Sunday, 19 May 2013

Configuration Example for Cisco 857/877W Config for Bigpond or Telstra Internet Direct


This config is straight out of a Cisco 857W router running on Bigpond. It has Wifi enabled with WPA2 AES encription. The Cisco is running IOS version 12.4.


service password-encryption
service internal
!
hostname <hostname>
!
enable secret <your enable password>
!
no aaa new-model
!
dot11 ssid <Your SSID>
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii <Your Wireless Key>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.138 10.0.0.254
!
ip dhcp pool LocalNet
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.138
   domain-name internet.local
   dns-server 10.0.0.138
   lease 365
!
ip cef
ip domain name internet.local
ip name-server <nameserver 1>
ip name-server <nameserver 2>
!
username admin secret <admin password>
!
bridge irb
!
interface ATM0
no shutdown
no ip address
atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
no shutdown
!
interface FastEthernet1
no shutdown
!
interface FastEthernet2
no shutdown
!
interface FastEthernet3
no shutdown
!
interface Dot11Radio0
no shutdown
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid <Your SSID>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
world-mode dot11d country AU both
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip virtual-reassembly
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <ISP Username>
ppp chap password <ISP Password>
!
interface BVI1
description LAN & WLAN Bridge
ip address 10.0.0.138 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end
Posted by at No comments:

Wednesday, 15 May 2013

Enabling SNMP and Netflow for Solarwinds NPM and NTA on Cisco ISR, ASR and ASA firewalls

This assumes that your Solarwinds collector and Netflow analyser are on 192.168.0.55.

For Cisco ASR's or ISR's with Flexible Netflow:

Firstly, lets create an ACL for our Solarwinds Server:

ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community tceo RO Solarwinds
snmp-server location Mario's Pizza Shop
snmp-server contact Mario Bros

Now to enable NetFlow:

flow record NETFLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW_EXPORT
 destination 192.168.0.55
 transport udp 2055
!
flow monitor NETFLOW_MONITOR
 exporter NETFLOW_EXPORT
 record NETFLOW_RECORD
Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking GigabitEthernet0/0/0

interface GigabitEthernet0/0/0
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
!

 To check if all is working as expected, you can type the following command:


sh flow monitor

For Cisco ISR's without Flexible Netflow:


Firstly, lets create an ACL for our Solarwinds Server:


ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community public RO Solarwinds
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

Now to enable NetFlow:

ip flow-export version 9
ip flow-export destination 192.168.0.55 2055

Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking Gi0/0

interface GigabitEthernet0/0
  ip flow ingress
  ip flow egress
!

 To check if all is working as expected, you can type the following command:


sh ip cache flow

If you just want to use Netflow without the export to a Netflow collector, just negate the "ip flow-export" commands.

For ASA Firewalls:


This process is a bit more complicated on a Cisco ASA firewall that the above Cisco configuration.

Firstly we name our Solarwinds Server:

name 192.168.0.55 Solarwinds

Enable SNMP:

snmp-server host dmz Solarwinds community public
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

Now to enable Netflow - first we create an ACL for what traffic you wish to monitor - typically everything:

access-list netflow-export extended permit ip any any

Now we set the Netflow parameters:

flow-export destination <output interface name> Solarwinds 2055
flow-export template timeout-rate 3
flow-export delay flow-create 10

Configure our Netflow Classes:

class-map netflow-export-class
 match access-list netflow-export
!

Configure our Policies:

policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination Solarwinds
!


Posted by at 16 comments:

The simplest way to setup a Cisco router for Australian ADSL using PPPOA

This tutorial assumes that you are using an ISP which supports PPPOA. Bigpond and Telstra Internet Direct support this.

In this example I am configuring a Cisco 2811 with a HWIC-1ADSL WIC in Slot 0. This gives it an interface of "atm0/0/0".


interface ATM0/0/0
 description ADSL Physical Interface
 no ip address
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!

 Next we can configure our Dialer interface. This is used to initiate authentication to your ISP.

interface Dialer0
 description ADSL Dialer Interface
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname username@bigpond.com
 ppp chap password your_password
!

Now we can configure our internal LAN interface

interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!

Create a standard ACL ready for NAT

ip access-list standard LAN
  permit 192.168.0.0 0.0.0.255
!

Allow NAT for the above ACL

ip nat inside source list LAN interface Dialer0 overload

Finally we set our default route out of the Dialer0 interface

ip route 0.0.0.0 0.0.0.0 Dialer0

Now with any luck you should have a working internet connection.

To configure DNS and DHCP services on the router please refer to my blog about enabling DHCP and DNS services.
Posted by at 1 comment:

Setting up DHCP and DNS services on Cisco Routers


In this blog I will explain how to setup a DHCP and DNS server on your Cisco router.

The network subnet is as follows:

Network Address: 192.168.0.0
Subnet Mask: 255.255.255.0
Router: 192.168.0.1
Dynamic Range: 192.168.0.10 - 192.168.0.254
ISP DNS Server: 8.8.8.8
Subnet Domain Name: mylan.local

These commands specify the DNS server and local domain to the router:


ip domain name mylan.local
ip name-server 8.8.8.8

This command enables the Cisco DNS Service

ip dns server


Before we create our DHCP server, we should specify which IP's are not to be assigned. This being 192.168.0.1 to 192.168.0.9

ip dhcp excluded-address 192.168.0.1 192.168.0.9

Now we specify our DHCP Pool:

ip dhcp pool MyLAN
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.1
   domain-name mylan.local
   lease 7
!

