google it) and connect via SSH to your WAN IP address. Then you should be in!
 
One thing you might want to try is a VPN tunnel between the 2811 and another router at your office/home location. The VPN tunnel will just pass thru the Netgear.

For example, you could set up the DMVPN hub at work/home, then set up the 2811 as a spoke.
 
Is a VPN tunnel always up, or can it be established on request from the remote office?

I'm going to read up on tunneling right now. I just want to make sure that it doesn't add any traffic to my satellite link when the tunnel is not being used.

 
It can be set up both ways (remote access VPN or site-to-site VPN). For remote access, you'll need client software. You can config the 2801 as a VPN server, and use the Cisco VPN client on the PC remotely connecting to it. Let us know if you need help with the config and/or if you need a copy of the client.

Burt
 
This is a good place to start.. The Cisco link has the client as well as "stateful firewall bypass" software which may prove useful to you. Will have to check with Burt and the guys.. They may also have some different software that may be more effective.


B Haines
CCNA R&S, ETA FOI
 
I'm glad I didn't close this thread. I'm barking up all my trees at this point.

This HAS to be an easy one. I'm trying to set up a VPN server on the 2801 and I have VPN client software loaded. All I need to do is somehow get the client in!

The problem is that my WAN IP is not my router.... just like the Netgear. But this time I have contact with the ISP who have given me the public static IP.

I can telnet and get SDM access to the router from anywhere through their public IP but I don't know how to get the VPN client and server talking! :(

Can anyone help?
 
What kind of service is this again? I am not sure you can forward TCP port 10000 for an IPSec VPN to a router that has already been NATted...
Also, on fa0/1, you need ip nat inside, not out, since it is somewhere past it that is doing the NAT.

Burt
 
I'm just trying to get EZVPN Server working on my 2801 and a client on my PC at this point.

Here's a file my ISP gave me. It shows how they've made a tunnel through their gear to my outside interface.

Maybe I don't even need a vpn at this point. This diagram confuses me. I've altered the IP info and moved some stuff around. The one they gave me really threw me for a loop.
 
Here's a less butchered version of what the ISP gave me.

They said "we will NAT 1 public IP address to your firewall if you have the internal interface on 10.20.46.30"


I think they are asking me to make 10.20.46.30 my inside interface? Wow that would take a lot of work!
 
Can you just ask them to give you the public IP address for your outside interface, and you'll do your own NAT?

Burt
 
I will for sure!

If they say no, then maybe I can turn off NAT and secure my router with my firewall?
 
I now have a working VPN server and client. I can get to some internal VLANs. I think I have a NAT problem because I can't get to some of my internal hosts.

Can anyone help me adjust NAT so my client can get to all my networks?

Building configuration...

Current configuration : 5900 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.20.46.1 10.20.46.30
!
ip dhcp pool St_LAN
network 10.20.46.0 255.255.255.0
default-router 10.20.46.1
dns-server 158.152.1.58 158.152.1.43
!
!
ip domain name
ip name-server
ip name-server

crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
quit
fax interface-type fax-mail
archive
log config
hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group madsummer
key
pool SDM_POOL_1
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group mad
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
interface Loopback0
ip address 194.217.5.38 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description Starboard Stratos VSAT$FW_OUTSIDE$
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 1
network 192.168.0.0
network 192.168.49.0
auto-summary
!
ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255

Sorry Burt. I saw where you told me to change my NAT entries and access-list. A lot has changed now so I thought I'd give you another look before I did anything.
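
An added example, not written by any poster in this thread: a short Python audit that flags the management-plane and IKE settings visible in the configs posted above (password encryption off, cleartext HTTP, a telnet-capable line, 3DES with DH group 2, web management with no source ACL). The rule list and the audit() name are assumptions, and the sample input is a constructed excerpt of lines from those posts.

```python
import re

# (section prefix, line regex, finding). This rule set is an assumption chosen
# for the settings visible in this thread; it is not a Cisco or poster tool.
RULES = [
    ("", r"no service password-encryption", "non-'secret' passwords show in clear text in sh run"),
    ("", r"ip http server", "cleartext HTTP management is enabled"),
    ("line ", r"transport input (all|.*\btelnet\b.*)", "line accepts telnet (unencrypted logins)"),
    ("crypto isakmp policy", r"encr(yption)? 3?des", "IKE policy uses DES/3DES"),
    ("crypto isakmp policy", r"group (1|2|5)", "IKE policy uses a DH group of 1536 bits or less"),
]
SECTION_STARTS = ("line ", "interface ", "router ", "crypto ")

def audit(config_text):
    """Return (line_number, config_line, finding) tuples for one running-config."""
    lines = [raw.strip() for raw in config_text.splitlines()]
    findings, section = [], ""
    for number, line in enumerate(lines, 1):
        if line in ("", "!"):
            section = ""  # '!' or a blank line closes the current block
        elif line.startswith(SECTION_STARTS):
            section = line
        else:
            for prefix, pattern, finding in RULES:
                in_scope = section.startswith(prefix) if prefix else section == ""
                if in_scope and re.fullmatch(pattern, line):
                    findings.append((number, line, finding))
    # Absence check: web management enabled but no source ACL bound to it.
    web_on = any(l in ("ip http server", "ip http secure-server") for l in lines)
    if web_on and not any(l.startswith("ip http access-class") for l in lines):
        findings.append((0, "ip http access-class", "web management has no source ACL"))
    return findings

# Constructed excerpt: lines copied from the configs posted above, trimmed.
SAMPLE = """no service password-encryption
crypto isakmp policy 1
 encr 3des
 group 2
!
ip http server
ip http secure-server
!
line aux 0
 transport input all
"""

if __name__ == "__main__":
    for number, line, finding in audit(SAMPLE):
        print(f"{number:>3}  {line:<32} {finding}")
```

A finding with line number 0 marks a setting that is absent from the config rather than a line that is present.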
 