1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help required on Cisco 877

Discussion in 'Routing & Switching' started by jimworley, Mar 13, 2009.

  1. jimworley

    jimworley New Member

    3
    0
    1
    Hi everyone

    Have never used Cisco kit before :oops:

    I have recently been handed a small SBS 2003 network to look after. Looking at the way it's been set up, I want to change a few things, one of which is the way the firewall (ISA Server) is configured. Despite the Dell server having 2 NIC's, one is disabled so we have internal/external traffic on the same network.

    I want to enable the second NIC, reconfigure ISA to use both network cards and change the IP address on the 877 accordingly (It's on the same network as the server at present). I think this is a sensible way of doing things?

    I can't ping or connect to the 877 using SDM. Presumably it's been configured to drop ping requests? The only way I can talk to the router is by the serial connection / IOS. Is there a way to configure the 877 via IOS that will enable SDM? Also, is there a way that I can back up the 877's config before I start to mess about with it? If I change the IP of the 877, what else would I need to change on it to get it to work?

    At present it is all working fine :eek: but I do feel I should set the firewall up properly.

    Any help would be much appreciated.
     
  2. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    re connecting to the router - can you get on using telnet??
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    There could be a number of things that is making the router behave this way management vlan, acl blocking traffic or even http not being enabled but you really need to get the config off the box to give us a little carrot, google "Cisco config via tftp" or click here, click the third link. Make sure remove all the sensitive bits before posting it up here.
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  4. jimworley

    jimworley New Member

    3
    0
    1
    Hi, I can't telnet to the router, can't ping it, can't get on it via HTTP, just have access via the serial cable. How would I get a dump of the config off it via this route?

    Many thanks!
     
  5. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    I'm still learning all this myself but try typing "copy running-config tftp:" without the quotes into your console window and then enter the IP address of your tftp server when asked.

    if that doesn't work then do a "sh config" your looking for something similar to below

    Code:
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    
    access-list 3 remark HTTP Access-class list
    access-list 3 remark SDM_ACL Category=1
    access-list 3 permit a.b.c.d w.x.y.z
    access-list 3 deny any 
    
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    You might want to put some more planning into this before making some changes mate, just to be on the safe side.

    For a start I take it the firewall is enabled on the Cisco box and there is a one-to-one NAT rule in place with the required firewall rules in place?

    Also how many published IPs do you have? If you only have one then you are going to have to bridge the IP onto the external NIC of the SBS. I haven’t had to do this with a Cisco device before as I’ve had a published range of IPs to play with so I could configure the external interface on the Cisco and the ISA server with its own published IP.

    Finally does the SBS have decent enough spec to start using ISA? Make sure it has enough RAM or else it will grind to a halt.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. jimworley

    jimworley New Member

    3
    0
    1
    Thank you all for your responses. Here is the running-config. I could not get this via tftp as the tftp server reported timeouts (Tried 3 different tftp servers). The target file was created and you could see it trying to send it but the file always stayed at 0 bytes. I also tried the FTP server method, although I'd entered an FTP username/password and configured this in the FTP server I had no luck with this either - I could see the router trying to connect but the FTP server kept reporting "no username/password". In the end I used the "show running-config" command and captured the output to a file.

