
How do I add static IP addresses into Cisco 877W Router Configuration


rb52

Hi

I work for a small charity in the UK, where we have an SBS 2003 network with a Cisco 877W router connecting us to the Internet. We have just changed our ISP and so need to change the router configuration. Unfortunately the chap who helped install the network and router is not around any more. I have changed the logon details so that we have access to the Internet through the new ISP. However, I now need to set up the static IP addresses we have been given.

I've installed Cisco SDM and can see the script that was written for us, but don't know how to change it. BT has assigned us a block of 8 static IP addresses, of which 3 are reserved. They specify one is reserved for the router and one for the network address and to use a subnet mask of 255.255.255.248. They don't say what the third reserved IP address is for. We then have 5 static IP addresses for our use. One of these I have got our web hosting company to point to work.asksid.org.uk, which is the address we had working with our previous ISP for people to access remote desktop and OWA.

At the moment the router has an IP address of 192.168.0.1 for the internal network. The server (SBS2003) has an IP address of 192.168.0.2, a subnet of 255.255.255.0 and a default gateway of 192.168.0.1. All the PCs on the network get an IP address from the server.

I don't know which of the static IP goes into the router config. I'm presuming that the internal network can carry on using the 192.168.0.* range of addresses with the subnet 255.255.255.0. Also, to clarify our network setup, we have just one NIC in the server with ISA not in use. We are depending on the firewall in the Cisco router.

I know the basics of SBS and our network administration, but know nothing about Cisco commands. The script I got via Cisco SDM is shown below. Any help with this would be greatly appreciated.

Best wishes
Richard



Current configuration : 6771 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SIDHQ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$RGez$ftyCE6ikmWYb.Uc5zVCWp1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3820439300
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3820439300
revocation-check none
rsakeypair TP-self-signed-3820439300
!
!
crypto pki certificate chain TP-self-signed-3820439300
certificate self-signed 01
quit
dot11 syslog
!
dot11 ssid sidwire
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 08651D4A3E4817443E585951
!
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name asksid.org.uk
!
!
!
username sidboss privilege 15 secret 5 $1$77Nl$fkXMhDS859FodMNs8fvUJ.
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
encryption mode ciphers tkip
!
ssid sidwire
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
bridge-group 1
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B946412@hg28.btclick.com
ppp chap password 7 073C08636A584B5643
!
interface BVI1
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 BVI1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 444 interface Dialer0 444
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0 4125
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
A couple of things first. When you post a conf like this, you should strip out all cryptographic information and/or username/password info. You could always leave the config line, but where the information goes use something like:
<username removed>
<password removed>
<crypto data removed>
This way people can see that it is configured but not divulged.

As to your IP configuration can you tell us what type of service your new ISP is providing? DSL, Cable, T-1?
It looks like your previous ISP was dial on demand.
What you describe with the two sets of IP ranges is typical: the set of three IPs is what you use to connect to your ISP; the larger range of IPs is what you use to assign static or NAT pool to your servers.
Here is an example of a T-1 connection (actual IP numbers replaced with x):
-----------------------------------------------------------
!
interface FastEthernet0/1
description Our usable outside address
<connects to a firewall or allows for NAT>
ip address x.x.x.x 255.255.255.192
ip broadcast-address x.x.x.255
no ip proxy-arp
duplex auto
speed auto
!
!
interface Serial0/1
no ip address
no ip proxy-arp
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
frame-relay lmi-type ansi
!
interface Serial0/1.779 point-to-point
description ATT-T1
<Connection to at&t; route out from our network>
bandwidth 1536
ip address x.x.x.x 255.255.255.252
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 779
!
-----------------------------------------------------------
If your connection is just Ethernet, it is very simple. But if you are not sure what you are doing, I suggest you at least contract assistance to walk you through the configuration, so you can learn what is going on without jeopardizing your network (since you are relying on the Cisco device for firewall) and be better prepared for future changes.
You are right in that you should not need to change anything in your internal network but you may need to modify your NAT records.
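
The redaction advice in the reply above, as an added example that is not part of the original thread: a small Python filter that keeps each command keyword but replaces account names, password values and certificate bodies with the placeholders the reply suggests. The rule set and the sample config (all values constructed) are assumptions; other secret-bearing commands need their own rules.

```python
import re

# Placeholders follow the reply's suggestion; the matching rules are assumptions
# covering the secret-bearing commands visible in the posted config.
PW, USER, CRYPTO = "<password removed>", "<username removed>", "<crypto data removed>"
OPT_TYPE = r"(?:\d+ )?"  # optional encoding type such as the 5 or 7 before the value

# Each rule keeps the command keywords and replaces only the name or the secret.
LINE_RULES = [
    (rf"^(\s*username )\S+(.*? (?:secret|password) {OPT_TYPE}).+$", rf"\1{USER}\2{PW}"),
    (rf"^(\s*enable (?:secret|password) {OPT_TYPE}).+$", rf"\1{PW}"),
    (rf"^(\s*wpa-psk (?:ascii|hex) {OPT_TYPE}).+$", rf"\1{PW}"),
    (rf"^(\s*ppp chap password {OPT_TYPE}).+$", rf"\1{PW}"),
    (r"^(\s*ppp chap hostname ).+$", rf"\1{USER}"),
]

def sanitize(config: str) -> str:
    """Return config text with secrets and certificate bodies replaced."""
    out, in_cert = [], False
    for line in config.splitlines():
        stripped = line.strip()
        if in_cert:
            # Drop hex rows; a paste with no "quit" stays redacted to the end.
            if stripped == "quit":
                in_cert = False
                out.append(line)
            continue
        if re.match(r"certificate \S", stripped):
            in_cert = True
            out.extend([line, "  " + CRYPTO])
            continue
        for pattern, repl in LINE_RULES:
            line = re.sub(pattern, repl, line)
        out.append(line)
    return "\n".join(out)

# Constructed sample; none of these values come from the thread.
SAMPLE = """\
hostname EXAMPLE-RTR
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE000000
crypto pki certificate chain TP-self-signed-0000000000
 certificate self-signed 01
  30820000 AAAAAAAA BBBBBBBB CCCCCCCC
  quit
username exampleadmin privilege 15 secret 5 $1$efgh$CONSTRUCTEDHASHVALUE111111
 ppp chap hostname user@isp.example
 ppp chap password 7 0000000000AA
"""
if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Type 7 values such as the `ppp chap password 7` and `wpa-psk ascii 7` entries are reversible encodings rather than hashes, so they need redacting just as much as plaintext would.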
 
Thank you very much for your reply. I was careful not to put the static IP addresses in my original post and then completely forgot about the config. A definite "senior moment"! So thank you again for pointing that out to me. I'll talk to our ISP and see if we can get a new username and password just in case.

We have an ADSL broadband connection over a standard phone line. In fact the service is the same as we previously had but a different provider. The rest of the network internally is standard 100Mbps Ethernet.

I do take your point about getting a professional to help us out, but as a charity we don't have the money to do everything we would like to, and things like this will get pushed down the list until we have the money. But in the meantime I will carry on reading and asking questions in my spare time until I learn enough to master it.

The example you put in your reply has moved me further forward, though, as it ties up with what I've been reading on the Cisco site. Our office is very small (only 8 PCs on the network) and mostly staffed by part-timers. So there are times when I can try things out without interrupting the charity's work, and in this case, if it doesn't work I just put it back to where it was. For us the remote access is useful to our work but not essential yet.

Thank you for your suggestions and any other pointers will be gratefully received.

Best wishes
Richard
 