Re: config for new router - Page 2

itsmetaso · ‎02-18-2012

I bought a new router I am having trouble configuring. I am including the config for the new router and the old router that I am currently using. I replaced my ip address with 99.999.999.99. I would appreciate any help as to what I am doing wrong I'm not that familiar with networking.

NEW ROUTER
Building configuration...

Current configuration : 4963 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-525585330
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-525585330
revocation-check none
rsakeypair TP-self-signed-525585330
!
!
crypto pki certificate chain TP-self-signed-525585330
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35323535 38353333 30301E17 0D393330 33303130 30303034
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4363 72746966 69636174 652D3532 35353835
33333020 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9DD3F71D 66FBCBCA 77E853E1 641EB2BE 4A6D97A7 8169081D 8423A7F7 FA3CEF93
256CE7FC DA15A0DD 8042E40D D90D1DD4 AC666956 533D7B83 5F32D9FD 585F1278
1718C435 78FE255F CCEE3005 B4422AAA B1AC8317 15BC1BDF 99ECF344 96D69FFD
EF7CBAC4 94CFD8E9 35A166F4 3B223A84 EDD7642E 0191DCFD 775B8D31 84F7612F
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821763 6973636F 3836312E 796F7572 646F6D61 696E2E63 6F6D301F
0603551D 23041830 16801471 9DE4ECA9 60650E3F EDA2A0E1 70881C03 964D0830
1D060355 1D0E0416 0414719D E4ECA060 650E3FED A2A0E170 881C0396 4D08300D
06092A86 4886F70D 01010405 00038181 00300F37 1DE53839 D5161E12 1B973CAF
1543141D 77C6B1F7 B8C25FD9 C11D2724 5840F1AF 260B2C44 2367171A D155254A
7563F1FC ACFE1A85 879D7E56 0DE86DDD 6050D9B2 6CE318B8 CDB31C79 61FC4DC9
DA080F14 5123D58B 9B47A66A 1DFD173F E5FF8924 B75A2535 2C2F0575 5E665E61
4D099519 4C7A1875 E979C4B8 C5E64B53 28
   quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
license udi pid CISCO861-K9 sn FTX151500JL
!
!
username admin privilege 15 secret 5 $1$T0..$OCK4MPkiofZWFy.h43X0k1
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 99.999.999.99 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.30.254.240 255.255.0.0
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run

!
control-plane
!
alias exec sr show run
alias exec s show ip int br
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

cisco861#

OLD ROUTER

show running-config
Building configuration...

Current configuration : 3810 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nmm831
!
logging monitor errors
enable secret 5 FAKECHARACTERS
enable password FAKECHARACTERS
!
username admin privilege 15 secret 5 FAKECHARACTERS
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description Internal Lan$ETH-LAN$$FW_INSIDE$
ip address 172.30.254.240 255.255.0.0
ip access-group 104 in
ip access-group sdm_ethernet0_out out
ip nat inside
!
interface Ethernet1
description ISP$FW_OUTSIDE$
ip address 99.999.999.99 255.255.255.252
ip access-group 105 in
ip access-group sdm_ethernet1_out out
ip verify unicast reverse-path
ip nat outside
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
ip nat inside source list 100 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.999.999.98 permanent
ip route 10.4.2.0 255.255.255.0 172.30.254.3
ip route 172.29.0.0 255.255.0.0 172.30.254.254 permanent
ip route 172.31.0.0 255.255.0.0 172.30.254.252 permanent
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended sdm_ethernet0_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_ethernet1_out
remark SDM_ACL Category=1
permit ip any any
logging facility local1
logging 172.30.1.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 96.56.206.0 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 172.29.254.0 0.0.0.255 any
access-list 101 permit icmp any host 96.56.206.2 echo-reply
access-list 101 permit icmp any host 96.56.206.2 time-exceeded
access-list 101 permit icmp any host 96.56.206.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip any any log
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 99.999.999.97 0.0.0.3 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit icmp any any
access-list 105 permit ip any any
access-list 105 deny   ip any any log
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password FAKECHARACTERS
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

nmm831#

viswamin · ‎02-26-2012

Just curious.

I hope the interface fa4 is connected to the outside world. But is the IP configured correctly?? or is it just a typo??

interface FastEthernet4

ip address 99.999.999.99 255.255.255.252

ip access-group 105 in

ip access-group sdm_ethernet1_out out

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

-Vijay

itsmetaso · ‎02-28-2012

I purposefully put all 9's to cover my ip address. I put 99.999.999.98 for one of the ip route statements b/c the original config has my current ip address -1 and 99.999.999.97 for one of the remark statements b/c on the orignal it has my ip-2

Jason Dance · ‎02-27-2012

Hi Taso.

Did the debug show anything?

-Jason

itsmetaso · ‎02-28-2012

I haven't tried it yet. I have users who are here real early and some who do leave until late and I cant disconnect my current router until the office is empty. I will probably have to come in on the weekend to try.

Jason Dance · ‎02-28-2012

You don't have to have an internet connection to try it, just connect a host to FA0 - FA3 and configure a valid ip address, make sure the port you connect to is on vlan 1, enable the debug, and attempt to ping something on the outside. The debug should hopefully show nat translations taking place, even though the ping will be unsuccessful.

itsmetaso · ‎03-01-2012

I see on the consol IP NAT Debugging is on. I pinged yahoo.com and I didnt see anything else after IP NAT Debugging is on

Jason Dance · ‎03-01-2012

Ok. I don't see some of the basics in the rest of this conversation so lets start with them.

What is the IP address, subnet mask, and default gateway of the PC connected to FA0-FA3?

From that PC, can you ping 172.30.254.240?

-Jason

jimmysands73_2 · ‎03-01-2012

I hear that Jason...can I get a ping to the gateway please? lol

itsmetaso · ‎03-02-2012

From that pc i can't ping 172.30.254.240 i get request timed out.

PC is using:

IP -> 172.30.4.21

Subnet mask -> 255.255.255.0

Default Gateway -> 172.30.254.3

Mandlenkosi Nkiwane · ‎03-02-2012

How come your Default Gateway and the PC ip are in different subnets?

Maybe you should change your subnet mask ont he PC to 255.255.0.0

Jason Dance · ‎03-02-2012

According to the config you posted, you will need to set your PC details to:

IP -> 172.30.4.21

Subnet mask -> 255.255.0.0 <=CHANGED!

Default Gateway -> 172.30.254.240 <=CHANGED!

Please make these changes on the PC, verify that you can ping 172.30.254.240, and then repeat the debug nat + ping outside host test.

-Jason

itsmetaso · ‎03-02-2012

I am now getting Reply from 172.30.254.240: Destination host unreachable. This is the same message i got when i temporarily swapped the new router in. On my office pc my current ipconfig shows:

default gateway: 172.30.254.3

subnet mask: 255.255.0.0

I'm gonna do a new show running config on my current 831 router not sure why the gateway doesnt match

itsmetaso · ‎03-02-2012

When I ping 172.30.254.240 from my office computer I get a response. I think that is the ip address of the switch that my current router is connected to. the description reads: description Internal Lan$ETH-LAN$$FW_INSIDE$

from the running config.

Jason Dance · ‎03-02-2012

Correct. The default gateway on your office PC is set to 172.30.254.240, correct?

If so, thats what you need to change the default gateway on the PC connected to the new router. Don't forget to correct the subnet mask on this computer also, it needs to match the mask assigned to vlan 1 on the new router.

itsmetaso · ‎03-02-2012

The default gateway on my office pc is 172.30.254.3