Cisco Support Community
New Member

Basic Router SSH Access

Hello Cisco Experts,

I need to configure a 2921 ISR.  Basic config below.  Nothing elaborate as far as config goes.  Inside traffic routing outside.  GE0/0 - External IP and GE0/1 - Internap IP.  I'm trying to telnet to the GE0/0 interface, but it's not working.  Did I miss something?  This is a brand new router I received this afternoon.  Ultimately I need to enable SSH and restrict access to two remote IP addresses (x.x.x.244 & x.x.x.246)

Any assistance would be greatly appreciated.

Thanks,

Michael

Basic Configuration Below

*************************************************************************************************

Current configuration : 5325 bytes
!
! Last configuration change at 22:47:28 UTC Mon Jun 18 2012 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cv_router_2921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 *******.
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!        
!
!
!
!
ip domain name corp.local
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3184049427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3184049427
revocation-check none
rsakeypair TP-self-signed-3184049427
!
!
crypto pki certificate chain TP-self-signed-3184049427
certificate self-signed 01

          quit
license udi pid CISCO2921/K9 sn FGL161612S2
!
!
username my_username privilege 15 secret 4 *******
!
redundancy
!
!
!        
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Transit Network
ip address x.x.x.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Transit Network
ip address x.x.x.225 255.255.255.224
duplex auto
speed auto
!        
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 x.x.x.133
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Removed

-----------------------------------------------------------------------
^C
!        
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 *******
login local
transport input telnet ssh
!        
scheduler allocate 20000 1000
end

cv_router_2921#


Accepted Solutions
Hall of Fame Super Silver

Basic Router SSH Access

Michael

Thanks for the additional explanation. That does help.

Am I correct that the ping problem was just a transposition of octets in the address? Or is there still some problem with pinging?

HTH

Rick

32 REPLIES

Basic Router SSH Access

Michael,

You'll need to remove the default acl on the line:

line vty 0 4

no access-class 23 in

That'll get you into the router with telnet.

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Basic Router SSH Access

Hello John,

Thank you for the post.  I've left for the day and will try that in the am.  Also as mentioned, ultimately, I want to remove telnet and enable ssh with an ACL to the outside interface of the router.  I'm going to review that this evening at home so that I can try out my config when I get into the office in the morning.

I'll let you know how it goes tomorrow,

Michael

VIP Purple

Re: Basic Router SSH Access

Hi,

Additionally to removing the access-class, you should always configure all vty-lines:

line vty 0 15

xxxx

That way you'll have the same config on all lines and not what is in your config where some lines are enabled for SSH, but some are not. Probably that's not intended?

Regards, Karsten

Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: Basic Router SSH Access

Hello Karsten,

I found it odd that it showed up that way as I entered the command as you included in your post.  Any idea why that would be? 

Michael

New Member

Re: Basic Router SSH Access

Enable *only* SSH on all VTY lines:

conf t

line vty 0 15

transport input ssh

exit

crypto key generate rsa general-keys modulus 1024

The last command is needed to generate a crypto key, which is used in each SSH session.

I'd also recommend setting a new username and enable secret:

username USER privilege 15 secret 0 PASSWORD

enable secret 0 PASSWORD

VIP Purple

Re: Basic Router SSH Access

Hi, try this:

Config t

line con 0

login local

line aux 0

line vty 0 4

login local

transport input telnet ssh

transport output all

!

scheduler allocate 20000 1000

Regards

please rate if it helps.

New Member

Basic Router SSH Access

After reviewing posts, I've made recommended changes.  Removing the ACL did not allow me to telnet to the router.  I'm taking this one step at a time and will start with telnet access.  Once that's resolved, I'll move on to ssh access, and then finally on to ACLs.

Below is the snippet from the config around the VTY usage.  Any insight into the "line 2" part of the config?  The telnet config is very basic and I've configured telnet on other devices in the past.  Not sure why I'm having difficulty now.

This is how I've set up the devices:

[My Laptop - RJ-45]  --  Cross-Over Cable  -->  [Router E0/0]

xx.xx.xx.133 255.255.255.252                        xx.xx.xx.134 255.255.255.252

[My Laptop - Serial]  --  Serial Cable          -->  [Router Console Port]

line con 0

exec-timeout 0 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 1313030B341E0B3F3F213A616C7042

login local

transport input telnet

transport output all

line vty 5 15

privilege level 15

password 7 06101B38735C060C1112005955567B

login local

transport input telnet

transport output all

!

scheduler allocate 20000 1000

end

VIP Purple

Basic Router SSH Access

the "line 2" config is typically used for modules in the router, so that is probably not relevant for this problem.

The "line vty" looks ok. Do you have any interface-ACLs at the moment?

Do you have basic connectivity? I.E. you can ping your router or if not do you see the other device in the ARP-Cache?

And: How far do you get with your test? Telnet-Access can go wrong in multiple ways.


New Member

Basic Router SSH Access

Up until about 5 minutes ago I had console access.  I enter username/password that I created and I am receiving invalid login.

Username: Root

Password:

% Login invalid

Any ideas?  If needed, I'll need to reset to default.

Regarding your other questions:

  • I had my laptop and a spare connected to E0/1 & E0/2 respectively.
  • Each laptop was configured with appropriate IP addresses for the IP addressing information configured on the connected interface.
  • From each laptop, I was able to ping the interfaces on the router as well as to the laptop on the other interface.

Michael

VIP Purple

Basic Router SSH Access

and you configured a username "Root" with a corresponding password or secret?


New Member

Basic Router SSH Access

I configured the following:

username root privilege 15 secret 0 *********

enable secret 0 ********

I just added another discussion regarding my issues with the password recovery procedure.  I need to get that resolved before proceeding with these steps.

New Member

Basic Router SSH Access

Hello Karsten,

I'm back working my telnet/ssh/acl issue.  From my laptop, I am able to ping the interface of the router.  I removed the default ACL

access-list 23 permit 10.10.10.0 0.0.0.7

no access-list 23 permit 10.10.10.0 0.0.0.7

Hall of Fame Super Silver

Basic Router SSH Access

Michael

Removing the access list 23 is a good thing. But more important is to make sure that the vty lines no longer have the access-class configured, since that is what actually controls remote access.

Is this still the accurate listing of the config for the vty lines

line vty 0 4

privilege level 15

password 7 1313030B341E0B3F3F213A616C7042

login local

transport input telnet

transport output all

If this is the configuration then I would expect that telnet to the router address from a connected device should prompt for a user name and password and should authenticate using the user name and password that you have configured on the router. Is that what is happening?

HTH

Rick

New Member

Basic Router SSH Access

Hello Rick,

That is correct.  I found my IP had an incorrect network octet.  I do get prompted for username/password now.

Is there a way to configure a network object to control access.  Here is what I'm trying to figure out.

Create an object called Allowed_SSH_IP

Add x.x.x.224 and x.x.x.246

Configure SSH on the outside interface to only allow IP addresses in this object.

Does that make sense?

Michael

New Member

Basic Router SSH Access

OK.  I'm able to SSH to the router now.  Next step is to configure the ACL.  I don't really see how to configure that, but I need to do some more reading.

New Member

Basic Router SSH Access

Added the following for SSH configuration.

conf t
line vty 0 15
transport input ssh
exit

crypto key generate rsa general-keys modulus 1024

Hall of Fame Super Silver

Basic Router SSH Access

Michael

I am glad that you are making good progress in achieving your requirements. It would appear that you have configured your router so that telnet no longer works and SSH is working.

I am not clear from your posting whether your router is using both version 1 and version 2 of SSH (which is the default) or is using only version 2 (which is more secure and I would advocate that you use this).

Restricting access for SSH is quite easy and straightforward. The easy way to restrict remote access is to create a standard access list and to apply it to the vty using the access-class n in command (where n is the number of the standard access list or the name of the standard access list). The config might look something like this

access-list 51 permit host x.x.x.224

access-list 51 permit host x.x.x.246

line vty 0 15

access-class 51 in

HTH

Rick

New Member

Basic Router SSH Access

Rick,

Yes I was able to get SSH working and I disabled telnet.  With regard to SSH v1 or v2, I did not explicitly set v2.  However, when I configure the SSH session, I selected v2 and was able to log in without issue.  Should I go ahead and set it to v2?

Thanks for the ACL config.  I'm out of the office tomorrow, but will try that out on Thursday.  I'll let you know how it goes.

Thanks again.

Michael

Hall of Fame Super Silver

Basic Router SSH Access

Michael

SSH version 2 is more secure than version 1. So I believe that it is a best practice to specify version 2. If you specify version 2 then the router will no longer operate with version 1. If you do not specify and someone connects using version 1 then the router will accept it. Unless you have some reason to want to continue to use version 1 on the router then I would advocate specifying version 2.

The access list and access-class on the vty are pretty straight forward. Some people want to make the access list into an extended access list so that they can specify SSH. But it works best if you use a standard access list.

HTH

Rick

VIP Purple

Re: Basic Router SSH Access

Fine that you got it that far. How to move on:

- allowing only SSHv2 is a best practice that should be enforced. It's the same as with not allowing Telnet.

- the access-class can also use named ACLs. That makes the config more readable.

- if you need to open the SSH-access to the whole Internet, then it could help to change the SSH-Port. That will not make you any more secure, but reduces the amount of log-entries when SSH-bots try many user/pw combinations.

- management-plane protection gives you additional control which protocols are allowed over which interfaces.

- if someone tries to brute-force a login you can add delays after each unsuccessful login and also lock out user-accounts

- and if the router is part of a bigger installation, then AAA with a central TACACS+ or RADIUS-Server is the way to go.

have fun securing your router, Karsten

New Member

Basic Router SSH Access

What is the difference in creating a user with both a PASSWORD and a SECRET?

As it is configured now, I can SSH to the router, and I am immediately put into User EXEC mode

    test_router_2921(config)#username testsuperuser privilege 15 password testpassword

Does the following recommendation mean when a user logs in via an SSH session, they will require a password, then have to enter "enable", enter their SECRET before proceeding?

     username USER privilege 15 secret 0 PASSWORD

     enable secret 0 PASSWORD

That is my understanding.  Please let me know if I am wrong.

Thanks,

Michael

Hall of Fame Super Silver

Basic Router SSH Access

Michael

I am not clear what following recommendation you are talking about. Perhaps you can clarify?

There are many options that can be configured that influence what happens when a user logs in. The most common scenario is that when a user logs in they are placed into user mode and then must use the enable command and some enable password or secret to get to privilege mode. But there are options which can place the user directly into privilege mode. And we do not know at this point what options you have configured. To be able to give good answers we would need to know whether you have configured aaa for the router (and if so what is configured in aaa) and we would need to know whether authorization for exec is configured, and we would need to know whether any of the vty lines configure a privilege level.

HTH

Rick

New Member

Re: Basic Router SSH Access

Hello Rick,

This is what was recommended in an earlier thread.

username USER privilege 15 secret 0 PASSWORD

enable secret 0 PASSWORD

This is what I configured.

test_router_2921(config)#username testsuperuser privilege 15 password testpassword

With my configuration, when logged in, the user is placed directly into privileged mode.  Hope this clears it up for you.

I have another configuration that I am trying to understand.  It has to do with icmp.  On the router (Console port), I can ping the configured interfaces IP addresses (Gi0/1-x.x.x.225 & Gi0/2-10.1.1.234).

On Gi0/1 I have a laptop directly connected with a x.x.x.226 IP address, but I am not able to ping it.

On Gi0/2, I am connected to a local LAN (10.1.1.0).  I can ping the LAN default gateway (10.1.1.1) but I am not able to ping my system IP (10.1.1.233).

Would the fact that the router default gateway is down/down at the moment have an effect on where the router is trying to send the icmp packets?

Here's a snippet of when I try to traceroute to the 10.1.1.1 IP address:

cv_router_2921#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

  1  *  *  *

  2  *  *  *

  3  *  *  *

  4  *  *  *

  5  *  *  *

  6  *  *  *

This eventually just times out.

I wanted to add that from my system, I can ping through the router to the other system.

[Laptop - 10.1.1.234] can ping [Test Server - 66.238.30.226]

Thanks,

Michael

Message was edited by: Michael Reyes

Hall of Fame Super Silver

Basic Router SSH Access

Michael

Whether a user is placed into user mode or into privilege mode depends in part on how the user and passwords are configured. But it can also depend on some other parts of the router configuration. I know some parts of your config have changed since the original posts but I am assuming that some parts are the same. And in the original config it is set up so that all users are placed directly into privilege mode (regardless of how the user and password are configured). Here is part of the original config

line vty 0 4

privilege level 15

specifying privilege level 15 on the vty results in all users being placed directly into privilege mode. If you want to change the behavior then you need to change this part of the config.

There are many options of how to configure the router for access and they include:

- some routers are configured to use line passwords on vty to authenticate users when they log in. (not so good if you want to use SSH but works fine for telnet). In this case there is no need to configure user names on the router.

- some routers are configured with user names and passwords and do local authentication. This works fine for SSH.  This is the suggestion that you were asking about. It does require configuration of user names and passwords on the router.

- some routers are configured to authenticate using an aaa authentication server such as Cisco ACS. This works fine for SSH. In this case there is no need to configure user names on the router.

Each of these approaches is valid. You need to decide which is the one that fits best into your environment and then to use that one.

For your other question about being able to ping or not able to ping. When  someone has a problem about not being able to ping their laptop my first question is whether there is firewall software running on the laptop that is preventing the ping. So I suggest that you check the laptop, perhaps temporarily disable the firewall software and test again.

HTH

Rick
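Added example, not part of any post in this thread: a small Python check that applies the vty advice given so far (the same settings on every vty line, SSH only, SSH version 2, an inbound access-class that points at an existing access list, and the effect of privilege level 15 explained just above) to a running-config. The two sample configs, the 192.0.2.x addresses and the function names are constructed for illustration; `ip ssh version 2` is the IOS command for the version restriction discussed earlier.

```python
import re

# Constructed sample modelled on the vty section of the first config in the
# thread (passwords left out). It is not a capture from a real device.
SAMPLE_BEFORE = """\
access-list 23 permit 10.10.10.0 0.0.0.7
!
line con 0
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
"""

# The same section after the changes suggested in the thread. The two host
# addresses are constructed documentation addresses, not the poster's.
SAMPLE_AFTER = """\
ip ssh version 2
access-list 51 permit host 192.0.2.244
access-list 51 permit host 192.0.2.246
!
line vty 0 15
 access-class 51 in
 login local
 transport input ssh
!
"""

def parse_vty(config):
    """Return {vty number: [sub-commands]}, expanding 'line vty A B' ranges."""
    lines, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue  # pasted configs are often double-spaced
        m = re.match(r"line vty (\d+)(?: (\d+))?$", cmd)
        if m:
            first = int(m.group(1))
            current = range(first, int(m.group(2) or first) + 1)
            for n in current:
                lines.setdefault(n, [])
        elif cmd.startswith("line ") or cmd in ("!", "end"):
            current = None  # another line stanza or end of the section
        elif current is not None:
            for n in current:
                lines[n].append(cmd)
    return lines

def collapse(nums):
    """Collapse [0, 1, 2, 3, 4, 7] into '0-4,7' for compact reporting."""
    out, nums = [], sorted(nums)
    start = prev = nums[0]
    for n in nums[1:] + [None]:
        if n is None or n != prev + 1:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = n
        prev = n
    return ",".join(out)

def audit(config):
    """Return a list of findings for the vty lines of an IOS config."""
    vty = parse_vty(config)
    acls = set(re.findall(r"^\s*access-list (\S+) ", config, re.M))
    acls |= set(re.findall(r"^\s*ip access-list \w+ (\S+)", config, re.M))
    issues = {}
    for n, cmds in vty.items():
        found = []
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            found.append("transport input not set explicitly")
        elif {"telnet", "all"} & set(transport[-1]):
            found.append("telnet accepted")
        acl = [c.split()[1] for c in cmds if re.match(r"access-class \S+ in", c)]
        if not acl:
            found.append("no inbound access-class")
        elif acl[-1] not in acls:
            found.append(f"access-class {acl[-1]} has no matching access-list")
        if "privilege level 15" in cmds:
            found.append("privilege level 15: logins start in privileged mode")
        for text in found:
            issues.setdefault(text, []).append(n)
    findings = [f"vty {collapse(nums)}: {text}" for text, nums in issues.items()]
    if len({tuple(cmds) for cmds in vty.values()}) > 1:
        findings.append("vty lines are not configured identically")
    if not re.search(r"^\s*ip ssh version 2\s*$", config, re.M):
        findings.append("global: ip ssh version 2 not set")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(cfg) or "no findings")
```
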

New Member

Basic Router SSH Access

Rick,

Thanks for the explanation.  This is a small company, single IT resource.  Only configured a single local user on the router, No AAA or ACS in place as there is a very limited number of network infrastructure components.

Regarding the ping issue.  This is how I configured the router in order to test the configuration.

Interface     IP Address                    Connected Device                   

Gi0/1         x.x.x.134 /30                  Laptop-1 (x.x.x.133 /30)

Gi0/1         x.x.x.225 /27                  Laptop-2 (x.x.x.226 /27)

Laptop-1 simulates the Internet provider device (Router)

Laptop-2 simulates the firewall connection separating public and private networks

  • Both Laptop-1 and Laptop-2 can ping the other Laptop, which traverses through the router
  • I was able to ping the connected router interface from each Laptop
  • The router can ping each of its interfaces (.134 & .225)
  • The router cannot ping Laptop-1 or Laptop-2

Am I missing a configuration setting with ICMP to allow replies?

Thanks,

Michael

Hall of Fame Super Silver

Basic Router SSH Access

Michael

If each laptop can successfully ping the other laptop then this is good news. It verifies that routing between the networks/subnets is working and it verifies that the laptop firewall software is not blocking ping. So I am quite puzzled why the router can not ping the laptops. There might possibly be an issue in the router config, so perhaps you can post the config for us to check. Also would you post the output of show ip route and the output of show arp from the router?

HTH

Rick

New Member

Basic Router SSH Access

Hi Rick,

Sorry for not responding sooner.  My contract with the customer ended Thursday.  The router config was a last minute request since I had available hours still.  I've moved to a different project, but I still want to resolve or understand why this occurs.

Since I no longer have access to the configs, I used Packet Tracer and created the same setup with 2811 ISRs.  I see the same behavior and am curious to know if I'm not understanding how ICMP works correctly.

When logged into the router via console port, I enter the following commands to ping the locally assigned IP's for the two interfaces, I get the expected results:

******************************************************************************************************************************************

CV_DR_2821#ping x.x.92.133

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/21/32 ms

CV_DR_2821#ping x.x.92.133

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/21/32 ms

******************************************************************************************************************************************

Now if I try to ping either of the directly connected devices, ping fails:

******************************************************************************************************************************************

CV_DR_2821#ping x.x.30.134

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.30.134, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

******************************************************************************************************************************************

From a command prompt on one of the laptops, I'm able to ping the other laptop which goes through the router; so as you have determined as well, routing is functioning.

******************************************************************************************************************************************

Packet Tracer PC Command Line 1.0

PC>ipconfig

IP Address......................: x.x.30.226

Subnet Mask.....................: 255.255.255.224

Default Gateway.................: x.x.30.225

PC>ping x.x.92.134

Pinging x.x.92.134 with 32 bytes of data:

Reply from x.x.92.134: bytes=32 time=9ms TTL=255

Reply from x.x.92.134: bytes=32 time=31ms TTL=255

Reply from x.x.92.134: bytes=32 time=3ms TTL=255

Reply from x.x.92.134: bytes=32 time=1ms TTL=255

Ping statistics for x.x.92.134:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 31ms, Average = 11ms

PC>

******************************************************************************************************************************************

However, if I use extended ping, it works.  See output below.

******************************************************************************************************************************************

CV_DR_2821#ping

Protocol [ip]:

Target IP address: x.x.30.226

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.30.226, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms

CV_DR_2821#ping

Protocol [ip]:

Target IP address: x.x.92.133

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.92.133, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/32 ms

******************************************************************************************************************************************

This is odd behavior to me.  But may just be that in order to use ping or traceroute on an externally connected device, I have to use the extended ping/traceroute command.  And "ping x.x.x.x" only works for an IP address that is configured on an internal interface.

Is my understanding correct?  I hope so as I'm stumped at this point.  I haven't read anywhere that this is the expected operational behavior.

Please let me know your thoughts.

Thank You & Best Regards,

Michael

Hall of Fame Super Silver

Basic Router SSH Access

Michael

It certainly is not the case that you need to use extended ping or traceroute to successfully get to an external device. And even though you use the extended form of ping you did not specify any parameter different from standard ping. So I am pretty confident that standard ping would have worked.

There are a couple of inconsistencies in this post that create some uncertainty in understanding the situation. But I only find one example of a ping that did not work and there is a very simple explanation for that one. Here is the one that did not work

CV_DR_2821#ping x.x.30.134

and the explanation is that 30.134 does not exist in the local subnet. 30.226 would have worked or 92.134 would have worked.

If this solves the issue then I am glad. If something still does not work as you expect then please post again including the output of show ip interface brief, and of show route, as well as any ping that does not work.

HTH

Rick

New Member

Basic Router SSH Access

Rick,

I'll try to clarify as much as possible w/o disclosing the customer's assigned IP address space.  Hope this clears up confusion.

FA0/0 is the transit network interface between the client's router and the provider's device.  Here is how it was configured (subnet mask 255.255.255.252):

  • x.x.92.132 [Network]
  • x.x.92.133 [Provider IP Address - Router or Switchport unknown]
  • x.x.92.134 [Client IP address - Router FA0/0]
  • x.x.92.135 [Broadcast]

FA0/1 is the interface connected to the Outside interface for the customer's firewall.  Here is how it is configured (subnet mask 255.255.255.224):

  • x.x.30.224 [Network]
  • x.x.30.225 [Client IP address - Router FA0/1]
  • x.x.30.226 [Client IP address - Firewall Outside Interface]


interface FastEthernet0/0

description Transit network

ip address x.x.92.134 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet0/1

description Outside network

ip address x.x.30.225 255.255.255.224

duplex auto

speed auto

Michael
