I have limited knowledge of Cisco routers. I understand simple point-to-point single T1 configs on 2600s, but I have a more complicated setup I need to deal with on a 3600. The config is this:
no ip finger
ip name-server 126.96.36.199
ip name-server 205.21
crypto isakmp policy 1
crypto xxxx key xxxx address xxxxx
crypto xxx key xxx address xxxx
crypto ipsec transform-set gbi esp-des esp-md5-hmac
crypto map gbivpn 1 ipsec-isakmp
set peer 188.8.131.52
set transform-set gbi
match address 110
cns event-service server
ip address 192.168.50.2 255.255.255.252
tunnel source Ethernet0/1
tunnel destination 184.108.40.206
crypto map gbivpn
ip address 10.0.0.5 255.255.0.0
ip nat inside
ip address 220.127.116.11 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map gbivpn
router eigrp 1
network 10.0.0.0 0.0.255.255
no eigrp log-neighbor-changes
ip kerberos source-interface any
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip nat inside source static udp 10.0.0.30 4900 18.104.22.168 4900 extendable
ip nat inside source static udp 10.0.0.30 4901 22.214.171.124 4901 extendable
ip route 0.0.0.0 0.0.0.0 126.96.36.199
ip route 188.8.131.52 255.255.0.0 184.108.40.206
ip route 220.127.116.11 255.255.0.0 18.104.22.168
ip route 22.214.171.124 255.255.0.0 126.96.36.199
ip route 188.8.131.52 255.255.0.0 184.108.40.206
ip route 192.168.12.0 255.255.254.0 Tunnel1
ip route 192.168.50.1 255.255.255.255 220.127.116.11
ip route 18.104.22.168 255.255.255.0 22.214.171.124
ip route 126.96.36.199 255.255.255.0 188.8.131.52
ip route 184.108.40.206 255.255.255.0 220.127.116.11
no ip http server
access-list 110 permit gre host 18.104.22.168 host 22.214.171.124
access-list 111 permit ip 10.0.0.0 0.0.255.255 any
access-list 120 deny ip 10.0.0.0 0.0.255.255 172.20.252.0 0.0.3.255
access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.9.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.254.0
access-list 120 permit ip 10.0.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 120
dial-peer cor custom
The VPN is dead... the office it talked to is long gone... and the unit is running NAT.
I want to leave the 10.0.0.5 address alone, but I need to change the IP on the outside interface away from 126.96.36.199 (slow DSL line) to the new T1 address of 188.8.131.52/255.255.255.248
I am unsure of the commands I need to enter and I am unsure of the commands I need to enter to update the static routes...
Can someone help?
I am also unsure of why the Name server /DNS info is also in the config.
You won't need any of the IPsec (VPN) commands if the VPN is no longer used.
To remove the commands, use the no form of the command under the appropriate router mode.
Router(config)#no crypto isakmp policy 1
Router(config)#no crypto isakmp key cisco123 address 184.108.40.206
Router(config)#no crypto isakmp key cisco123 address 220.127.116.11
Router(config)#no crypto ipsec transform-set gbi esp-des esp-md5-hmac
Router(config)#no crypto map gbivpn 1 ipsec-isakmp
Router(config)#int tunnel 1
Router(config-if)#no crypto map gbivpn
Router(config-if)#int ethernet 0/1
Router(config-if)#no crypto map gbivpn
The above will remove the VPN configs. Repeat the same on the other end to remove the VPN configs.
Do you have a serial interface on the router onto which the T1 line is terminated? If so, configure the new IP address on that serial interface.
Router(config)#interface serial 0
Router(config-if)#ip address 18.104.22.168 255.255.255.248
To remove a previously entered static route, just copy the command from the config and paste it into HyperTerminal with a "no" keyword in front.
Router(config)#no ip route
To add a route use the above command with the "no" removed. When you specify the gateway, specify the remote end ip address as your gateway.
To further clean up the vpn, you can also remove the tunnel, the static route and the access list that were used:
no ip route 192.168.12.0 255.255.254.0 Tunnel1
no access-list 110
no interface Tunnel1
The T1 is already terminated in a 2600 that I configured a few days ago. This router only has Ethernet interfaces. The T1 is running and passing packets. There are 3 other private lines that run into 2600s that sit in front of the 3600. The 3600 does NAT so the PCs only see one gateway, but depending on who they want to talk to, the 3600 takes the route it needs.
There is no way for me to remove the VPN from the other side. That office has been closed for 14 months, and the router is long gone...
First, the easy question: The name server is in the configuration so the router can resolve host names for various commands. Now, as to the rest.....
Is the nat running towards the internet? I assume it is, so you need to keep running that, correct? Instead of connecting to the internet through e0/1, you want to connect through some serial port, which is to be connected to some isp, I think?
So, if this is the case, you can:
-- Remove the crypto map with no crypto isakmp policy 1.
-- Remove the crypto transform stuff with no crypto ipsec transform-set gbi esp-des esp-md5-hmac.
-- Remove the other crypto map with no crypto map gbivpn 1 ipsec-isakmp.
-- Remove the interface tunnel1, with no int tunnel1.
-- Remove the crypto information from e0/1, with no crypto map gbivpn under ethernet 0/1 configuration mode.
-- Remove access-list 110, no access-list 110.
-- Do no ip kerberos source-interface any.
-- Do no ip route 192.168.12.0 255.255.254.0 Tunnel1.
-- Remove access list 111, I don't see it being used anyplace?
I think there are probably a couple of other static routes you can kill as well, but I don't know with this much information. I'm not certain what 22.214.171.124 is, or what those static routes using that address could be? My impression is that must be the IP address on the other end of the DSL link someplace (?). If that's so, then:
-- Remove all the static routes that point to 126.96.36.199 as their next hops.
-- Add them back, with their next hops pointing to the new serial interface (serial
Now, the second part--where is this serial link to be connected? Is it to some device that is still connected off of e0/1, or is there a serial port on this router that we don't see? I'll assume there's a serial port on this router we don't see? If so:
-- Add the ip address to the serial port, 188.8.131.52 255.255.255.248.
-- Remove ip nat inside source route-map nonat interface Ethernet0/1 overload, by doing a no.
-- Add ip nat inside source route-map nonat interface serial
-- Remove ip nat inside source static udp 10.0.0.30 4900 184.108.40.206 4900 extendable.
-- Add ip nat inside source static udp 10.0.0.30 4900 220.127.116.11 4900 extendable
-- Remove ip nat inside source static udp 10.0.0.30 4901 18.104.22.168 4901 extendable.
-- Add ip nat inside source static udp 10.0.0.30 4901 22.214.171.124 4901 extendable.
-- Remove ip route 0.0.0.0 0.0.0.0 126.96.36.199.
-- Add ip route 0.0.0.0 0.0.0.0 serial
I think that's the steps you'd need to take, just typing them up off the top of my head.
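As an added example (not part of the original thread or any poster's reply), the checks listed above can be run mechanically over a saved `show running-config` before anything is deleted. The Python below assumes the config's indentation is intact; the sample is constructed with documentation-range addresses, and the function name `audit` and its `retired` argument are hypothetical.

```python
import re
# Constructed sample shaped like the posted config; every address is from a
# documentation range, not a value taken from the thread.
SAMPLE = """\
crypto ipsec transform-set gbi esp-des esp-md5-hmac
crypto map gbivpn 1 ipsec-isakmp
 match address 110
interface Tunnel1
 crypto map gbivpn
interface Ethernet0/1
 ip nat outside
 crypto map gbivpn
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 172.16.0.0 255.255.0.0 203.0.113.1
ip route 192.168.12.0 255.255.254.0 Tunnel1
access-list 110 permit gre host 203.0.113.2 host 198.51.100.9
access-list 111 permit ip 10.0.0.0 0.0.255.255 any
access-list 120 permit ip 10.0.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 120
"""

ACL_REF = re.compile(r"(?:match (?:ip )?address|ip access-group|access-class|source list) (\d+)")

def audit(config, retired):
    """Report VPN leftovers, orphaned ACLs and routes via retired next hops."""
    defined, vpn_refs, other_refs = set(), set(), set()
    crypto_ifaces, routes, weak, section = [], [], [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # unindented command opens a new section
            section = line
        if m := re.match(r"access-list (\d+) ", line):
            defined.add(m.group(1))
        elif m := ACL_REF.search(line):   # reference made from inside a crypto map?
            (vpn_refs if section.startswith("crypto map") else other_refs).add(m.group(1))
        if line.startswith("crypto map") and section.startswith("interface"):
            crypto_ifaces.append(section.split()[1])
        if "transform-set" in line and re.search(r"esp-des\b|md5", line):
            weak.append(line)             # single DES / HMAC-MD5 are legacy algorithms
        if line.startswith("ip route") and retired.intersection(line.split()[4:]):
            routes.append("no " + line)   # next hop or exit interface is retired
    return {"crypto_map_on": crypto_ifaces, "weak_transforms": weak,
            "acls_only_used_by_vpn": sorted(defined & (vpn_refs - other_refs)),
            "acls_unreferenced": sorted(defined - vpn_refs - other_refs),
            "routes_to_remove": routes}
```

Call it as `audit(SAMPLE, {"203.0.113.1", "Tunnel1"})`; the returned `routes_to_remove` entries are the `no ip route` lines to review, not to paste blindly.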
Yes, the NAT is running towards the Internet, but the part I think everyone is missing is the fact that there are no serial interfaces in this 3600... only Ethernet. The 10.0.0.5 is the gateway that every client sees in the office. The Ethernet interface with the valid IP on the outside is an IP that belongs to the DSL pipe. THE T1 DOES NOT COME INTO THIS ROUTER. It is currently connected to a 2600 with IP of 188.8.131.52...
All I really need to do is replace the IP on the outside of the NAT with an IP of 184.108.40.206/255.255.255.248
and update my static routes... OR AM I OVERSIMPLIFYING THIS AND I NEED HELP?
I think that all you need to do is to point your internet traffic to the new T1, so you will not need to change the NAT config. All you need to do is remove your current route to 0.0.0.0 and add one that points to the next hop from the 3600 to the 2600.
If the 2600 connects to the 3600 via an Ethernet segment and the IP of e0 on the 2600 is 10.1.1.1, then add the route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
This will forward all your traffic to the 2600.
You need to do the same thing on the 2600: you need to add a static that directs the traffic to your clients to the e0 of the 3600.
If the e0 on the 3600 is 10.1.1.2 and the NAT you are using is 220.127.116.11, then add a route
ip route 18.104.22.168 10.1.1.2
This will direct the traffic coming back to the clients that sit behind the 3600.