07-10-2006 08:24 AM - edited 03-03-2019 01:17 PM
I have an 837 ADSL router. I'd like to get the VPN server going as advertised on the SDM. Currently it is telling me the IOS does not support VPN Server. Memory being an issue, can anyone tell me which IOS I could use that will support this and take up the least amount of memory?
Also if anyone has good links for setting up easyVPN Server they would be much appreciated.
Regards
J Mac
07-10-2006 11:36 PM
Could anyone kindly give me some info on this?
07-11-2006 12:19 AM
Hi johnnymac,
If it is easy VPN server you want to use... then check your IOS version. (show version)
Post your show version here and we will see if your IOS supports easy VPN.
Thanks
Stephen
07-11-2006 02:27 AM
Cisco IOS Software, C837 Software (C837-K9O3Y6-M), Version 12.3(4)T6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 05-May-04 21:41 by eaarmas
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
Router uptime is 2 hours, 47 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.123-4.T6.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco C837 (MPC857DSL) processor (revision 0x500) with 44237K/4915K bytes of memory.
Processor board ID AMB0828054T (588535814), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
Many Thanks
07-11-2006 03:47 AM
Firstly, two good links for configuring easyVPN
Now, it appears that your IOS supports easyVPN; you can check this here: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Can you post the exact error that SDM gives you? Also, can you post the version of SDM that you are using?
Thanks
Stephen
07-11-2006 03:48 AM
Sorry, here is the second link
http://www.cisco.com/en/US/products/ps6635/products_data_sheet09186a00801541d5.html
07-11-2006 05:24 AM
Thanks for all your help.
I'm running SDM version 2.0.
This is the error I get:
Easy VPN Server and related features unavailable
The IOS image in your router does not support the requested feature. To configure this feature, you need to go to the Software Center on Cisco.Com and upgrade you IOS Image to one that supports this feature set.
Here is the flash content. I wonder if anything is amiss here?
System flash directory:
File Length Name/status
1 6305272 c837-k9o3y6-mz.123-4.T6.bin
2 16264 sdm.shtml
3 16264 sdm.shtml.hide
4 1462 home.html.hide
5 1463 home.html
6 1613 sdmconfig-83x.cfg
7 93095 attack-drop.sdf
8 270848 home.tar
9 1187840 ips.tar
10 3883008 sdm.tar
11 5272 conf
[11783112 bytes used, 537656 available, 12320768 total]
12288K bytes of processor board System flash (Read/Write)
07-12-2006 12:14 AM
Any Ideas?
07-12-2006 01:43 AM
Hi,
I think you may want to use SDM v2.3. This is the latest SDM.
http://www.cisco.com/en/US/products/sw/secursw/ps5318/index.html
But you need a CCO account with correct privileges to download it.
Also try upgrading the image on your router to a 'plus image'. This is always denoted with an 's' in the image name, i.e.
c837-k9o3sy6-mz.123-8.T8.bin
Note how it differs slightly from your image name. Again, you need to have a CCO account with correct privileges to download.
You can also buy the Plus image from your distributor.
I hope this helps
Regards
Stephen
07-12-2006 03:01 AM
Hi,
Thanks again for your help. I've got the latest SDM and a plus IOS; unfortunately I can't tftp it all as I don't have enough memory. I tried to get 12.2.8(T) from Cisco but they don't seem to offer it any more. I guess we're going to have to buy a new router.
I need an ADSL router for a small office of around 10-15 people that will terminate VPNs for 4-5 staff. I read some info on the 871; would that be a good choice?
Cheers
J Mac
07-12-2006 03:24 AM
Hey,
Here is the trick with the 837's and uploading a new image.
First delete all files in flash:
#del flash:(filename)
Do this with all files,
then
# squeeze flash
When this is done DO NOT reset the router. Use tftp to upload the image to the router.
#copy tftp flash
etc...
When the new image is uploaded you may then restart the router for the new image to take effect.
If the 12.2.8(T), just download the latest, but use one where the file size is about 6-8 Megs. Take up too much flash and you risk the router bottoming out.
Also, with the latest SDM, I am not in the habit of installing SDM on the router. It takes up flash space and it may be a security risk.
With the new SDM installer you can install SDM on your laptop. This will then allow you to connect to a router that supports SDM without having it installed on the router.
Now!!! An 871 is not an ADSL router... it is an Ethernet router. You may connect its Ethernet WAN port to an ADSL modem/bridge.
I hope this helps. Let me know if I can be of any more assistance.
Regards
Stephen
07-12-2006 05:49 AM
Stephen thanks a lot, this works great. VPN Server is accessible on the SDM. Have an up to date config etc.
If I could be cheeky and ask one more thing: I tftp'd in the previous config,
!username admin password 7 xxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
no ip domain lookup
ip name-server 195.92.195.95
ip name-server 195.92.195.94
ip dhcp excluded-address 192.168.2.254
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool CLIENT
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 195.92.195.95 195.92.195.94
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
ip address 81.xxx.xxx.xxx 255.255.255.248
ip access-group 112 in
ip mtu 1452
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx.btclick.com
ppp chap password 7 xxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxx.btclick.com password 7 xxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.3 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.2.3 5632 interface Dialer1 5632
ip nat inside source static tcp 192.168.2.3 5631 interface Dialer1 5631
ip nat inside source static tcp 192.168.2.2 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.9.0.0 255.255.255.0 192.168.2.253
no ip http server
no ip http secure-server
!
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 212.135.216.64 0.0.0.15
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 deny ip 192.168.2.0 0.0.0.255 any
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any unreachable
access-list 112 permit tcp any host 81.138.200.254 eq smtp
access-list 112 permit tcp any host 81.138.200.254 eq 5631
access-list 112 permit udp any host 81.138.200.254 eq 5632
access-list 112 permit tcp any host 81.138.200.254 eq 3389
access-list 112 permit ip 212.135.216.64 0.0.0.15 any
access-list 112 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 xxxxxxxxxxxx
login local
length 0
!
scheduler max-task-time 5000
!
end
But when I do that I can no longer access the SDM; I can ping and telnet to the router.
The E-message is either
router not reachable
or
Http/https needs to be enabled.
Could you give me any pointers on this?
Thanks Again
J Mac
07-13-2006 12:17 AM
Any thoughts?
07-13-2006 01:50 AM
Hey JMac,
No problem to help.... Looks like you have two things slightly amiss in your config.
First, under your default route, you have the 'no ip http server' command. You need to enable it by going to global config mode and typing 'ip http server'.
Leave 'no ip http secure-server' alone. Also you should set an access rule on the HTTP access to the box.
ip http access-class 2 (I think)
!
access-list 2 permit 192.168.0.0 0.0.0.255
The other thing is that I personally always set the user account to have privilege level 15:
username admin privilege 15 password XXXXXXX
I can't remember if this directly affects SDM access, but IMO it is good practice.
Hope this helps.
Stephen
PS are you Irish?
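The three settings named in the reply above (HTTP server enabled, an access-class on it, a privilege 15 user) can be checked against a saved config before it is loaded. This is an added example, not part of the thread: the function names and the sample config are constructed, the sample reuses the thread's LAN addressing and the suggested HTTP lines, and only standard numbered ACLs are handled.

```python
import ipaddress
import re

# Constructed sample: the thread's LAN addressing plus the HTTP lines suggested above.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 xxxxxxxx
ip http server
ip http access-class 2
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
access-list 2 permit 192.168.0.0 0.0.0.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def acl_permits(config, acl, host):
    """Evaluate a standard numbered ACL for one source address (first match wins)."""
    entry = re.compile(
        rf"^access-list {acl} (permit|deny) (?:host )?(\S+)(?: (\S+))?", re.M | re.I)
    for action, net, wildcard in entry.findall(config):
        if net.lower() != "any":
            # A bare address or "host x" has an implied wildcard of 0.0.0.0.
            care = ~(_ip(wildcard) if wildcard[:1].isdigit() else 0) & 0xFFFFFFFF
            if (_ip(host) ^ _ip(net)) & care:
                continue  # differs in a bit the wildcard says must match
        return action.lower() == "permit"
    return False  # implicit "deny any" at the end of every ACL

def sdm_access_findings(config, client_ip):
    """List what would stop a browser-based tool at client_ip reaching the router."""
    findings = []
    lines = {line.strip().lower() for line in config.splitlines()}
    if not lines & {"ip http server", "ip http secure-server"}:
        findings.append("HTTP/HTTPS server is not enabled")
    match = re.search(r"^ip http access-class (\d+)", config, re.M | re.I)
    if match is None:
        findings.append("HTTP server has no access-class restriction")
    elif not acl_permits(config, match.group(1), client_ip):
        findings.append(f"access-list {match.group(1)} does not permit {client_ip}")
    if not re.search(r"^username \S+ privilege 15 ", config, re.M | re.I):
        findings.append("no privilege 15 local user")
    return findings

if __name__ == "__main__":
    for finding in sdm_access_findings(SAMPLE_CONFIG, "192.168.2.10"):
        print(finding)
```

On the constructed sample the only finding is that access-list 2 does not permit 192.168.2.10, because 192.168.0.0 with wildcard 0.0.0.255 covers 192.168.0.x only.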
07-13-2006 03:42 AM
Hi,
No English.
I tried the above commands, which went in fine, but I'm still getting the same message. Any other ideas?
Regards
J mac