Viewing/Modifying Cisco 1760 Router Configs

Status
Not open for further replies.

robertsIT (IS-IT--Management), Jan 18, 2005
Hope I have the right forum...

Anyway, I am really new to all this and, as you will note, quite inexperienced...

I am running a Win 2000 Server, which I am using mainly as a mail server, connected to the internet through a Cisco 1760 router. To cut a long story short, the guy who did the configs has long disappeared off the face of this earth...

The thing is, I am trying to set up a VPN tunnel and will obviously need to access the configuration on the router...

Q1. How can I do this? Is there software I can download that has a user-friendly interface to get me in there...

Q2. I will also need to make modifications to the access lists etc., and the same question applies... Is there software for this, or how can I do this?

Info on this, reference websites etc. would be highly appreciated as I am trying to learn all this so that I can run my VPN tunnel...

 
Access the router using either the console (blue console cable required, then use a VT100 emulation program) or telnet, if you have the IP address of an interface.

You will need the telnet and enable passwords to make the configuration changes.

Remain positive. The effect on those around you will amaze.
 
Hello....


Take a look at the following config. IP addresses would need to be changed to your network addresses. Crypto keys for each VPN must be the same at each end. This would be one side of your VPN. The other side would be the same except for the IP addresses.

Hope it helps


service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname router_2611
!
logging queue-limit 100
enable password 7 ##############################
!
memory-size iomem 15
ip subnet-zero
!
no ip domain lookup
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key site1 address 64.12.22.81
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto map cm-cryptomap local-address Ethernet0/1
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 64.12.22.81
set transform-set cm-transformset-1
set pfs group1
match address 100
!
interface Ethernet0/0
description connected to LAN
ip address 172.16.10.2 255.255.255.0
ip nat inside
no keepalive
!
interface Ethernet0/1
! Static WAN connection
description connected to Internet
ip address 65.12.22.49 255.255.255.252
ip nat outside
crypto map cm-cryptomap
!
ip nat inside source list 102 interface Ethernet0/1 overload
no ip http server
no ip http secure-server
ip classless
! Default route to the next-hop router
ip route 0.0.0.0 0.0.0.0 65.12.22.50
!
! Secure access to the VTY port (applied below with access-class 12 in)
access-list 12 permit 172.16.10.0 0.0.0.255
! Traffic to encrypt; 172.18.10.0 is the remote LAN segment
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.18.10.0 0.0.0.255
! Deny NATting from LAN to LAN, so VPN traffic is not translated before the crypto map sees it
access-list 102 deny ip 172.16.10.0 0.0.0.255 172.18.10.0 0.0.0.255
! Allow any other traffic to the internet and NAT it
access-list 102 permit ip 172.16.10.0 0.0.0.255 any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 12 in
password 7 ###################
login
!
 
Also....

If you want to experiment with a router config program you can use Cisco ConfigMaker. It is a basic configuration utility but can be useful to learn about Cisco routers.

Go to the following site and look for cmaker2.6.006.exe

 
Thanks guys... I managed to recover the password and to telnet onto the router... so that's a big first step for me. Thank you all.

Now I am trying to view all the configs... and while I have managed to get a good idea of what commands are available at the command prompt by typing the '?' command, I still can't get them to work. Can someone give me an example of a telnet command...

Router name>

and then???
 
There are two ways to use the "?" in the Cisco IOS.

1: Use it directly after the word typed with no space... this gives you the words available using the letters you typed.

2: Use it after a space after the word you typed. This gives you all the next configuration commands that go with the word you typed.

If it doesn't sound great just give it a go, you will see what I mean. Type a command and then put the "?" with no space and press enter, and then try typing a command, a space and then the "?" and press enter.

Remain positive. The effect on those around you will amaze.
 
First of all, you are in non-privileged mode. The telnet password only opens the door. You need to be in enable mode and then config mode. It should look like the following:


router>ena (non-privileged mode)
Password:XXXXXXX
router#conf t (privileged mode) (there is a space between conf and t... short for config terminal)
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# (config mode)

When done, Ctrl-Z will exit config mode, but remember to write your changes before a reboot or power cycle or you will lose them.
You can telnet from privileged mode from your router to other telnet-enabled devices.

router#telnet 192.168.1.1 (IP address of other device)

 
As for the VPN, there are some pre-reqs to consider. What type of internet connection is on each end, and are both using static IP addresses? Is there an ISP-provided modem or router prior to the 1760?
 
Also... it would be a good idea to at least get a printout of your current config, or even better TFTP a copy to a TFTP server, in case something goes wrong when you begin working with the router. Remember that if you enter any commands and something bad happens, as long as you have not written those changes you can simply power cycle your router and any changes will be erased. There are two configurations you work with. One is the running config. When changes are made they only affect the running config. The other is the startup config, which is only changed if you write (save) the running config. This replaces the startup config with the running config.
 
This is great, Joamon, I am moving fast here, too fast, and I really appreciate all this info... this is good.

In a way though my question still stands... the router is already configured... at this point I can change the configs by going into enable and then config mode, so I have been there and done that, like they say...

Now how do I view the current config... before I change it. This is what I am doing... at the command prompt I type in...

telnet 192.168.X.X

my router> (so what do I do here)

my router> view config????
 
first enter:
enable
your prompt will change to
my router#
then enter
show run
this will display the running config one page at a time...hit space bar for next page
the other command is
show start
this will display startup config in same manner
 
Seeing as how you have a Cisco 1760, it is supported hardware for the new Cisco Security Device Manager software. Just make sure you have enough flash and memory to support it.
Visit the following page for information on this program.
Do a show flash from the router enable mode and see if the SDM files are present on your router. If they are there then all you need to do is set up the router to use it. If not, you need a CCO login to download it, so check to see if your router has a SmartNet contract and if so you can get a CCO login. I use this program with my 2811 router and it is really useful. I still prefer the old-fashioned command line configuration, but this tool would help a beginner with its graphical displays and GUI web interface.
 
OK, now I am spoilt... please exercise tolerance and patience because this is just becoming exciting for me!

I need to modify my access-list 23 because it doesn't seem to be assigned to anything; I am wondering what its purpose is. I also need to incorporate access-list 103 into this config. I need to enable the ip inspect commands, which would give me additional firewall features, and after that add an ACL for my mail server once ACL 103 is in place.

Whether I have written this out in perfect router English I have no idea...

Joamon, you said... I will have to re-write the config... line by line...
that's a lot of lines, man... any advice
 
Be careful with the sample config I supplied as it may not be a perfect fit with your production network. It was meant only as a guide. If you have your router in config mode you can copy and paste into it from other documents. It would also be helpful if you could post the config with any passwords and other security items changed. Access-list 23 is a standard access list, and if you look at the end of your config it may be applied on the vty lines as access-class 23 in, or on one of the other lines such as con 0 or aux 0.
Make sure to visit the Cisco website in my last post. The automation it has will be very helpful to you.
 
Just remember this as you go. Your router is up right now and functioning. Document configurations as you go. Also as you make changes do not write them until you are 100% sure there are no problems. That way to undo any errors all you need do is power cycle the router and the stored startup config that was working before the change will be the one that boots up.
 
MY CURRENT CONFIG LOOKS SOMETHING LIKE THIS!

My Router#sh run
Building configuration...

Current configuration : 4210 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname My Router
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXX
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FOFW tcp
ip inspect name FOFW udp
ip inspect name FOFW ftp
ip inspect name FOFW realaudio
ip inspect name FOFW smtp
ip inspect name FOFW streamworks
ip inspect name FOFW vdolive
ip inspect name FOFW tftp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key ipsec57 address XX.XXX.XX.X
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set single esp-des esp-sha-hmac
crypto ipsec transform-set triple esp-3des esp-sha-hmac
!
crypto map singlemap 10 ipsec-isakmp
set peer XX.XXX.XX.X
set transform-set single
match address 110
!
crypto map triplemap 10 ipsec-isakmp
set peer XX.XXX.XX.X
set transform-set triple
match address 110
!
 
Only received first page... can you post the rest...
Did notice something minor you may want to consider:

crypto ipsec transform-set single esp-des esp-sha-hmac
crypto ipsec transform-set triple esp-3des esp-sha-hmac


If both routers will support it you might change as follows on all routers:
crypto ipsec transform-set single esp-3des esp-md5-hmac
crypto ipsec transform-set triple esp-3des esp-md5-hmac
The single transform-set is set to DES and not 3DES, and both are using SHA instead of the more secure MD5.

By the way did you get a chance to look at that Cisco program?
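Several points raised across this thread can be checked mechanically rather than by eye: whether the sample config in the first reply uses enable password without an enable secret, whether the NAT list (ACL 102) denies the traffic the crypto map selects (ACL 100) so it is not translated before encryption, whether the vty lines carry an access-class, and the transform-set and ISAKMP algorithm choices discussed in the reply just above. The Python script below is an added example written for this page; it is not code posted by anyone in the thread. SAMPLE_A and SAMPLE_B are constructed, abridged versions of the two posted configs with placeholder addresses and keys, and the check deliberately treats SHA-1 HMAC as the stronger option relative to MD5: it flags esp-md5-hmac and hash md5, not esp-sha-hmac. It also applies the IOS rule that an ISAKMP policy with no encr line defaults to DES, which is why the second config's policy 10 is reported even though it never mentions DES.

```python
"""Static checks over Cisco IOS 'show run' text. Added example, not code from the thread.
SAMPLE_A/SAMPLE_B are constructed, abridged versions of the two posted configs."""
import re

# SHA-1 HMAC is deliberately not listed here: it is stronger than MD5, not weaker.
WEAK_TRANSFORMS = {"esp-des": "single DES", "esp-md5-hmac": "MD5 HMAC"}


def parse_blocks(text):
    """Group sub-commands (indented one space in IOS output) under their parent line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank or IOS comment line
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'network wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acls(tops):
    """Map ACL number -> [(action, src, dst)] for extended 'ip' entries."""
    acls = {}
    for line in tops:
        m = re.match(r"access-list (\d+) (permit|deny) ip (.*)", line)
        if m:
            src, rest = _addr(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), src, _addr(rest)[0]))
    return acls


def audit(text):
    """Return a list of findings for the crypto and hardening points raised in the thread."""
    findings, blocks = [], parse_blocks(text)
    tops = [top for top, _ in blocks]
    if any(t.startswith("enable password") for t in tops) and not any(
            t.startswith("enable secret") for t in tops):
        findings.append("enable password without enable secret: type 7 encoding is reversible")
    for top, subs in blocks:
        if m := re.match(r"crypto ipsec transform-set (\S+) (.*)", top):
            findings += [f"transform-set {m.group(1)}: {a} is {WEAK_TRANSFORMS[a]}"
                         for a in m.group(2).split() if a in WEAK_TRANSFORMS]
        elif m := re.match(r"crypto isakmp policy (\d+)", top):
            # IOS defaults when the lines are omitted: encryption DES, hash SHA.
            encr = next((s.split()[1] for s in subs if s.startswith("encr")), None)
            if encr in (None, "des"):
                findings.append(f"isakmp policy {m.group(1)}: single DES "
                                f"({'explicit' if encr else 'IOS default, no encr line'})")
            if any(s.startswith("hash md5") for s in subs):
                findings.append(f"isakmp policy {m.group(1)}: hash md5")
        elif top.startswith("line vty") and not any(s.startswith("access-class") for s in subs):
            findings.append(f"{top}: no access-class limiting telnet sources")
    # Traffic selected by a crypto map's ACL must be denied in the NAT ACL, or it is
    # translated before IPsec sees it and never matches the tunnel.
    acls = parse_acls(tops)
    nat_lists = [t.split()[5] for t in tops if t.startswith("ip nat inside source list")]
    for top, subs in blocks:
        if not re.match(r"crypto map \S+ \d+ ipsec-isakmp", top):
            continue
        acl = next((s.split()[-1] for s in subs if s.startswith("match address")), None)
        for nat_acl in nat_lists:
            exempt = {(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"}
            for a, s, d in acls.get(acl, []):
                if a == "permit" and (s, d) not in exempt:
                    findings.append(f"{top}: {s} -> {d} not exempted from NAT list {nat_acl}")
    return findings


SAMPLE_A = """\
enable password 7 0123456789ABCDEF
crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 match address 100
ip nat inside source list 102 interface Ethernet0/1 overload
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.18.10.0 0.0.0.255
access-list 102 deny ip 172.16.10.0 0.0.0.255 172.18.10.0 0.0.0.255
access-list 102 permit ip 172.16.10.0 0.0.0.255 any
line vty 0 4
 access-class 12 in
"""

SAMPLE_B = """\
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set single esp-des esp-sha-hmac
crypto ipsec transform-set triple esp-3des esp-sha-hmac
crypto map singlemap 10 ipsec-isakmp
 match address 110
ip nat inside source list 102 interface FastEthernet0/0 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
line vty 0 4
 login
"""
```

Paste your own show run output into audit() to get the same findings for a real box. The ACL parser only understands extended entries with the ip protocol and any/host/network forms, which is all the crypto and NAT lists in either posted config use; the first sample produces three findings (enable password, esp-md5-hmac, hash md5) and passes the NAT-exemption check, while the second produces four (default DES in policy 10, esp-des, an unrestricted vty, and crypto traffic that list 102 does not exempt).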
 