09-17-2018 04:26 PM - edited 09-17-2018 04:28 PM
Folks.....I'm a real beginner at this and using a Command Line Interface has not made my inexperience any easier!
Basically I would like to get this unit a Cisco c881-k9 (and NOT Cisco 881-k9) configured for LAN access from my laptop and also PUTTY access from the WAN (FastEthernet4) interface and from a LAN port.
At this point I seem to have FastEthernet4 configured as I can ping it from our test LAN.
I have created a VLAN2 which is associated with FastEthernet0. When I connect to FastEthernet0 it assigns an IP address from the DHCP pool. Eventually I want separate DHCP pools for each VLAN, but for now this is working. As far as I can tell, my pool is not associated with any particular VLAN.
Vlan1 seems to be special and I was not able to do any configuring with it.
I have access for configuring using the CLI via the serial port cable to my laptop. This is not very convenient, so access via the Vlan2 or the WAN port is desired.
Attached is my current configuration, much of which was the default when I booted up the c881.
This router will eventually be connected to the Internet via an IP address supplied by our ISP, so any additional modifications/suggestions would be appreciated.
Thanks.....RDK
09-19-2018 11:19 AM
…..2620 Router gremlins ;-(
Changed port numbers and now it all works. Grrr
Sorry to have wasted your time, but your comments about "IP Route 0.0.0.0 …" were instrumental in getting this working.
Thanks again and I hope there are no more issues for a while.....RDK
09-18-2018 05:39 AM
Hello,
Just going to give you a list of points and questions:
1- VLAN1 is the default VLAN. So by default, without an access VLAN specified on ports F0-3, it is automatically in VLAN1
2- Your DHCP excluded addresses overlap. The .2 thru .30 encompasses .3 thru .20.
3- The DHCP pool is named VLan1Pool, but in reality it is providing IPs to VLAN 2. Cosmetic I know, but just an observation.
4- Any DHCP pool created will assign addresses based on the interface the bootp request is received on. So if you had two VLANs and two networks with two scopes built, any DHCP request coming in will be assigned an IP based on the network assigned to that VLAN.
5- Have you tried to telnet or ssh to the router from VLAN2? If so what was the result?
6- You should also be able to connect to router via the WAN interface, but if it is internet facing that is somewhat dangerous as it could open you up to attack and compromise. You could secure it to some degree, but you need to be careful.
7- When you do connect it to the internet you will probably have to NAT (network address translation) the hosts on the VLANs so they can get out. The link below should give you an idea and get you started.
Hope this is of some help.
09-18-2018 07:06 AM
chrihussey...Many thanks for your reply. I will address each of your points below.
First, however, I would like to figure out how to access this c881 box via PUTTY but not through the serial interface. So as I go through your list, please keep this goal in mind.
I have attached my current running-conf which includes some changes from what I posted yesterday. Looking forward to more of your thoughts and suggestions, especially how to get PUTTY working to the c881 via an IP address and not the serial port.
Thanks again….RDK
09-18-2018 07:24 AM
So to keep it short, I'll just provide answers point by point.
1- Yes, give VLAN1 an IP address and enable the FE ports. At least one of the ports needs to be up for the VLAN interface to come up.
2- OK
3- See your next comment.
4- Correct, but keep in mind you cannot have the same network in two different VLANs. Each VLAN will be its own network.
5- So when your PC is connected to an FE port and gets a valid DHCP address, try to ping the associated VLAN interface IP. If successful, then bring up a Putty window, put the IP address of the VLAN interface and select "Telnet" as the connection type, then select "Open". See if that works.
6- OK
7- OK
Regards
09-18-2018 07:42 AM
chrihussey.....Happiness is!!!! That works from the Vlan2 port and also from our test LAN using the 192.168.60.19 address.
Now, I guess I need to look into setting up SSH on this box to improve security. Any comments along these lines?
I really appreciate your time and comments, they, for now, have me around the corner in this project...RDK
09-18-2018 08:29 AM
Glad it was of some help. To enable ssh:
1- Give the router a domain name "ip domain name your_company.com"
2- Create a local user account "username rdk1 password cisco"
3- Enable local login on the vty lines "login local"
4- Generate a crypto key "crypto key gen mod gen rsa 2048"
Once complete, from putty, select SSH and hopefully you'll connect. Enter the username and password and if I didn't forget anything you should be in.
09-18-2018 10:58 AM
chrihussey....Working, almost? This generates the key "crypto key gen rsa" and then it prompts for the length. But that change with the rest of your steps worked no issues.
So now it is working when attached to the router via Vlan2, ie SSH into 10.0.2.1 (Yes I changed the subnet from before). However, it is not working when I try to access from our test network via the FastEthernet4 (WAN) port which is now 10.0.1.2. The config for VTY is:
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 1062080B041A1B0E
login local
transport input all
What have I done wrong? Thanks....RDK
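An added example, not part of the thread or of anyone's posted configuration: a small Python audit that flags the remote-access weaknesses visible in the vty stanza above and in the earlier SSH steps, and pairs each with a standard IOS command that addresses it. The sample config is constructed from those two posts, and the finding names and the `<...>` placeholders are made up for this example.

```python
import re

# Constructed sample: the vty stanza from the post above plus the local user
# line from the earlier SSH steps in this thread.
SAMPLE = """\
username rdk1 password cisco
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 1062080B041A1B0E
 login local
 transport input all
"""

def audit(config):
    """Return sorted (finding, suggested IOS command) pairs for remote access."""
    out, in_vty, vty, acl, ssh_v2 = set(), False, 0, 0, False
    for line in (l.strip() for l in config.splitlines()):
        if re.match(r"line (con|aux|vty)\b", line):
            # Track the stanza by keyword so unindented forum pastes still work.
            in_vty = line.startswith("line vty")
            vty += in_vty
        elif m := re.match(r"username (\S+) .*\bpassword\b", line):
            # 'password' is stored in clear or as reversible type 7; 'secret' is hashed.
            out.add(("user-password-not-secret",
                     f"username {m.group(1)} secret <new-password>"))
        elif line == "ip ssh version 2":
            ssh_v2 = True
        elif in_vty and (m := re.match(r"transport input (.+)", line)):
            if set(m.group(1).split()) & {"all", "telnet"}:
                out.add(("vty-allows-telnet", "transport input ssh"))
        elif in_vty and re.match(r"password 7 ", line):
            # With 'login local' the line password is unused; type 7 is only obfuscation.
            out.add(("vty-type7-password", "no password"))
        elif in_vty and line.startswith("access-class "):
            acl += 1
    if acl < vty:   # at least one vty stanza accepts logins from any source address
        out.add(("vty-no-access-class", "access-class <mgmt-acl> in"))
    if vty and not ssh_v2:
        out.add(("ssh-v1-not-disabled", "ip ssh version 2"))
    return sorted(out)

if __name__ == "__main__":
    for finding, fix in audit(SAMPLE):
        print(f"{finding:26} -> {fix}")
```

The same function can be pointed at saved `show running-config` output; an empty list means none of these five checks fired.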
09-18-2018 01:07 PM
09-18-2018 01:29 PM
Just logged in to respond and saw your last post. Good deal.
09-18-2018 02:21 PM
chrihussey…..Well, things were going along pretty good until we opened up a port on our Firewall so I could work from home. We set up port forwarding for that port's traffic to port 22 on the router WAN port (10.0.1.2). That is not working, although the same firewall code to a different device listening for SSH does work. This makes us think the router is denying this traffic for some reason, although when I come in directly from that LAN address it does work.
Any ideas? Here is my WAN port code:
interface FastEthernet4
ip address 10.0.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
Thanks....RDK
09-18-2018 04:23 PM
Might be best if you just post the full router config, just remove any public IP addresses or non relevant identifying information.
09-18-2018 04:30 PM
09-19-2018 04:06 AM
So you are trying to get to the WAN interface from the internet. Is the next hop on the router's WAN interface the firewall which is on the same network?
If that is the case, you just need to add a default route to the router:
ip route 0.0.0.0 0.0.0.0 x.x.x.x (IP of the firewall)
09-19-2018 06:02 AM
chrihussey….Does this command also enable ip routing? I read a bit about this command and they say that IP routing has to be enabled. Not sure if it is enabled in my configuration.
Also, our firewall is a Cisco 2620 which is connected to our ISP via this IP 1.2.3.4. The LAN that I have connected the c881's WAN to is 10.0.1.1 using the address 10.0.1.2.
I've tried just the IP route 0.0.0.0 0.0.0.0 with both addresses without success. Do I need something else?
Thanks....RDK
09-19-2018 07:09 AM
The 881 will need the default route pointing to the 2620:
ip route 0.0.0.0 0.0.0.0 10.0.1.1
IP routing should be enabled by default.
If all you are trying to do at this point is to SSH to the WAN interface from the outside, and the default route is configured, I don't think it may be the 881 at this point, but quite possibly the 2620 config performing the translation and port forwarding.
You could verify if the 881 is getting the SSH request by typing:
"term mon" (in case you're connected to a vty line)
then "debug ip ssh detail".
Once you have enabled these commands and then have someone try to SSH from the outside, the router will output information if it sees an SSH attempt. If not, it probably isn't reaching the 881.
Be sure to disable the debug when done with the "undebug all" command.
You can also connect a laptop directly to the WAN interface of the 881, give it the IP of 10.0.1.1 and try to SSH to the router WAN IP just to verify it can be done that way.