
29 Aug 16 Password Recovery Cisco 1841 Router

Password Recovery on Cisco Router

This is just a quick post for my reference on how to do password recovery on a Cisco Router. Recently I had to do it on a Cisco 1841. Here are my steps:

  • Boot up the router with a console cable connected and, from the terminal emulation software, hit pause/break during boot
  • The router will stop at a prompt
  • Type confreg 0x2142
  • At the next prompt, type reset
  • Once the router reloads it will not have a password.

The first thing I like to do is run the following commands right away; otherwise, if I reboot the router, it will keep coming back up with the default settings and nothing will be saved.

config t
!
config-register 0x2102
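The two register values in this post differ only in bit 6 (0x0040), which tells IOS to ignore the startup-config. The following is an added example, not code from the original post: it decodes a configuration register and parses the "Configuration register is ..." line at the end of show version so you can check that a router was actually put back to 0x2102 after recovery. The bit meanings are the standard IOS definitions; the two show version snippets are constructed samples.

```python
"""Decode a Cisco IOS configuration register and audit 'show version' output
for the password-recovery setting (0x2142).

Added example for this post, not code from the original page.  The bit
definitions are the standard IOS config-register meanings; the 'show version'
snippets used for the demo are constructed sample output.
"""
import re

IGNORE_NVRAM = 0x0040        # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100      # bit 8: ignore break after boot
ROM_FALLBACK = 0x2000        # bit 13: boot ROM software if network boot fails
NORMAL_REGISTER = 0x2102     # value to restore once recovery is finished


def decode_confreg(value: int) -> dict:
    """Return the fields of a 16-bit configuration register."""
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "stay in ROM monitor"
    elif boot_field == 0x1:
        boot = "boot first image in flash / boot helper"
    else:
        boot = "boot per 'boot system' commands (default: first image in flash)"
    return {
        "value": value,
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


# 'show version' ends with a line like:
#   Configuration register is 0x2142 (will be 0x2102 at next reload)
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(output: str) -> dict:
    """Parse the register line and report whether the device will come back
    up with its startup-config ignored on the next reload."""
    m = CONFREG_RE.search(output)
    if not m:
        raise ValueError("no 'Configuration register is' line in output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode_confreg(pending)["ignore_startup_config"]:
        findings.append(
            f"next reload uses 0x{pending:04X}: startup-config will be ignored; "
            f"set config-register 0x{NORMAL_REGISTER:04X} and save")
    if current != pending:
        findings.append(
            f"register change 0x{current:04X} -> 0x{pending:04X} pending reload")
    return {"current": current, "pending": pending, "findings": findings}


# Constructed sample output, not captured from a real device.
RECOVERY_IN_PROGRESS = "Configuration register is 0x2142"
RECOVERY_FIXED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    for sample in (RECOVERY_IN_PROGRESS, RECOVERY_FIXED):
        report = audit_show_version(sample)
        print(sample)
        for finding in report["findings"] or ["ok"]:
            print("  -", finding)
```

Run against the output of show version after the config-register command has been entered: a device that still reports a pending 0x2142 has not been put back, and will lose its configuration again on the next reload.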

09 Apr 15 ip nat outside

IP NAT Outside

NAT (Network Address Translation) can at times be a complicated process depending on what you are trying to do, and how it gets configured on a Cisco router vs a Cisco ASA is a bit different as well. This post is about a recent NAT configuration on a Cisco router that I had to do. The need was to translate an outside IP address that belonged to a server in our Data Center (outside global) into another IP address at a branch location (outside local). Example network scenario:

Local Subnet at Branch = 172.16.1.0/24
Server IP at Data Center = 10.10.10.250
NAT IP for the server = 2.2.2.2

Basically the need was to translate 10.10.10.250 to 2.2.2.2 at the local branch. Usually it is the other way around: we NAT all the internal IP addresses going out. In this case, however, we were doing the reverse. The following commands were used:

ip nat outside source static 10.10.10.250 2.2.2.2
!
interface fa0/0
description ### WAN ###
ip nat outside
!
interface fa0/1
description ### LAN ###
ip nat inside

Now when clients from the 172.16.1.0/24 network attempted to connect to 2.2.2.2, the branch router translated that to 10.10.10.250 and routed it to the Data Center server. The return packet came from 10.10.10.250, was translated back to 2.2.2.2, and was then delivered to the client(s) on the 172.16.1.0/24 network.

26 Aug 14 Cisco IOS ACL logging with Port numbers

Cisco IOS logging with source and destination ports

Recently I had to do some troubleshooting on a Cisco 2911 router to find out whether traffic was going from a certain IP address to another. So I did the usual: created an extended access list and applied it to the interface like this:

ip access-list extended test
permit ip any any log
!
interface gi0/0
ip access-group test in
end

Now that is great, and I was seeing the logs and traffic; however, what I also needed to know was the source and destination port numbers. This configuration was giving me the following:

Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet

As you can see, instead of the port numbers I am just getting a “0” in there. I needed to know the port numbers as well. The issue is that if the access list entry does not match on port numbers (Layer 4), IOS will not log them. So here is what I did to get it working:

ip access-list extended test
permit tcp any gt 1024 any gt 1024 log
!
interface gi0/0
ip access-group test in
end

When I did that I got the following results 🙂

Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet
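Once the router is logging ports, the next step is usually to sift through a pile of these lines. The script below is an added example and is not part of the original post: it parses %SEC-6-IPACCESSLOGP lines, totals packets per destination port, and flags entries that were logged with (0) ports, i.e. the situation from the first capture, where the ACE matched on "ip" only. The log lines it runs over are constructed to mirror the two captures above plus one extra denied entry.

```python
"""Parse %SEC-6-IPACCESSLOGP syslog lines from a Cisco IOS router and report
the flows seen, flagging entries whose ports were logged as (0) because the
matching ACE carried no Layer 4 qualifier.

Added example, not from the original post.  The sample lines below are
constructed to mirror the post's output.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class Flow:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int

    @property
    def ports_logged(self) -> bool:
        # IOS writes (0) for both ports when the ACE matched on 'ip' only.
        return self.sport != 0 or self.dport != 0


def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow for an IPACCESSLOGP line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["acl"], m["action"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), int(m["count"]))


def summarize(lines) -> dict:
    """Aggregate parsed lines: totals, entries without port info, and a
    per-(proto, dst, dport) count of the entries that did carry ports."""
    flows = [f for f in map(parse_line, lines) if f is not None]
    usable = [f for f in flows if f.ports_logged]
    return {
        "flows": len(flows),
        "packets": sum(f.packets for f in flows),
        "missing_ports": len(flows) - len(usable),
        "by_dst_port": Counter((f.proto, f.dst, f.dport) for f in usable),
        "denied": sum(f.packets for f in flows if f.action == "denied"),
    }


# Constructed sample log, modelled on the two captures in the post.
SAMPLE_LOG = """\
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet
Aug 25 08:29:31.100: %SEC-6-IPACCESSLOGP: list test denied tcp 172.20.32.201(4444) -> 10.202.106.15(22), 3 packets
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['flows']} log entries, {report['packets']} packets, "
          f"{report['missing_ports']} without port info, {report['denied']} denied")
    for (proto, dst, dport), n in report["by_dst_port"].most_common():
        print(f"  {proto} -> {dst}:{dport}  {n} entries")
```

A "missing_ports" count above zero tells you the ACE that produced those lines needs a Layer 4 match, as the post shows. Also keep in mind that the corrected entry only matches TCP with both ports above 1024; anything else on that interface falls to the implicit deny at the end of the list, so it is a troubleshooting ACL, not one to leave in place.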

06 May 12 Cisco 881 IOS Router basic configuration with Dynamic WAN IP

I just finished configuring a Cisco 881 IOS router with Comcast and a dynamic IP address, and am sharing my configuration experience and steps. Requirement: I just needed the Cisco 881 connected to the Comcast modem so that computers behind the router could access the network and the Internet.

The picture below shows the connectivity diagram for my local network.

With the above connectivity requirements in mind, I configured the Cisco 881 like this. Note: there are other configuration options too; I'm just sharing a very basic Cisco 881 configuration with Comcast ISP and a dynamic IP address:

conf t
!
hostname myhomerouter
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100 (This command is used to exclude the IP’s from the DHCP Range)
ip dhcp excluded-address 192.168.1.254 (Excluded this – VLAN 1 IP)
ip dhcp excluded-address 192.168.1.245 (Excluded this – Access Point IP)
!
ip dhcp pool dhcppool (Created DHCP Pool and named it)
import all
network 192.168.1.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 192.168.1.254 (VLAN 1 IP)
lease 5 (Not really required, just setting the lease to 5 days)
!
ip domain name mydomain.local
!
username admin secret mysecret-here (The “secret” keyword stores the password as a hash instead of plaintext)
enable secret mysecret-here
!
crypto key generate rsa modulus 1024 (generating RSA key for SSH access)
!
ip ssh version 2 (This forces SSH version 2 only, in case the default is 1.99)
!
interface range fa0 - 3
no shut
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list inside-nat-pool interface FastEthernet4 overload (This NATs all the IPs matched by the “inside-nat-pool” ACL. It uses ports instead of one-to-one mapping, so it is more like “many to one”: multiple internal IP addresses get translated to the single IP assigned to the WAN interface, FastEthernet4 on the Cisco 881)
!
!
ip access-list standard rtr_access (This access list will be used for the VTY Line)
permit 192.168.1.0 0.0.0.255
!
ip access-list extended inside-nat-pool (This is for the NAT Overload we did above)
permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
login local (If you have TACACS+, RADIUS or some other external form of authentication use that but since I don’t have it I am just using the local authentication that I defined above locally)
no modem enable
line aux 0
line vty 0 4
transport input ssh (This will only allow access to the router via SSH)
access-class rtr_access in (This will only allow networks or hosts that are specified in the ACL to be able to access the router)
login local (If you have TACACS+, RADIUS or some other external form of authentication use that but since I don’t have it I am just using the local authentication that I defined above locally)

You definitely want to add some access list statements to secure your network and the Cisco 881 router once basic connectivity is working, and consider a larger RSA modulus than 1024 bits for the SSH key.

Note: Please keep in mind that this is a very basic configuration example for a Cisco 881 router with Comcast ISP and a dynamic WAN IP; use it as a reference point only. There are other configuration options available to tweak it to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo :).

26 Apr 12 Cisco Switch or Router as TFTP Server

Cisco Switch or Router as TFTP Server – Cisco device to device IOS transfer

Recently I had to update the IOS on a few Cisco switches but was having trouble loading the software, since I work remotely and there were a couple of firewalls in the path, one of them a newly deployed Cisco FWSM. The connection kept timing out even though the timeout was set really high, or I would just get an error.

There was another switch on the same network that already had the IOS image I was trying to load, so I decided to just copy the image from one switch to the other. Here is what I did:

  • On the switch with the correct IOS, I set it up as a TFTP server:
    conf t
    tftp-server flash:image-name
  • Next I logged into the switch where I wanted to load the required IOS image and ran the usual command:
    copy tftp: flash:
  • Just follow the prompts; when it asks for the TFTP server IP, type in the IP of the other switch
  • For the source file, type the file name; for the destination file name I just used the default
  • That was it, and I was able to transfer the IOS image from one switch to the other. This can be done on Cisco routers as well.
  • Once the transfer is done, remove the tftp-server line again: TFTP has no authentication, so any host that can reach the switch could pull the image while it is enabled.

09 Feb 12 Cisco Soho 91 Basic Configuration

How to configure Cisco Soho 91 Router for Basic Connectivity

I needed to configure a Cisco Soho 91 router for my home to work with Comcast Cable and a dynamic IP. I was looking for a basic config online that I could just copy and paste and wasn't really able to find any, so I started configuring it from scratch. It was just a simple basic configuration; however, I was having an issue getting an IP address on the WAN interface (Ethernet 1) from the Comcast modem. I reset the modem, called Comcast and tried to work with them (no use), rebooted the Cisco Soho 91 multiple times, left it plugged into the modem for a long time, left them both off for a while and turned them back on, but no use. So let's see what I did and what caused the issue. First I'm going to go over the basic configuration:

Internal DHCP Server Configuration on Cisco Soho 91

ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.245
!
ip dhcp pool dhcp_pool
import all
network 192.168.1.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 192.168.1.1
lease 5
!
ip dhcp-server 192.168.1.1

So I started debugging and saw these DHCP debug messages:

*Mar 1 00:16:09.655: DHCP Offer Message Offered Address: 1.1.1.10
*Mar 1 00:16:09.655: DHCP: Lease Seconds: 3600
*Mar 1 00:16:09.655: DHCP: Server ID Option: 1.1.1.5
*Mar 1 00:16:09.659: DHCP: offer received from 1.1.1.5
*Mar 1 00:16:09.659: DHCP: offer: server 1.1.1.5 not in approved list
*Mar 1 00:16:09.759: DHCP: Received a BOOTREP pkt Not for us..: xid: 0xAAA0E5B3

Now if you look at the debug, it is clearly telling you that the DHCP server that offered the IP address to the WAN interface is not an approved server. After looking at the Soho 91's configuration I found the culprit: “ip dhcp-server 192.168.1.1”. That line restricts which servers the router will accept offers from, so I had effectively disallowed any other server from acting as a DHCP server for the router's WAN interface. Hope this helps someone out in future and one line won't waste an hour of your time :).

22 Oct 11 Basics of HSRP on a Cisco Router

Basic configuration steps for HSRP (Hot Standby Router Protocol)

In this post I am going to go over some HSRP (Hot Standby Router Protocol) options and basic configuration steps. HSRP, in simple terms, makes two Cisco routers with two different IP addresses look like one. You need at least three (3) IP addresses to configure HSRP: each Cisco router gets its own IP address and one IP address is the virtual IP.

So let's take a look at the steps for configuring HSRP. I am going to use a Cisco 800 series router for this example. It has a total of 5 interfaces: 1 x WAN (fa4) and 4 x LAN (fa0, fa1, fa2, fa3):

  • Console into the router, type “enable” to get to privileged exec mode, then “conf t” to enter global configuration mode
  • Now go to interface configuration mode to finish the rest of the HSRP setup

Router 1:
conf t
interface fa4
ip address 192.168.1.2 255.255.255.0
standby 1 ip 192.168.1.1 (This sets up the Virtual IP address)
standby version 2 (This enables HSRP version 2; not required)
standby 1 timers 15 30 (This specifies the Hello and router status timers)
standby 1 priority 100 (This specifies the priority of the router)
standby 1 preempt delay sync 30 (This will make the higher priority router active with a delay)
standby 1 track fastethernet4 (This will track the interface, in this case “fa4”)
—————————————————————————————————
Router 2
conf t
interface fa4
ip address 192.168.1.3 255.255.255.0
standby 1 ip 192.168.1.1 (This sets up the Virtual IP address)
standby version 2 (This enables HSRP version 2; not required)
standby 1 timers 15 30 (This specifies the Hello and router status timers)
standby 1 priority 100 (This specifies the priority of the router)
standby 1 preempt delay sync 30 (This will make the higher priority router active with a delay)
standby 1 track fastethernet4 (This will track the interface, in this case “fa4”)

Now you have both Cisco routers configured for HSRP. Next I would like to say a little more about some of the command line options I used above, to give a general idea of what they do:

Standby IP: This is the virtual IP address that all clients use as their gateway.
Standby group#: You can create multiple HSRP groups. One router can be the active router for one group and the standby for another.
Standby Priority: This sets the priority of each router in the standby group. The router with the higher priority becomes the active router; if the priorities are equal, the router with the highest IP address becomes active. The default priority is 100 if you do not define one.
Preempt: This makes the router with the highest priority take over and become the active router.
Preempt Delay: The preempt delay is optional, but you do want to tune it: make sure STP has had time to converge on the switch and that the standby router has populated its routing table before it takes over.
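The election rules above are worth walking through for the two configs in this post, because both routers are left at the default priority of 100, so the tie-break on the higher interface IP decides who is active. The following is an added example, not from the original post: a small model of HSRP election that applies priority, the IP tie-break, the tracking decrement (IOS default 10) and the preempt rule, then runs the post's two routers through a tracked-interface failure. The router names, the "alive" flag and the scenario steps are assumptions for the demo.

```python
"""Model the HSRP active/standby election for the two-router setup above.

Added example, not from the original post.  Rules implemented: highest
priority wins, a tie goes to the highest interface IP, a tracked interface
going down lowers the router's priority by the decrement (IOS default 10),
and a better candidate only displaces a healthy active router when it has
preempt configured.  Router names, the 'alive' flag and the scenario steps
are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # IOS default when 'standby priority' is omitted
    preempt: bool = False
    track_decrement: int = 10    # IOS default for 'standby track'
    tracked_up: bool = True
    alive: bool = True

    @property
    def effective_priority(self) -> int:
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def rank(routers):
    """Order live candidates best first: priority, then highest IP as tie-break."""
    return sorted(
        (r for r in routers if r.alive),
        key=lambda r: (r.effective_priority, int(ipaddress.IPv4Address(r.ip))),
        reverse=True,
    )


def elect(routers):
    """Initial election with no current active router."""
    ranked = rank(routers)
    active = ranked[0].name
    standby = ranked[1].name if len(ranked) > 1 else None
    return active, standby


def resolve(current_active: Optional[str], routers) -> Optional[str]:
    """Decide who is active after a state change.  The standby takes over
    unconditionally if the active is gone; otherwise a better candidate
    displaces the active only if it preempts."""
    ranked = rank(routers)
    if not ranked:
        return None
    best = ranked[0]
    current = next((r for r in ranked if r.name == current_active), None)
    if current is None:
        return best.name
    if best.name != current.name and best.preempt:
        return best.name
    return current.name


def run_scenario(preempt: bool = True):
    """The post's two routers (both priority 100) through an fa4 failure."""
    r1 = HsrpRouter("R1", "192.168.1.2", preempt=preempt)
    r2 = HsrpRouter("R2", "192.168.1.3", preempt=preempt)
    routers = [r1, r2]
    history = []
    active, _ = elect(routers)                 # tie on priority -> highest IP wins
    history.append(("initial", active))
    r2.tracked_up = False                      # R2's tracked interface fails
    active = resolve(active, routers)
    history.append(("r2 track down", active))
    r2.tracked_up = True                       # interface recovers
    active = resolve(active, routers)
    history.append(("r2 track up", active))
    r2.alive = False                           # active router stops sending hellos
    active = resolve(active, routers)
    history.append(("r2 down", active))
    return history


if __name__ == "__main__":
    for label, active in run_scenario():
        print(f"{label:14s} active = {active}")
```

With preempt on both routers the active role moves R2, R1, R2, R1 through the four steps; without preempt, R2 keeps the role through the tracking failure and only gives it up when it disappears entirely, which is why preempt and track are normally configured together.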

Read more about HSRP on Cisco's website for more detail if you like.

29 Jun 11 Changing default SSH port on a Cisco Router

How to change the default SSH Port on a Cisco router?

Recently I ran into a scenario where a Cisco router was sitting behind another firewall and I needed SSH access (port 22) to that router. I asked the customer to forward port 22 to the internal IP address of the Cisco router. However, because they were using a Juniper firewall, they were unable to do that: Juniper firewalls use that port for management and do not allow it, so instead you get the error “Port 22 is used for the management of this device”.

Now you have two options: change the default SSH port on the Juniper firewall to something other than 22, or change it on the Cisco router. It was easier for me to do it on the Cisco router, so I used the following command:

conf t
ip ssh port <port-number> (port number in the range 2000 to 10,000)

Now let's say you specified port 2222: from then on you SSH to the router on that port, both over the WAN link and locally. Note that on IOS this command also takes a rotary group, and the vty lines have to be placed in that rotary group for SSH to listen on the new port.
