cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
648
Views
5
Helpful
0
Replies

Cisco c897 running config

Luca Pecchiari
Beginner
Beginner

Hello guys,

 

i have looked for cisco VDSL ppoe config over internet they are always incomplete or with "no i route-cache" or other stuff.

 

This is what i dig during my Cisco adventure for my home router, there is a good level of research here.

 

It works, just adapt your parameter.

 

may be you don't need ssl-vpn just skip that part.

 

if you need a conf test this and have fun.

 

 

 

version 15.8
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname C897VA-K9
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.158-3.M6.bin
warm-reboot
boot-end-marker
!
!
logging buffered 40000 informational
enable secret 9 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
process cpu threshold type total rising 75 interval 5 falling 20 interval 5
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki server IOS-CA
 database level complete
 no database archive
 grant auto
!
crypto pki trustpoint IOS-CA
 revocation-check crl
 rsakeypair IOS-CA
!
crypto pki trustpoint TEST
 enrollment url http://192.168.1.1:80
 serial-number
 subject-name CN=#your ddns hostname#
 subject-alt-name #your ddns hostname#
 revocation-check none
 rsakeypair TEST
!
!
crypto pki certificate chain IOS-CA
 certificate ca 01
....
  	quit
crypto pki certificate chain TEST
 certificate 02
.....
  	quit
 certificate ca 01
...
  	quit
no vlan accounting
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!


ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.1.2 192.168.1.4
ip dhcp excluded-address 192.168.1.11
!
!

!
ip dhcp pool Master
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 208.67.222.222 208.67.220.220
 update arp
!

!
!
!
no ip bootp server

ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
 HTTP
  add http:/#USER#:#PASSWORD#@update.dyndns.it/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://#USER#:#PASSWORD#@update.dyndns.it/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license udi pid C897VA-K9 sn xxxxxxxxxxx
license boot module c800 level advipservices
!
!
archive
 path flash:/archive/$h$t
 maximum 12
 write-memory
memory reserve critical 4096
memory reserve console 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username xxxxx privilege 15 secret 9 xxxxxx
!
redundancy
 no keepalive-enable
 notification-timer 120000
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.3.02039-k9.pkg sequence 1
!
!
!
!
!
controller VDSL 0
 firmware filename flash:VA_A_39m_B_38u_24o_rc1_SDK_4.14L.04A-J.bin.V2
 sra
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
 match access-group 114
 match access-group 117
 match access-group 116
 match protocol teamviewer
 match protocol ssh
 match protocol outlook-web-service
class-map match-any management
 match protocol dns
 match protocol ntp
 match protocol dhcp
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any qos-voice
 match ip dscp ef
class-map match-any qos-scavenger
 match ip dscp cs1
class-map match-any Transactional
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any Signaling
 match protocol h323
 match protocol rtcp
 match protocol sip
class-map match-any video
 match access-group 118
 match protocol whatsapp
 match protocol facetime
class-map match-any voice
 match access-group 115
 match protocol rtp audio
class-map match-any qos-critical-data
 match ip dscp cs6
 match ip dscp af21  af22
 match ip dscp cs2
class-map match-any qos-call-signalling
 match ip dscp cs3
 match ip dscp af31
!

policy-map QoS-Out-child-test
 class voice
  priority 600
 class work
  bandwidth percent 30
 class management
  bandwidth percent 5
 class Signaling
  bandwidth percent 5
 class video
  bandwidth percent 10
 class class-default
  fair-queue
policy-map QoS-Out-parent-test
 class class-default
  shape average #your outgoing bandwidth#
   service-policy QoS-Out-child-test
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 description **  VDSL2 **
 no ip address
!
interface Ethernet0.835
 description **  Tag PPPoE (VDSL 0) **
 encapsulation dot1Q 835
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
 service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet1
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet2
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet3
 description **  RETE INTERNA **
 no ip address
 speed 100
!
interface GigabitEthernet4
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet5
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet6
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet7
 description **  RETE INTERNA **
 no ip address
!
interface GigabitEthernet8
 description **  WAN GigabitEthernet **
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 description **  VPN - Virual Template  **
 mtu 1406
 ip unnumbered Dialer0
!
interface Vlan1
 description ** VLAN - RETE INTERNA **
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-self-ping
 ip tcp adjust-mss 1452
!
interface Dialer0
 mtu 1492
 ip ddns update hostname #your ddns hostname#
 ip ddns update ddns host #your ddns hostname#
 ip address negotiated
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap callin
 ppp chap hostname #your chap username#
 ppp chap password 7 #your chap passsword#
 ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by packets
 cache-timeout 250
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 500
ip nat translation tcp-timeout 500
ip nat translation pptp-timeout 30
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 30
ip nat translation icmp-timeout 30
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never

