Cisco 806 - Beginner questions

Unanswered Question
Feb 21st, 2007

Hi,

First, please excuse my lack of knowledge; today is my 2nd day ever touching Cisco equipment.

I got this router, and I want to use it at home for my 8 static IPs. I will have one firewall behind this router, which connects me to the corporate VPN, I will have another wireless router behind the Cisco for my home network, and a few servers, mail, www, etc. All these on a different static IP.

I established a Console connection to the 806, and I am able to log in, etc. I believe that Factory Default would enable DHCP service, and allow me to manage through the Web on 10.10.10.1. Now, when I reset it to factory (I hope I did), I wasn't able to connect through the web, so went back to the console, and I see that the setting is completely blank, no default settings applied. How can I get it back to real factory default? Being a beginner, a web interface would help me a lot I believe.

Through the console I managed to set up IP addresses for both interfaces, and DHCP on eth0, and I am able to reach the router via Web, but it isn't working. It loads, asks a username and password. I supply the password I gave with "enable secret" command, and it goes on, then says router is not connected, check cables, etc. I am able to see the Cisco opening site, so I am 100% sure the connection is live, however it wouldn't let me do anything there. Also I noted that when I connect via web, it asks for username and password, although I only have a password I think.

I am sure my post is full of nonsense, again, please excuse this for me.

Thanks a lot for any help,

Ben


Ben,

Log into the Router via the console, do a SHOW INTERFACE to see if your interfaces are UP & UP. If they are not, this will be some indication of what is wrong (i.e. wrong cable, etc). If they are UP & UP, make sure you have an access-list that allows your inside network to get out.

If you want to reset to factory default you can run the SETUP command from enable or config T mode. This will prompt you for IP address and other info about protocols. Good luck.

bence8810 Wed, 02/21/2007 - 09:01

Hi

Yes, the interface is up, as I am able to log in with Telnet, and also with Web, and I am even prompted for login, just it isn't letting me on for some reason. There is no auth error in IE either. I also tried a wrong password, it then re-prompts me for credentials, and when I enter my secret password with no username, it goes through, and then drops me. But like I said, I can even see the Web-UI of the Cisco router, so the connection is evident.

Thanks for any help,

Ben

ahmednaas Wed, 02/21/2007 - 10:02

Ben,

Can you post your current config? Obfuscate any real IP addresses before you post.

bence8810 Wed, 02/21/2007 - 10:42

Hi

This is the running-config currently. As I was playing with it, now it's a bit different than how it was when I first posted. I did a reset to Factory Defaults, and I went through the initial configuration. The only difference I can see is that now HTTP is disabled. When it was enabled, I had the login problem.

Do you see anything obvious?

Also, if I find a good configuration example on the internet, how do I upload it to the router?

Thanks

Ben

router#show running-config
Building configuration...
Current configuration : 589 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
enable secret 5 scrambled password here
enable password unscrambled password here
!
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 hold-queue 100 out
!
interface Ethernet1
 ip address xxx.xxx.xxx.xxx 255.255.248.0
!
ip classless
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 stopbits 1
line vty 0 4
 password unscrambled password here
 login
!
scheduler max-task-time 5000
end

bence8810 Wed, 02/21/2007 - 13:20

Hi

Thanks for the link, but it didn't really help me. I am not trying to set up VPN, and I already found a good configuration which will work for me, I just don't know how to upload a config file to the router, or do I have to add the entries one by one?

As for HTTP access, I added the entries to the Console:

ip http server
ip http access-class 24
access-list 24 allow any

The access-class and access-list I copied from your link. Still the same, router is manageable through Telnet, but not HTTP. If telnet works, I can safely state I guess that the Ethernet interface is fine. Is there anything I can do about this?

Thanks

Ben

ahmednaas Wed, 02/21/2007 - 13:52

You can copy and paste your config. Edit the config file you have to your liking and then:

- connect to the router via console.
- enter global config mode

router>en
router#config t
router(config)#

- now copy your config file and paste it at the prompt.

You can also copy the file via tftp but try the copy&paste first.

vaisharm Wed, 02/21/2007 - 21:06

Ben, the web interface that you are referring to is CRWS.

The following document is a good read:

Cisco Router Web Setup 3.3 Troubleshooting Guide

http://www.cisco.com/en/US/products/sw/netmgtsw/ps2076/prod_troubleshooting_guide09186a0080132c3c.html

Try creating a user.

Router#conf t
username < > password < >

Now, every time you login using the web interface, provide the username/password specified above.

If this does not work, you may also try the following in addition to the above step:

Router#conf t
line vty 0 4
login local

Now, even for telnet the same username and password would be used.

If this works, do rate it.

-Vaibhav

bence8810 Thu, 02/22/2007 - 09:09

Ahmednaas,

Thanks, copy-paste works like a charm.

Vaisharm,

The user was created, but it won't let me in. Is it by default a level 15 access? What I see in the config after creating the user:

username (xzy) password 0 (xyz)

Does it mean a level 0 access, or I am mistaken?

I will read the documentation when I get home, hoping I can advance further.

Thanks, and any suggestions are still welcome. What is strange, that now with the username I created it bounces the prompt back, and after 3 tries, it says Authentication Failure. If I try it without a username, and use my secret password, it lets me in, but it never loads properly. It still complains that the browser is unable to talk to the router.

Ben

vaisharm Thu, 02/22/2007 - 09:37

Ben,

The 0 after password is "encryption-type". It defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.

Also, the default privilege level is '1'. Level 15 is the level of access permitted by the enable password.

If you are successfully authenticated using just the password then it could be a browser-related problem, maybe due to some Java components. I feel that the document that I included in my last post should be helpful.

- Vaibhav

bence8810 Thu, 02/22/2007 - 10:28

Hi

Thanks for your answer. I went through the whole documentation, and all seems well. The files are in the webflash, and all other looks good too. I can only imagine this point that the IOS is bad, or corrupt. Do you think that sounds reasonable?

Other than that, here is the portion of the config file which relates to the vty line, could you verify that it's correct?

As for browsers I tried it from 2 PCs, one with Windows and IE and Firefox, and from a Debian Linux with Firefox. Same goes for all.

Thanks

Ben

line con 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password pass
 login local
 length 0

vaisharm Fri, 02/23/2007 - 00:37

Ben,

The vty line here is configured for local authentication. So, the username and password configured in global configuration mode would be used. The password specified under vty 0 4 is not used. Also, can you please copy and paste the exact error message that you get along with show run.

- Vaibhav
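
An added example (not from any poster in this thread): a small Python check that reads a pasted running-config and reports the points explained in the replies above, namely the encryption type and privilege level on each username line and a vty line password that goes unused under login local. The sample config, its names and its passwords are constructed placeholders; the enable password and exec-timeout checks go slightly beyond what the replies state.

```python
import re

# Constructed sample modelled on the lines posted in this thread; the names,
# passwords and hash are placeholders, not values from a real device.
SAMPLE = """\
no service password-encryption
enable secret 5 $1$placeholder$placeholder
enable password example-enable-pw
username ben password 0 example-user-pw
username admin privilege 15 password 7 PLACEHOLDER
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password example-line-pw
login local
!
"""
# running-config form: username NAME [privilege N] password TYPE TEXT
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password (\d) ")
ENC = {"0": "cleartext", "7": "type 7 (Cisco-defined encryption)"}

def audit(config):
    """Return (item, finding) tuples for the settings discussed in the thread."""
    cmds = [c.strip() for c in config.splitlines() if c.strip()]
    findings, blocks, current = [], {}, None
    for cmd in cmds:
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        elif cmd in ("!", "end"):
            current = None                      # "!" closes a line block
        elif current:
            blocks[current].append(cmd)         # sub-command of that line block
        elif (m := USER_RE.match(cmd)):
            level = int(m.group(2) or 1)        # default privilege level is 1
            kind = ENC.get(m.group(3), "type " + m.group(3))
            findings.append((m.group(1), f"privilege {level}, password stored as {kind}"))
    if "no service password-encryption" in cmds:
        findings.append(("global", "type 0 passwords are readable in the config"))
    if any(c.startswith("enable secret ") for c in cmds) and any(
            c.startswith("enable password ") for c in cmds):
        findings.append(("global", "enable password is redundant next to enable secret"))
    for name, sub in blocks.items():
        if "login local" in sub and any(s.startswith("password ") for s in sub):
            findings.append((name, "line password is not used with login local"))
        if "exec-timeout 0 0" in sub:
            findings.append((name, "idle sessions never time out"))
    return findings
```

Calling audit(SAMPLE) returns the findings as a list; the parser relies on "!" or a new "line" header to end each line block, so it also works on configs pasted without indentation.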

ahmednaas Thu, 02/22/2007 - 10:05

The 0 in this case indicates a clear text password.

If your password was included in the copy&paste operation, then there might be an extra space unintentionally tagged onto the end of the password. So try to login with an extra space character at the end.

bence8810 Fri, 02/23/2007 - 01:00

Hi

I have reset the router to factory defaults by rommon1>confreg 0x142 and used the copy-paste to upload a configuration which has no password protection. Now I am able to log in to the router, but the 2 day effort for getting this to work doesn't seem to pay back. I find the web interface less useful than it is in a $50 Linksys router :( Is this normal that the web interface is lacking?

On top, when I clicked on Router Features, and Firewall beneath it, I got a "Feature is not supported" message.

Does it mean that Firewall is not supported by this router?

Thanks

Ben

vaisharm Fri, 02/23/2007 - 01:20

Ben,

The CLI on Cisco routers is definitely more powerful and the best mode for configuration and troubleshooting. The GUI is much newer and does not have the same level of control/capabilities as the CLI.

Please provide the complete filename for the IOS image that you are using and I can check if it has firewall feature.

-Vaibhav

bence8810 Fri, 02/23/2007 - 01:38

Hi

This is what I currently have:

Router>enable
Router#show flash
System flash directory:
File Length Name/status
1 2678124 c806-y6-mz.122-2.XK.bin
[2678188 bytes used, 5710420 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)
Router#

The memory of the router:

CISCO C806 (MPC855T) processor (revision 0x202) with 14848K/1536K bytes of memory.
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

I don't know what IOS will fit, but this is what I am looking for if possible:

I would like to use it for my 8 static IPs, one for the router, one for a VPN equipment (Juniper Netscreen), one for my WiFi router and the rest for some servers. I hope that this Cisco will take care of the routing for the 8 IPs.

I would also like a firewall feature, where I can open and or block ports to specific static IPs from the 8 I have, and also if possible, to set up a VPN to my home. VPN can be missed if have to.

Do you think this is possible? If so, with which IOS?

Thanks for your help,

Ben

ahmednaas Fri, 02/23/2007 - 02:05

This image has FW features and can fit in the memory you have:

c806-oy6-mz.12.2-11.T11.bin

If you want the latest image ( see my other post), then you have to upgrade your RAM to 32MB.

bence8810 Fri, 02/23/2007 - 07:45

Hi

I would like to download it, I already have the TFTP server. Where do I find it? I am on Cisco's site, but unable to locate the same IOS. Do I need a logon to Cisco? I think I am not registered, thus don't have a login.

Thanks

Ben

bence8810 Fri, 02/23/2007 - 23:14

Hi

Thanks, yes, that I don't have, I mean the login. So I guess I stay with current firmware.

I got the router home, here I have an ADSL line. I configured the router with PPPOE login, or at least I think so. The IP address is set to negotiated, and when I connect with console, I do get the IP address, which is good. However, I am unable to ping anything outside. So I guess it isnt fully working. My goal is to have the first IP in my pool of 8 (6 useable), and the rest can be obtained from the router without DHCP.

This is what my config looks like, if you could suggest a change, I would appreciate any help. I am also lost in terms of the PPP authentication, but I guess since I get the ISP's IP, it might be good?

p.s. In the config you will see many incorrect things, like ETH0 is not yet configured, but I will do that after ETH1 is up and running. Also there are some entries commented out, I left them as they might be useful later.

Thanks

Ben

!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
logging buffered 4096 informational
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server isp dns
ip name-server isp dns
!!!!!!!!!!!!!
!
!!!!!!!!!!!!! Configuring the router as DHCP server
!ip dhcp excluded-address 10.10.10.1
!
!ip dhcp pool hubud1bfrankpool01
!network 192.168.1.0 255.255.255.0
!default-router someip
!dns-server 1.1.1.2 1.1.1.3
!dns-server 192.168.1.254
!!!!!!!!!!!!!
!
!no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!!!!!!!! This is the LAN side
interface Ethernet0
!!!!!!!!!!!! The IP address for the router
 ip address 192.168.1.254 255.255.255.0
!!!!!!!!!!!!
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
!!!!!!!!!!!! Note that e1 has no IP address
interface Ethernet1
 no ip address
!!!!!!!!!!!!
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!!!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!!!!!
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
!ppp chap hostname *********
!ppp chap password 7 *******
 ppp pap sent-username [email protected] password 0 mypassword
 ppp ipcp route default
!
ip nat inside source list 102 interface Dialer1 overload
!
!!!!!!!!! This is the important part:
!!!!!!!!! The server is an FTP running generic FTP software
!!!!!!!!! The FTP server is in inside network using IP address 10.10.10.2
!!!!!!!!! This configuration uses PAT (Port Address Translation) which deploys
!!!!!!!!! port 20 and 21 (standard ports for FTP)
!!!!!!!!!
!!!!!!!!! The "ip nat inside source static" is the actual PAT command for running servers with Cisco router
!!!!!!!!!
!!!!!!!!! Note that the word "extendable" is automatically added by the router
!!!!!!!!! You don't have to enter the word when you configure the router
!!!!!!!!!
!ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20 extendable
!ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21 extendable
ip classless
!!!!!!!!! This command is to make the router configurable using web browser
!!!!!!!!! such as Internet Explorer or Netscape, which is totally optional.
!!!!!!!!! You can turn the feature off by entering "no ip http server"
!!!!!!!!!
ip http server
!!!!!!!!!
!
!access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

bence8810 Sun, 02/25/2007 - 12:15

Hi

I hope everyone had a good weekend.

I am also getting closer to completion. I now know there is no way for me to upgrade the IOS, as I have no account at Cisco, so I just try to live with no firewall support for now.

The thing I am stuck on, besides that I don't have a working network behind my router, is that I would like to take use of the 8 IPs I have. First, I need one IP on the wan side. The second IP will be on the LAN side I imagine, the third IP will be my corp firewall, 4th IP my home wireless router, and the rest will be used at my servers.

How do I configure this router to actually take control of these 8 IPs?

Thanks

Ben

ahmednaas Fri, 02/23/2007 - 01:23

The web interface in Cisco router is not the best. I guess most net admins use the CLI.

Whether firewall features are supported or not depends on the feature set you have loaded in the router. What version do you have loaded? Use "show version" and paste the output here. This one supports Firewall features:

c806-o3sy6-mz.12.3-14.T7.bin

And this one does not: c806-sy6-mz.12.3-14.T7.bin