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname [deleted]
    !
    boot-start-marker
    boot-end-marker
    !
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    !
    !
    ip ftp username [deleted]
    ip ftp password [deleted]
    no ip domain lookup
    ip domain name [deleted]
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    username [deleted]
    username [deleted]
    username [deleted]
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
    ip unnumbered Vlan1
    ip mroute-cache
    peer default ip address pool VPNPOOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    interface Vlan1
    ip address 10.0.140.254 255.255.255.0
    ip access-group V1-IN in
    ip nat inside
    ip viretual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer1
    ip address negotiated
    ip access-group D1-IN in
    ip access-group D1-OUT out
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname [deleted]
    ppp chap password 0 [deleted]
    !
    ip local pool VPNPOOL 10.0.140.164 10.0.140.191
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface Dialer1 overload
    ip nat inside source static tcp 10.0.140.224 3389 interface Dialer1 3389
    !
    ip access-list extended D1-IN
    permit udp any eq isakmp any eq isakmp
    permit esp any any
    permit gre any any
    permit tcp any eq ftp-data any gt 1023
    permit tcp any eq ftp any gt 1023
    permit tcp any gt 1023 any eq 22
    permit tcp any gt 1023 any eq 1723
    permit tcp [deleted] 0.0.0.7 gt 1023 any eq 3389 log
    permit tcp [deleted] 0.0.0.7 gt 1023 any eq 5ts900 log
    permit tcp [deleted] 0.0.0.7 gt 1023 any eq 5900 log
    permit tcp [deleted] 0.0.0.7 gt 1023 any eq 3389 log
    evaluate D1-REFLEX
    ip access-list extended D1-OUT
    permit gre any any
    permit esp any any
    permit ip any any reflect D1-REFLEX
    permit ip 192.168.254.0 0.0.0.255 any reflect D1-REFLEX
    permit ip 10.0.140.0 0.0.0.255 any reflect D1-REFLEX
    ip access-list extended NAT
    permit ip 192.168.254.0 0.0.0.255 any
    permit ip 10.0.140.0 0.0.0.255 any
    ip access-list extended V1-IN
    permit gre any any
    permit tcp host 10.0.140.224 gt 1023 any eq pop3
    permit tcp host 10.0.140.224 eq 1723 any gt 1023
    permit tcp host 10.0.140.224 eq 3389 any gt 1023
    permit tcp host 10.0.140.224 eq 5900 any gt 1023
    permit tcp host 10.0.140.224 gt 1023 any eq www
    permit tcp host 10.0.140.224 gt 1023 any eq 443
    permit tcp host 10.0.140.224 gt 1023 any eq ftp-data
    permit tcp host 10.0.140.224 gt 1023 any eq ftp
    permit tcp host 10.0.140.224 gt 1023 any eq smtp log
    permit udp host 10.0.140.224 gt 1023 any eq domain log
    permit tcp host 10.0.140.224 gt 1023 any eq pop3 log
    permit tcp host 10.0.140.224 gt 1023 any eq 1723 log
    permit tcp 10.0.140.0 0.0.0.255 gt 1023 any eq 8000 log
    deny ip any any log
    ip access-list extended VTY-IN
    permit tcp 10.0.140.0 0.0.0.255 gt 1024 host 0.0.0.0 eq 22 log
    permit tcp [deleted] 0.0.0.7 gt 1024 host 0.0.0.0 eq 22 log
    permit tcp [deleted] 0.0.0.7 gt 1024 host 0.0.0.0 eq 22 log
    deny ip any any log
    !
    !
    control-plane
    !
    !
    line con
    0
    exec-timeout 0 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class VTY-IN in
    transport preferred ssh
    transport input ssh
    transport output ssh
    !
    scheduler max-task-time 5000
    end

    In answer to the questions re. published IP's, there is only one. The SBS/ISA server has 4Gb RAM and seems to be running OK. We only have 8 users with Internet access :)
     
  8. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Here is your problem

    Code:
    no ip http server
    no ip http secure-server
    
    This is telling the box No SDM Access via HTTP/HTTPS, where as my example

    Code:
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    
    access-list 3 remark HTTP Access-class list
    access-list 3 remark SDM_ACL Category=1
    access-list 3 permit 10.10.10.0 0.0.0.255
    access-list 3 deny any
    
    Would allow HTTP/HTTPS access from the 10.10.10.0/24 network , what experience of Cisco CLI/SDM/ADSM do you have?
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  9. mark@ccierack.co.uk

    mark@ccierack.co.uk New Member

    2
    0
    13
    Hi

    You need the following for SDM to work.

    ip http server
    ip http secure-server
    username anamehere privilege 15 password apasswordhere

    Int f0
    ip address x.x.x.x x.x.x.x

    So if you have a http server enabled and an IP addy bound to an interface the only thing you need is a privilege 15 user and it should work.

    Cheers

    Mark
     
    Certifications: CNE, MCSE, CCNP

Share This Page

Loading...