New Member

Help with Router Reconfigure.....

I have limited knowledge of Cisco routers. I understand simple point-to-point single T1 configs on 2600s, but I have a more complicated setup I need to deal with on a 3600. The config is this:

ip subnet-zero

!

!

no ip finger

ip name-server 205.214.51.16

ip name-server 205.21

!

!

!

crypto isakmp policy 1

authentication pre-share

crypto xxxx key xxxx address xxxxx

crypto xxx key xxx address xxxx

!

!

crypto ipsec transform-set gbi esp-des esp-md5-hmac

!

crypto map gbivpn 1 ipsec-isakmp

set peer 12.38.129.82

set transform-set gbi

match address 110

!

call rsvp-sync

cns event-service server

!

!

!

!

!

!

!

!

interface Tunnel1

ip address 192.168.50.2 255.255.255.252

tunnel source Ethernet0/1

tunnel destination 12.38.129.82

crypto map gbivpn

!

interface Ethernet0/0

ip address 10.0.0.5 255.255.0.0

ip nat inside

half-duplex

!

interface Ethernet0/1

ip address 68.213.209.44 255.255.255.248

ip nat outside

no ip route-cache

no ip mroute-cache

half-duplex

crypto map gbivpn

!

!

router eigrp 1

network 10.0.0.0 0.0.255.255

network 192.168.50.0

no auto-summary

no eigrp log-neighbor-changes

!

ip kerberos source-interface any

ip nat inside source route-map nonat interface Ethernet0/1 overload

ip nat inside source static udp 10.0.0.30 4900 65.82.190.154 4900 extendable

ip nat inside source static udp 10.0.0.30 4901 65.82.190.154 4901 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 68.213.209.41

ip route 161.15.0.0 255.255.0.0 65.82.190.153

ip route 162.15.0.0 255.255.0.0 65.82.190.153

ip route 162.66.0.0 255.255.0.0 65.82.190.153

ip route 170.16.0.0 255.255.0.0 65.82.190.153

ip route 192.168.12.0 255.255.254.0 Tunnel1

ip route 192.168.50.1 255.255.255.255 65.82.190.153

ip route 192.216.177.0 255.255.255.0 65.82.190.153

ip route 198.178.33.0 255.255.255.0 65.82.190.153

ip route 198.178.47.0 255.255.255.0 65.82.190.153

no ip http server

!

!

!

!

!

!

!

!

!

access-list 110 permit gre host 65.82.190.154 host 12.38.129.82

access-list 111 permit ip 10.0.0.0 0.0.255.255 any

access-list 120 deny ip 10.0.0.0 0.0.255.255 172.20.252.0 0.0.3.255

access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.8.0 0.0.0.255

access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.9.0 0.0.0.255

access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255

access-list 120 deny ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.254.0

access-list 120 permit ip 10.0.0.0 0.0.255.255 any

route-map nonat permit 10

match ip address 120

!

!

!

dial-peer cor custom

!

!

!

!

!

The VPN is dead; the office it talked to is long gone, and the unit is running NAT.

I want to leave the 10.0.0.5 address alone, but I need to change the IP on the outside interface away from 68.213.209.44 (slow DSL line) to the new T1 address of 63.172.166.154/255.255.255.248.

I am unsure of the commands I need to enter and I am unsure of the commands I need to enter to update the static routes...

Can someone help?

I am also unsure of why the name server/DNS info is also in the config.

Thanks, James

6 REPLIES

Re: Help with Router Reconfigure.....

You won't need any of the IPsec (VPN) commands if the VPN is no longer used.

To remove the commands, use the no form of the command under the appropriate router mode.

Router>enable

Router#configure terminal

Router(config)# no ===== removes the command from the config.

Router(config)#no crypto isakmp policy 1

Router(config)#no crypto isakmp key cisco123 address 167.206.105.38

Router(config)#no crypto isakmp key cisco123 address 12.38.129.82

Router(config)#no crypto ipsec transform-set gbi esp-des esp-md5-hmac

Router(config)#no crypto map gbivpn 1 ipsec-isakmp

Router(config)#int tunnel 1

Router(config-if)#no crypto map gbivpn

Router(config-if)#int e0/1

Router(config-if)#no crypto map gbivpn

The above will remove the VPN configs. Repeat the same on the other end to remove the VPN configs.

Do you have a serial interface on the router onto which the T1 line is terminated? If so, configure the new IP address on that serial interface.

Router(config)#interface serial 0

Router(config-if)#no shut

Router(config-if)#ip address 63.172.166.154 255.255.255.248

To remove a previously entered static route, just copy the command from the config and paste it into HyperTerminal with a "no" keyword in front.

Router(config)#no ip route

To add a route use the above command with the "no" removed. When you specify the gateway, specify the remote end ip address as your gateway.

Bronze

Re: Help with Router Reconfigure.....

To further clean up the vpn, you can also remove the tunnel, the static route and the access list that were used:

no ip route 192.168.12.0 255.255.254.0 Tunnel1

no access-list 110

no interface Tunnel1

New Member

Re: Help with Router Reconfigure.....

The T1 is already terminated in a 2600 that I configured a few days ago. This router only has Ethernet interfaces. The T1 is running and passing packets. There are 3 other private lines that run into 2600s that sit in front of the 3600. The 3600 does NAT so the PCs only see one gateway, but depending on who they want to talk to, the 3600 takes the route it needs.

There is no way for me to remove the VPN from the other side. That office has been closed for 14 months, and the router is long gone...

Gold

Re: Help with Router Reconfigure.....

First, the easy question: The name server is in the configuration so the router can resolve host names for various commands. Now, as to the rest.....

Is the nat running towards the internet? I assume it is, so you need to keep running that, correct? Instead of connecting to the internet through e0/1, you want to connect through some serial port, which is to be connected to some isp, I think?

So, if this is the case, you can:

-- Remove the crypto map with no crypto isakmp policy 1.

-- Remove the crypto transform stuff with no crypto ipsec transform-set gbi esp-des esp-md5-hmac.

-- Remove the other crypto map with no crypto map gbivpn 1 ipsec-isakmp.

-- Remove the interface tunnel1, with no int tunnel1.

-- Remove the crypto information from e0/1, with no crypto map gbivpn under ethernet 0/1 configuration mode.

-- Remove access-list 110, no access-list 110.

-- Do no ip kerberos source-interface any.

-- Do no ip route 192.168.12.0 255.255.254.0 Tunnel1.

-- Remove access list 111, I don't see it being used anyplace?

I think there are probably a couple of other static routes you can kill as well, but I don't know with this much information. I'm not certain what 65.82.190.153 is, or what those static routes using that address could be? My impression is that must be the IP address on the other end of the DSL link someplace (?). If that's so, then:

-- Remove all the static routes that point to 65.82.190.153 as their next hops.

-- Add them back, with their next hops pointing to the new serial interface (serial ).

Now, the second part--where is this serial link to be connected? Is it to some device that is still connected off of e0/1, or is there a serial port on this router that we don't see? I'll assume there's a serial port on this router we don't see? If so:

-- Add the ip address to the serial port, 63.172.166.154 255.255.255.248.

-- Remove ip nat inside source route-map nonat interface Ethernet0/1 overload, by doing a no.

-- Add ip nat inside source route-map nonat interface serial overload.

-- Remove ip nat inside source static udp 10.0.0.30 4900 65.82.190.154 4900 extendable.

-- Add ip nat inside source static udp 10.0.0.30 4900 63.172.166.155 4900 extendable

-- Remove ip nat inside source static udp 10.0.0.30 4901 65.82.190.154 4901 extendable.

-- Add ip nat inside source static udp 10.0.0.30 4901 63.172.166.155 4901 extendable.

-- Remove ip route 0.0.0.0 0.0.0.0 68.213.209.41.

-- Add ip route 0.0.0.0 0.0.0.0 serial .

I think that's the steps you'd need to take, just typing them up off the top of my head.

Russ.W
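
A way to check the clean-up steps listed above against the posted config before entering any `no` commands, as an added example that is not part of the original thread. The function names are hypothetical, the embedded config is an excerpt of the one posted at the top, and the list of ACL-referencing commands is a common subset rather than a complete one.

```python
import re
from collections import defaultdict

# Excerpt of the running-config posted at the top of this thread (indentation restored).
CONFIG = """\
crypto map gbivpn 1 ipsec-isakmp
 set peer 12.38.129.82
 match address 110
interface Tunnel1
 tunnel destination 12.38.129.82
 crypto map gbivpn
interface Ethernet0/1
 crypto map gbivpn
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 68.213.209.41
ip route 161.15.0.0 255.255.0.0 65.82.190.153
ip route 192.168.12.0 255.255.254.0 Tunnel1
ip route 198.178.47.0 255.255.255.0 65.82.190.153
access-list 110 permit gre host 65.82.190.154 host 12.38.129.82
access-list 111 permit ip 10.0.0.0 0.0.255.255 any
access-list 120 permit ip 10.0.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 120
"""

# Commands that reference a numbered ACL (assumed subset, not exhaustive).
ACL_REF = re.compile(r"^\s*(?:match (?:ip )?address|ip access-group|access-class)\s+(\d+)", re.M)
ACL_DEF = re.compile(r"^access-list\s+(\d+)\s", re.M)
ROUTE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)", re.M)

def unused_acls(config):
    """ACL numbers that are defined but referenced by no command in ACL_REF."""
    return sorted(set(ACL_DEF.findall(config)) - set(ACL_REF.findall(config)), key=int)

def routes_by_next_hop(config):
    """Map each next hop (address or interface) to the prefixes routed through it."""
    hops = defaultdict(list)
    for prefix, mask, hop in ROUTE.findall(config):
        hops[hop].append(f"{prefix} {mask}")
    return dict(hops)

def lines_mentioning(config, token):
    """Config lines that still mention a decommissioned object (peer, map, tunnel)."""
    return [ln.strip() for ln in config.splitlines() if token in ln.split()]

if __name__ == "__main__":
    print("unused ACLs:", unused_acls(CONFIG))
    print("routes by next hop:", routes_by_next_hop(CONFIG))
    print("dead VPN peer still referenced in:", lines_mentioning(CONFIG, "12.38.129.82"))
```

Run it against the full `show running-config` output again after the changes: the dead peer and `gbivpn` should no longer appear in any line, and no route should remain on a next hop that has been retired.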

New Member

Re: Help with Router Reconfigure.....

Yes, the NAT is running towards the Internet, but the part I think everyone is missing is the fact that there are no serial interfaces in this 3600, only Ethernet. The 10.0.0.5 is the gateway that every client sees in the office. The Ethernet interface with the valid IP on the outside is an IP that belongs to the DSL pipe. THE T1 DOES NOT COME INTO THIS ROUTER. It is currently connected to a 2600 with IP of 63.172.166.153...

All I really need to do is replace the IP on the outside of the NAT with an IP of 63.172.166.154/255.255.255.248

and update my static routes... OR AM I OVERSIMPLIFYING THIS AND I NEED HELP?

Silver

Re: Help with Router Reconfigure.....

I think that all you need to do is to point your Internet traffic to the new T1, so you will not need to change the NAT config. All you need to do is remove your current route to 0.0.0.0 and add one that points to the next hop from the 3600 to the 2600.

If the 2600 connects to the 3600 via an Ethernet segment and the IP of e0 on the 2600 is 10.1.1.1, then add the route

ip route 0.0.0.0 0.0.0.0 10.1.1.1

This will forward all your traffic to the 2600.

You need to do the same thing on the 2600: you need to add a static route that directs the traffic to your clients to the e0 of the 3600.

If the e0 on the 3600 is 10.1.1.2 and the NAT you are using is 163.38.50.1, then add a route

ip route 163.38.50.1 255.255.255.255 10.1.1.2

This will direct the traffic coming back to the clients that sit behind the 3600.
