cisco 1711

Ryan

I just bought a Cisco 1711 security access router from eBay. I installed SDM on there, but because of some issues with Java I can't use SDM. Therefore I need help configuring it. I am using Optimum Online with DHCP. I need to set up the router to use DHCP from my ISP, and I also need it to act as a DHCP server. And I need to forward the Xbox Live ports and maybe set up IPsec for VPN.


Wow, that's quite a list of requirements. Let's start with the basics.

Did it come with all this?

Includes: 32 MB Flash, 64 MB DRAM, 4-Port 10/100BASE-T Switch with VLAN, 10/100 WAN & Analog Modem Backup, VPN Hardware Module, Cisco IOS IP Plus/ADSL/Firewall/IDS/IPsec 3DES, embedded Web-based SDM

Dump the "show version" and "show diag" output and post it, if you don't know.

I highly recommend you figure out the Java problem and use SDM. Downgrade Java to 1.5; 1.6 (newest) has been known to mess up Cisco GUIs.

I'm not going to write your config for you, I get $165/hr for that. I'll get you started though.


Yeah, that's the one. The reason why it's so complicated is for space reasons. I need to get cracking on the CCNA exams, but I don't have the space for a separate set of equipment, so what I did was buy two used switches and this router. I'll run two VLANs, one for regular use and the other for lab use.

Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2008 by Cisco Systems, Inc.
Compiled Sat 08-Nov-08 18:42 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)

Alisa uptime is 6 hours, 52 minutes
System returned to ROM by power-on
System image file is "flash:c1700-advsecurityk9-mz.124-23.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1711 (MPC862P) processor (revision 0x101) with 86081K/12223K bytes of memory.
Processor board ID FOC09224BVU (2086749733), with hardware revision 0000
MPC862P processor: part number 7, mask 0
1 Ethernet interface
5 FastEthernet interfaces
1 Serial interface
1 terminal line
1 Virtual Private Network (VPN) Module
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

I get to where it says "Loading Cisco SDM... Please wait" and then nothing. I downgraded to the older version of Java like you said. Still no change.


Thanks for the output there.

Reinstall the SDM package on the router; maybe you're missing some Java files.

http://www.cisco.com/en/US/products/sw/sec...00803e4727.html

You get wizards to do all the complicated tasks you are requesting.

http://www.cisco.com/en/US/docs/routers/ac...e/SDM25UGD.html

or get started on the CLI...

Here are the basics

http://www.icalvyn.com/cisco-router-basic-configuration/

(skip the serial port, AUX, and bandwidth junk)

Configure NAT:

http://www.cisco.com/en/US/tech/tk648/tk36...080094e77.shtml

DHCP server:

http://www.cisco.com/en/US/docs/ios/12_0t/...de/Easyip2.html

Once you have NAT done, forward ports through it:

http://www.beyondweblogs.com/post/How-to-e...forwarding.aspx


Thanks. Well, I finally got SDM to work and the router is mostly configured, but I can't pass any traffic from the inside interface to the outside interface. I get an IP from my ISP and the internal DHCP server is assigning IPs, but no connection to the internet. I think it may have something to do with the routing table or maybe an ACL, but I'm not sure which one it might be. I think next I will set a default route and hope that does the trick. Any suggestions?


A default route should always be set. Since the IP address could potentially change, use the "ip route 0.0.0.0 0.0.0.0 ethernet0/0" command instead. That way it won't matter what your ISP changes the IPs to. NAT needs to be configured for any traffic to pass. 192.168.x.x or 10.x.x.x or whatever type addresses are not routable to the outside world.

"show ip nat trans" will verify that NAT is working properly.


Thanks for your help, but I still can't pass any traffic. Here is the config:

Building configuration...

Current configuration : 8041 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Alisa
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$J7Bp$znwULUkOZIxJTsOSlqN0z/
enable password strictly1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
no ip routing
no ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 172.168.0.1 172.168.11.99
ip dhcp excluded-address 172.168.11.255 172.168.255.254
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool vlan1
 import all
 network 172.168.0.0 255.255.0.0
 domain-name homnet.net
 default-router 172.168.11.2
 netbios-name-server 172.168.11.147
 dns-server 172.168.11.147
!
ip dhcp pool sdm-pool1
 network 192.168.1.0 255.255.255.0
 dns-server 172.168.11.147
 default-router 192.168.1.1
 netbios-name-server 172.168.11.147
!
!
ip domain name homenet.net
!
!
!
crypto pki trustpoint TP-self-signed-2086749733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2086749733
 revocation-check none
 rsakeypair TP-self-signed-2086749733
!
!
crypto pki certificate chain TP-self-signed-2086749733
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303836 37343937 3333301E 170D3032 30333031 30313033
  35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30383637
  34393733 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B598 F04D316D 341C59BD 529A0FD9 AC1050C6 42ADC3EE ADB22567 0A8EA948
  024C25EB C8B474B1 6A8E6C9B D0737F3E D9B1D920 14812EFE 56A0690A 1BCA0628
  96A4736A 084EC239 059DFD65 F8E1F0CC 80576069 0777296E 74D83E66 48A22CF6
  8ABF66F4 46AFF393 9A83C709 FB7CED13 566F5134 AA3B1D7F C66848B9 3D880076
  2F8F0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
  551D1104 09300782 05416C69 7361301F 0603551D 23041830 168014A1 A9DA9D80
  447DDA41 8A4D99F9 0E3C5829 17936F30 1D060355 1D0E0416 0414A1A9 DA9D8044
  7DDA418A 4D99F90E 3C582917 936F300D 06092A86 4886F70D 01010405 00038181
  003D25CA F6EFBC9F B1C751EB 3648317B A2431B11 CC0E7652 1686A3EF 162FD1E2
  BE03794B DE71F770 254912FA 88D6825A 5329A6A9 3D993835 C78D1CCC 210746A4
  AE800F71 2BCFC4D2 0AFFBD94 8BC54044 BF94E3D7 7BDD8969 79EA5B1C 4A6AD8FE
  827B32CE EDD6E858 991C39C9 D8C35EFD 196B1640 241AD142 7BB51FFE 0CBBC571 31
  quit
username root privilege 15 secret 5 $1$jnHg$6PjF6YCuWyQHMMBMqhzBY0
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 ip access-group 104 in
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 4
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 4
 no cdp enable
!
interface Vlan1
 description $FW_INSIDE$
 ip address 172.168.11.2 255.255.0.0
 ip access-group 102 in
 ip inspect SDM_LOW out
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface Vlan4
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip inspect SDM_LOW out
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static udp 172.168.11.148 88 interface FastEthernet0 88
ip nat inside source static udp 172.168.11.148 3074 interface FastEthernet0 3074
ip nat inside source static tcp 172.168.11.148 3074 interface FastEthernet0 3074
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.168.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any eq 3074 host 172.168.11.148 eq 3074
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 172.168.0.0 0.0.255.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit udp any eq 3074 host 172.168.11.148 eq 3074
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 permit ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 172.168.0.0 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.168.0.0 0.0.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any eq 3074 host 172.168.11.148 eq 3074
access-list 104 permit udp any host 172.168.11.148 eq 3074
access-list 104 permit udp any eq 88 host 172.168.11.148 eq 88
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 172.168.0.0 0.0.255.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
!
control-plane
!
banner login ^CKCCS Homenet Router. Authorized users only^C
!
line con 0
 exec-timeout 0 0
 login authentication local_authen
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
line vty 0 4
 password
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
no process cpu extended
no process cpu autoprofile hog
end


172.168.x.x is not an address range you can use. That range happens to be owned by America Online, so your packets never come back home; they get routed out to AOL. :)

Thanks for making it easy on me!!

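The two pieces of advice in the thread, the default route and NAT from the earlier reply and the RFC 1918 point from the last one, pulled together into one working config. This is an added example, not the poster's config and not anything Cisco or SDM generated. Everything in it that is not on the page is an assumption made up for the example: Vlan1 as 192.168.10.0/24 for the home network, Vlan4 as 192.168.20.0/24 for the lab, the Xbox at 192.168.10.148, the ACL names NAT-INSIDE and WAN-IN, and the inspect rule name CBAC. It also reverses two things visible in the posted config: "no ip routing" and "no ip cef", which stop the router forwarding between its interfaces at all, and the cleartext "enable password" sitting next to the "enable secret" that already overrides it.

```cisco
! Added example, not the poster's config: a minimal 1711 config for the thread's
! requirements (ISP DHCP on the WAN, local DHCP server, NAT, Xbox Live forwards).
! Assumed (made up for the example): Vlan1 = 192.168.10.0/24 home, Vlan4 = 192.168.20.0/24
! lab, Xbox at 192.168.10.148, ACL names NAT-INSIDE and WAN-IN, inspect rule name CBAC.
!
! The posted config has "no ip routing" and "no ip cef"; nothing is forwarded without these.
ip routing
ip cef
!
! "enable secret" already takes precedence; drop the cleartext password next to it.
no enable password
service password-encryption
!
! Generic TCP/UDP/ICMP inspection is enough for a home LAN; it opens return
! traffic through WAN-IN for sessions started from the inside.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
! "import all" hands the DNS servers from the ISP lease down to the LAN clients.
ip dhcp pool HOME
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 import all
ip dhcp pool LAB
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 import all
!
! WAN: the DHCP client installs a default route from the lease (distance 254),
! so no static "ip route 0.0.0.0 0.0.0.0" is needed.
interface FastEthernet0
 description WAN - ISP DHCP
 ip address dhcp client-id FastEthernet0
 ip access-group WAN-IN in
 ip inspect CBAC out
 ip nat outside
 no cdp enable
!
interface Vlan1
 description HOME
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Vlan4
 description LAB
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet3
 switchport access vlan 4
interface FastEthernet4
 switchport access vlan 4
!
! The inside networks must be RFC 1918 space: 172.16.0.0/12 is, 172.168.0.0/16 is not.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
!
! Xbox Live: UDP 88, TCP/UDP 3074, the same ports as in the posted config.
ip nat inside source static udp 192.168.10.148 88 interface FastEthernet0 88
ip nat inside source static udp 192.168.10.148 3074 interface FastEthernet0 3074
ip nat inside source static tcp 192.168.10.148 3074 interface FastEthernet0 3074
!
! Inbound on the WAN the ACL is evaluated before NAT rewrites the destination,
! so the forwards are matched on "any" (the router's public address), not on
! the Xbox's inside address. Everything not listed is dropped and logged.
ip access-list extended WAN-IN
 permit udp any eq bootps any eq bootpc
 permit udp any any eq 88
 permit udp any any eq 3074
 permit tcp any any eq 3074
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip any any log
!
! Management: HTTPS for SDM, SSH only on the vtys (the posted config also allows telnet).
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
```

To check it: "show ip route" should list the lease-learned default as "S* 0.0.0.0/0 [254/0]" once FastEthernet0 has an address; "show ip nat translations" should fill with entries as soon as a LAN client browses; "show ip inspect sessions" shows the CBAC state that lets the replies back through WAN-IN. If nothing translates, "show access-lists NAT-INSIDE" with zero matches means the inside subnet is not covered by the NAT ACL, which is exactly how the 172.168 pool in the posted config would fail even after the addressing is fixed.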