You may now wish to assign statically assigned IP addresses to various hosts on your network. You can do this by creating another DHCP pool

ip dhcp pool MyLaptop
   host 192.168.0.10 255.255.255.0
   client-identifier 0100.0430.52c7.88
!

Note: The client identifier is NOT the MAC address of the client. The easiest way to find the client identifier is to connect the machine to the network and wait for it to be assigned an IP by the router.

In enable mode, type in:

show ip dhcp binding

Match the client identifier with the IP address you were dynamically assigned then create your static pool like the one mentioned above.
Posted by at No comments:

Bi-directional NAT/SNAT with Cisco Routers

Some of you may be familiar with either Microsoft Forefront TMG or ISA Server.

It had an option when publishing ports to the outside world of "Requests appear to come from the ISA Server computer" or "Requests appear to come from the Forefront TMG computer".

This was handy for instance if you were publishing ports to the internet on WAN servers/local servers which didn't have that particular ISA or TMG box as it's default gateway.

This can be particularly handy if you wanted to load balance traffic across two links or simply as a backup way of getting into your network remotely if your primary link fails.

It basically modified the source address of any incoming connections so that it appears to the internal client as coming from the routers internal side IP.

This guide below shows exactly how to achieve this with a Cisco router running IOS 12.4.

In a typical scenario, you might have a router configured with ADSL and a Dialer interface with "ip nat outside" and a "Fa0/0" or "G0/0" LAN interface with "ip nat inside"

It may look like the following:


interface Dialer0
 description ISP ADSL2+ Interface
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username@isp.com
 ppp chap password 7 06675F141A1F064F25
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
ip nat inside source list 1 interface Dialer0 overload
!
ip nat inside source static tcp 192.168.0.15 25 interface Dialer0 25
!
ip route 0.0.0.0 0.0.0.0 Dialer0

The problem with the above configuration is that the NAT only travels one way. What we want to achieve is a bi-directional NAT.

We need to remove the "ip nat inside" and "ip nat outside" lines from both the Dialer0 and FastEthernet0/0 interfaces and replace with "ip nat enable". This means now that we can configure NAT to work both inbound and outbound.

For the below example, we assume that my ISP has assigned me a static IP of 200.200.200.200.

The server I want to publish is a Web Server on IP 192.168.0.55

Assuming that your current configuration is like the above, we would type the following:


interface FastEthernet0/0
 no ip nat inside
 ip nat enable
!
interface Dialer0
 no ip nat outside
 ip nat enable
!
no ip nat inside source list 1 interface Dialer0 overload
!
no access-list 1 permit 192.168.0.0 0.0.0.255
!
ip access-list extended NAT_OUT
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended NAT_IN
 permit ip any host 200.200.200.200
!
ip nat source list NAT_IN interface FastEthernet0/0 overload
ip nat source list NAT_OUT interface Dialer0 overload
!
ip nat source static tcp 192.168.0.55 80 interface Dialer0 80


And that's it! Now when connections are made to the public IP, they are translated internally to the web server but the source address appears as 192.168.0.1 - the IP address bound the the Fa0/0 interface.
Posted by at No comments:

Friday, 10 May 2013

Policy Based Source Routing over two WAN Links with NAT

The scenario is that I have two Internet links. One over Ethernet and the other over ADSL. I want to push particular hosts on my internal LAN out through the ADSL and the others out through the Ethernet link.

192.168.0.0/24 = LAN Subnet
FastEthernet0/0 = LAN Interface
FastEthernet0/1 = Internet Connection 1 (Fibre/Cable)
Dialer1 = Internet Connection 2 (ADSL)


interface FastEthernet0/0
 ip policy route-map PBR
The above defines the internal LAN interface to be assigned to the "PBR" route-map which we will define below.
 ip nat inside
!
ip nat inside source route-map ADSL-Only interface Dialer1 overload
Specifies that all NAT must adhere to the ADSL-Only and LAN route-maps defined later
ip nat inside source route-map LAN interface FastEthernet0/1 overload
!
ip access-list extended ADSL-Only
My two hosts that I want to go out over ADSL
 permit ip host 192.168.0.15 any
 permit ip host 192.168.0.10 any
!
ip access-list extended LAN
My LAN subnet
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map ADSL-Only permit 10
Match this Route-Map to the ADSL-Only ACL above and match it to outbound interface Dialer1. This is for the NAT aspect of routing.
 match ip address ADSL-Only
 match interface Dialer1
!
route-map LAN permit 20
Match this Route-Map to the LAN ACL above and match it to outbound interface F0/1. This is for the NAT aspect of routing.
 match ip address LAN
 match interface FastEthernet0/1
!
route-map PBR permit 10
Our PBR route-map bound to our internal LAN interface to match ADSL-Only ACL and pump all traffic out thought Dialer1. Since my ADSL does not have a static default or next-hop IP, the "set interface Dialer1" is used instead of "set ip next-hop <ip>"
 match ip address ADSL-Only
 set interface Dialer1
!
route-map PBR permit 20
 match ip address LAN
 set ip next-hop 10.112.8.1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.112.8.1
Route Maps dont apply to the router itself. Specifying an ip route here means that the router itself has a default route to use.
Posted by at 1 comment:
Subscribe to: Posts (Atom)