IOS 12.3(9) VPN works, why it does not work with IOS 12.1 (16)?

rbby2003 (Technical User), Nov 5, 2003
When I use the same configuration in 2 Cisco routers, VPN and Internet browsing work on a Cisco 2610 router with IOS 12.3(9):
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.3(9), RELEASE SOFTWARE (fc2),
System image file is "flash:c2600-io3-mz.123-9.bin"
cisco 2610 (MPC860) processor (revision 0x203) with 28672K/4096K bytes of memory

but they do not work on another Cisco router, a 2611 with IOS 12.1(16):
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.1(16), RELEASE SOFTWARE (fc1)
System image file is "flash:c2600-do3s-mz.121-16.bin"
cisco 2611 (MPC860) processor (revision 0x203) with 53248K/12288K bytes of memory.

I only use 2 Ethernet ports on the 2 routers, the Cisco 2611 and the Cisco 2610. To me, I can treat them as the same model, so that the only difference is the IOS version, IOS 12.1(16) vs. IOS 12.3(9), and their corresponding IOS image files.

My goal is: I want to open only certain ports on a private server using a private IP address, and not restrict outgoing traffic. Am I trying the right thing?

I am afraid I am going to turn the Cisco 2611 into a brick if I upgrade the IOS. Is the IOS version the real problem?

The following is the configuration on the working router, the 2610 with IOS 12.3(9) (public IP addresses replaced).

What does service nagle mean in the config?

version 12.3
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption


boot-start-marker
boot system flash:c2600-io3-mz.123-9.bin
boot-end-marker


interface Ethernet0/0
ip address 5.5.5.5 255.255.255.0
ip nat outside
half-duplex
!
interface Ethernet1/0
ip address 192.168.202.1 255.255.255.0
ip nat inside
half-duplex
!
router rip
version 2
network 192.168.202.0
network 5.0.0.0
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.202.100 80 5.5.5.5 80 extendable
ip nat inside source static tcp 192.168.202.100 1723 5.5.5.5 1723 extendable
ip nat inside source static tcp 192.168.202.100 443 5.5.5.5 443 extendable
ip nat inside source static tcp 192.168.202.100 110 5.5.5.5 110 extendable
ip nat inside source static tcp 192.168.202.100 25 5.5.5.5 25 extendable
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
!
access-list 1 permit 192.168.202.0 0.0.0.255
!
end
 
The 2610-2613 use the same image. TFTP the most current image out and into the 12.1 router. The 2611 has more main memory and should be fine so long as the flash memory is the same size or larger on the destination router. Also, I believe you will need an inbound access list to allow all traffic on those ports access to the IP address of your outside interface.

access-list 101 permit tcp any host 5.5.5.5 eq 80
Set one up for each port; the last line is always the default deny ip any any, but I always like to type it so it shows. Apply it to Ethernet 1/0 inbound. Make sure to turn off ip http server and ip http secure-server if they are enabled on the routers. I would also apply access-class 1 in to your line vty 0 4. This will restrict telnet to only your local subnet. You will of course also need login and a password. I would also recommend service password-encryption.
 
Correction: apply the access list to Ethernet 0/0, not 1/0.
 
Also, you can get rid of RIP as you do not need it, or at least add the following: passive-interface Ethernet0/0
 
Thanks, Joamon.
I will add passive-interface Ethernet 0/0.

I still have questions about the above config. It works on
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.3(9), RELEASE SOFTWARE (fc2),
System image file is "flash:c2600-io3-mz.123-9.bin"
cisco 2610 (MPC860) processor (revision 0x203) with 28672K/4096K bytes of memory

But it does not work on
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.1(16), RELEASE SOFTWARE (fc1)
System image file is "flash:c2600-do3s-mz.121-16.bin"
cisco 2611 (MPC860) processor (revision 0x203) with 53248K/12288K bytes of memory.

I mean that without any access-list, it works fine on the 2610 with 12.3, but it does not work on the 2611 with 12.1. When I tried to VPN from an XP desktop to Windows 2003 RRAS behind the 2611, error 721 showed on the XP desktop and the Windows Server 2003 behind the 2611 recorded an error that GRE 47 was not configured properly, but it works fine on the 2610 with 12.3.

Is the problem with the IOS versions, or is it caused by something else?

In the above config, to my understanding, Internet users can only access certain ports on the Windows Server 2003, namely 25, 80, 110, 443 and 1723 (VPN), and they cannot access any other ports on the Windows Server 2003 because only ports 25, 80, 110, 443 and 1723 are in the static NAT config. Is this right?

Sure, for the Cisco router I can use some access-lists to open certain ports and deny other ports. But when I added some access-lists on Ethernet 0/0 IN to enable only ports 25, 80, 110, 443 and 1723, Internet users could access those ports on the Windows Server 2003 behind the Cisco 2611, but internal users had some problem accessing the Internet; it seems that Internet traffic is blocked on the Cisco 2611 IN when Internet web servers put a random port on the traffic going back to the internal users after the internal users initiate web browsing. This is where I do not understand: if that is the case, how do I open certain ports to Internet users and NOT restrict internal users' access to the Internet, since Internet servers may put a random port on the Internet traffic back to internal users?

Thanks.

 
Joamon,
Very good advice on restricting telnet to only local subnet and adding service password-encryption, thanks.

Does
ip http server
cause some problem? You recommend turning it off. It looks like it treats the router as a web server, is that right?
 
If you extend port 80 to your outside interface, people will have the possibility to get into your router that way. It is usually best practice to disable it anyway, especially as the web browser on that series is not very useful.

If you want to keep it, then you could do the following:

ip http server
ip http access-class 1
ip http timeout-policy idle 600 life 86400 requests 10000
 
Release: 12.1.27b ( GD - General Deployment )
IP/IPX/AT/DEC/FW/IDS PLUS
c2600-do3s-mz.121-27b.bin



Release: 12.3.20 ( GD - General Deployment )
IP/FW/IDS
c2600-io3-mz.123-20.bin

12.1 has the PLUS feature set whereas the 12.3 does not. Notice the s missing from the 12.3 release. Either download and install the correct version, or you could just tftp the older 12.1 IOS into it and it should work.

 
Joamon, I will turn off ip http server.

The following is my previous post. Do you mind looking at it and giving me some thoughts on it: the difference between IOS 12.1 and IOS 12.3, and using NAT without an access-list to restrict access to our server.

I still have questions about the above config. It works on
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.3(9), RELEASE SOFTWARE (fc2),
System image file is "flash:c2600-io3-mz.123-9.bin"
cisco 2610 (MPC860) processor (revision 0x203) with 28672K/4096K bytes of memory

But it does not work on
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.1(16), RELEASE SOFTWARE (fc1)
System image file is "flash:c2600-do3s-mz.121-16.bin"
cisco 2611 (MPC860) processor (revision 0x203) with 53248K/12288K bytes of memory.

I mean that without any access-list, it works fine on the 2610 with 12.3, but it does not work on the 2611 with 12.1. When I tried to VPN from an XP desktop to Windows 2003 RRAS behind the 2611, error 721 showed on the XP desktop and the Windows Server 2003 behind the 2611 recorded an error that GRE 47 was not configured properly, but it works fine on the 2610 with 12.3.

Is the problem with the IOS versions, or is it caused by something else?

In the above config, to my understanding, Internet users can only access certain ports on the Windows Server 2003, namely 25, 80, 110, 443 and 1723 (VPN), and they cannot access any other ports on the Windows Server 2003 because only ports 25, 80, 110, 443 and 1723 are in the static NAT config. Is this right?

Sure, for the Cisco router I can use some access-lists to open certain ports and deny other ports. But when I added some access-lists on Ethernet 0/0 IN to enable only ports 25, 80, 110, 443 and 1723, Internet users could access those ports on the Windows Server 2003 behind the Cisco 2611, but internal users had some problem accessing the Internet; it seems that Internet traffic is blocked on the Cisco 2611 IN when Internet web servers put a random port on the traffic going back to the internal users after the internal users initiate web browsing. This is where I do not understand: if that is the case, how do I open certain ports to Internet users and NOT restrict internal users' access to the Internet, since Internet servers may put a random port on the Internet traffic back to internal users?

Thanks.
 
I did reply to it in a previous post. The 12.1 is an IP Plus feature set, whereas the 12.3 is just a basic IP feature set.
 
Joamon, thanks for all your advice.

When I use only access-list 1 to allow all traffic IN and OUT on the Cisco 2611 with IOS 12.1, from the Internet I can access ports 80 and 443 on 192.168.202.100 (the Windows Server 2003 behind the Cisco 2611), but I cannot VPN (1723) to 192.168.202.100; the VPN shows error message 721, saying GRE 47 error. How can I allow VPN pass-through (port 1723 and GRE 47 together) on the Cisco 2611?


ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.202.100 80 5.5.5.5 80 extendable
ip nat inside source static tcp 192.168.202.100 1723 5.5.5.5 1723 extendable
ip nat inside source static tcp 192.168.202.100 443 5.5.5.5 443 extendable
ip nat inside source static tcp 192.168.202.100 110 5.5.5.5 110 extendable
ip nat inside source static tcp 192.168.202.100 25 5.5.5.5 25 extendable

access-list 1 permit 192.168.202.0 0.0.0.255



When I changed the NAT config to the following, VPN from the Internet works fine. But I do not want to map a public IP to my server 192.168.202.100, since I tried access-lists and it gave me a big headache; the following NAT config with an access-list just does not work out for me (as I explained in my first post, internal users cannot browse the Internet even though I opened port 80). I used the following config just to make sure that my Cisco 2611 supports VPN pass-through.

ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.202.100 5.5.5.5

access-list 1 permit 192.168.202.0 0.0.0.255


Using the first port mapping in NAT in this thread, how do I make VPN pass-through work on the Cisco 2611 with IOS 12.1? Basically it comes down to this: how do I make GRE 47 pass-through work? Port 1723 is working after I tested an access-list for 1723 traffic, and the server behind the Cisco 2611 is recording the VPN traffic, although it reports a GRE 47 error for the VPN connection.
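An added example, not posted by anyone in this thread, of how the inbound filter asked about above can permit the five forwarded ports plus GRE for PPTP without cutting off replies to sessions that inside hosts start. It assumes the outside address 5.5.5.5 and interface names used in the thread, and an image that includes the firewall (FW) feature set so that CBAC (ip inspect) is available; the OUTBOUND inspection name and the vty password are placeholders.

```cisco
! Added example, not from this thread. Inbound on Ethernet0/0 the ACL is
! evaluated before NAT, so it names the public address 5.5.5.5, not
! 192.168.202.100. Only the statically forwarded ports are opened.
access-list 101 permit tcp any host 5.5.5.5 eq 25
access-list 101 permit tcp any host 5.5.5.5 eq 80
access-list 101 permit tcp any host 5.5.5.5 eq 110
access-list 101 permit tcp any host 5.5.5.5 eq 443
access-list 101 permit tcp any host 5.5.5.5 eq 1723
! PPTP's data channel is GRE (IP protocol 47), which has no port numbers,
! so it needs its own entry or the tunnel fails after the 1723 control
! channel is up (the GRE 47 error seen in the thread).
access-list 101 permit gre any host 5.5.5.5
! Explicit final deny, logged so that dropped traffic is visible.
access-list 101 deny ip any any log
!
! CBAC: inspect sessions leaving Ethernet0/0 and open temporary entries
! in ACL 101 for their return traffic, including the random (ephemeral)
! ports that web servers reply to. Without the FW feature set, the
! stateless fallback for TCP only would be:
!   access-list 101 permit tcp any any established
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Ethernet0/0
 ip access-group 101 in
 ip inspect OUTBOUND out
!
! Hardening items recommended earlier in the thread.
no ip http server
service password-encryption
line vty 0 4
 access-class 1 in
 login
 password CHANGE-ME-PLACEHOLDER
```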
 
Joamon,

What are the steps to download IOS to the Cisco 2611 when it boots up without IOS?

Tomorrow I am going to the customer's office to upgrade the IOS on the Cisco 2611 and then reconfigure it. I am going to use
copy tftp flash
to upgrade the IOS. I am wondering, if some problem happens and the router boots without an IOS, what should I do? Sure, I prefer to use an Ethernet connection (NOT Xmodem) to download the IOS from my laptop to the Cisco 2611.

Can you post some info on that please?

Thanks.

 
Before you start, do a show version and make sure the config register is set to 0x2102. I would also recommend that you tftp the current running config and current IOS out of the router. Also make sure to copy run start and save the config in case changes have been made and never saved.
Remember to compare flash size and make sure the router has a large enough capacity to copy from the other router.

If the worst does happen, you can use the following commands to tftp from ROM monitor mode (rommon>):

rommon 16 > IP_ADDRESS=192.168.1.1
rommon 17 > IP_SUBNET_MASK=255.255.255.0
rommon 18 > DEFAULT_GATEWAY=192.168.1.1
rommon 19 > TFTP_SERVER=192.168.1.2
rommon 20 > TFTP_FILE=c2600-is-mz.113-2.0.3.Q
rommon 21 > tftpdnld

If you connect the router directly to a PC, then you will need a crossover cable.
TIP: The commands are case sensitive for this.
This is from the following link:
 
Thank you, Joamon, problem solved.

I upgraded the Cisco 2611 IOS with
copy tftp flash
I did not have to use the rommon commands since the above command worked for upgrading the IOS. After saving the running-config, I powered off the router and then powered it on.

I used the same configuration, and the GRE 47 error message is gone and VPN works fine. The IOS upgrade is the magic that solved the GRE 47 error message, although it is still a mystery.

Thanks for all your advice, Joamon.
 
Not really a mystery, as the 2611 only had the basic IP feature set, whereas the other IOS was IP with PLUS. You need the Plus for what you are doing.
 
Joamon,

Now the Cisco 2611 with IOS basic edition 12.3(9) is working with the following config. The working IOS image is flash:c2600-io3-mz.123-9.bin

Before the upgrade, I had IOS 12.1(16), and the image was flash:c2600-do3s-mz.121-16.bin.
At that time, ports 80 and 443 were working when accessed from the Internet, but port 1723 (VPN) access from the Internet showed error 721 (GRE 47 error). So, to my understanding, port forwarding works with IOS 12.1, but the mystery is still with port 1723 (GRE 47 error).

ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.202.100 80 5.5.5.5 80 extendable
ip nat inside source static tcp 192.168.202.100 1723 5.5.5.5 1723 extendable
ip nat inside source static tcp 192.168.202.100 443 5.5.5.5 443 extendable
ip nat inside source static tcp 192.168.202.100 110 5.5.5.5 110 extendable
ip nat inside source static tcp 192.168.202.100 25 5.5.5.5 25 extendable

access-list 1 permit 192.168.202.0 0.0.0.255