ip nat translation arp-ping-timeout 30
no ip nat service nbar
!ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
!ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
!above static nat Example
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 255.255.255.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.255.255.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip ssh version 2
!
logging history size 250
logging source-interface Vlan1
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 80 remark #  traffico accesso ssh - line vty 0 4 in
access-list 80 permit 192.168.1.0 0.0.0.255
access-list 80 permit 192.168.69.0 0.0.0.255
access-list 80 deny   any
access-list 81 remark #  traffico accesso WEB
access-list 81 permit 192.168.1.0 0.0.0.255
access-list 81 permit 192.168.69.0 0.0.0.255
access-list 81 deny   any
access-list 100 remark #  traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark # Regole antispofing - dialer 0 in
access-list 105 deny   icmp any any echo
access-list 105 deny   icmp any any echo-reply
access-list 105 deny   udp any any eq echo
access-list 105 deny   udp any eq echo any
access-list 105 permit ip any any
access-list 114 remark #  VPN
access-list 114 permit ip any host xxxx
access-list 114 permit ip any host xxx
access-list 114 permit ip any host xxx
access-list 114 permit ip any host xxx
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 118 remark # WHATSAPP e FACETIME VIDEO
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
alias exec bw show interface | include protocol|BW
alias exec memory show mem stat
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec proto sh ip nbar protocol-discovery top 20
alias exec cpu show proc cpu sorted 1min | exclude 0.00%__0.00%__0.00%
alias exec temperature show environment
alias exec qos show policy-map interface ethernet 0.835
alias exec cpu2 sh proc cpu his
alias exec nat show ip nat statistics
alias exec natver show ip nat translations verbose
!
line con 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 80 in
 exec-timeout 30 0
 transport preferred ssh
 transport input ssh
 transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
scheduler max-sched-time 2000
scheduler isr-watchdog
scheduler allocate 20000 1000
ntp source Dialer0
ntp server 1.it.pool.ntp.org
ntp server 2.it.pool.ntp.org
ntp server 0.it.pool.ntp.org
!
!
!
!
!
!
!
!
webvpn gateway #NAME#
 ip interface Virtual-Template1 port 443
 ssl trustpoint TEST
 logging enable
 inservice
 !
webvpn context #NAME#
 title "Private VPN"
 color #004080
 secondary-color #0062ee
 title-color #002f80
 !
 acl "webvpn-acl"
   permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
   permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
   deny ip any any
   deny ip any any syslog
 login-message "Unauthorized Access Is Prohibited"
 virtual-template 1 tunnel
 aaa authentication list sslvpn
 gateway #NAME# domain #NAME#
!domain and  #name# is optional
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group #your policy#
   functions svc-enabled
   timeout idle 6000
   timeout session 10800
   filter tunnel webvpn-acl
   svc address-pool "VPN-POOL" netmask 255.255.0.0
   svc default-domain "your domain"
   svc keep-client-installed
   svc dpd-interval client 30
   svc dpd-interval gateway 40
   svc keepalive 300
   svc rekey method new-tunnel
   svc split include 192.168.69.0 255.255.255.0
   svc split include 192.168.1.0 255.255.255.0
   svc dns-server primary 192.168.1.1
   hide-url-bar
 default-group-policy #your policy#
!
end

 

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: