
Configuring a c881-k9 - basics

rdk_cisco1
Level 1

Folks.....I'm a real beginner at this and using a Command Line Interface has not made my inexperience any easier!

 

Basically I would like to get this unit a Cisco c881-k9 (and NOT Cisco 881-k9) configured for LAN access from my laptop and also PUTTY access from the WAN (FastEthernet4) interface and from a LAN port.

 

At this point I seem to have FastEthernet4 configured as I can ping it from our test LAN. 

I have created a VLAN2 which is associated with FastEthernet0.  When I connect to FastEthernet0 it assigns an IP address from the DHCP pool.  Eventually I want separate DHCP pools for each VLAN, but for now this is working.  As far as I can tell, my pool is not associated with any particular VLAN. 

 

Vlan1 seems to be special and I was not able to do any configuring with it.

 

I  have access for configuring using the CLI via the serial port cable to my laptop.  This is not very convenient, so access via the Vlan2 or the WAN port is desired.

 

Attached is my current configuration, much of which was the default when I booted up the c881.

 

This router will eventually be connected to the Internet via an IP address supplied by our ISP, so any additional modifications/suggestions would be appreciated.

 

Thanks.....RDK

3 Accepted Solutions


…..2620 Router gremlins ;-(

 

Changed port numbers and now it all works.  Grrr

 

Sorry to have wasted your time, but your comments about "IP Route 0.0.0.0 …" were instrumental in getting this working.  

Thanks again and I hope there are no more issues for a while.....RDK

17 Replies

chrihussey
VIP Alumni

Hello,

Just going to give you a list of points and questions:

1- VLAN1 is the default VLAN. So by default, without an access VLAN specified on ports F0-3, it is automatically in VLAN1

 

2- Your DHCP excluded addresses overlap. The .2 thru .30 encompasses .3 thru .20.

 

3- The DHCP pool is named VLan1Pool, but in reality it is providing IPs to VLAN 2. Cosmetic I know, but just an observation.

 

4- Any DHCP pool created will assign addresses based on the interface the bootp request is received. So if you had two VLANs and two networks with two scopes built. Any DHCP request coming in, will be assigned an IP based on the network assigned to that VLAN.

 

5- Have you tried to telnet or ssh to the router from VLAN2? If so what was the result?

 

6- You should also be able to connect to router via the WAN interface, but if it is internet facing that is somewhat dangerous as it could open you up to attack and compromise. You could secure it to some degree, but you need to be careful.

 

7- When you do connect it to the internet you will probably have to NAT (network address translation) the hosts on the VLANs so they can get out. The link below should give you an idea and get you started.

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html

 

Hope this is of some help.

chrihussey...Many thanks for your reply.  I will address each of your points below.

First, however, I would like to figure out how to access this c881 box via PUTTY but not through the serial interface.  So as I go through your list, please keep this goal in mind.

  • "VLAN1 is the default VLAN."  =>  OK, I get it now, just "no shutdown" for each of the FE ports and they will start working?
  • "Your DHCP excluded addresses overlap." => Yes, I noticed that and fixed it.
  • "The DHCP pool is named VLan1Pool, but in reality it is providing IPs to VLAN 2." => OK, I understand. Initially when I could not get vlan1 to work I had planned to use that pool for it.  Then when I got vlan2 to work and it seemed to automatically use that pool I just did not go back to change it.  So, how do I specify a specific DHCP pool for a specific vlan?
  • "Any DHCP pool created will assign addresses based on the interface the bootp request is received. So if you had two VLANs and two networks with two scopes built. Any DHCP request coming in, will be assigned an IP based on the network assigned to that VLAN." =>  Hmmm, maybe this is the answer to the above DHCP pool question. So, if I have two vlans both in the 10.0.1.* subnet, then VLan1Pool would be used.  If they are different subnets, then I would have to create a new DHCP pool for the second one?
  • "Have you tried to telnet or ssh to the router from VLAN2? If so what was the result?" => Now we're getting to a major issue.  I can PUTTY into the box via the serial interface.  But, not via either the FE4 or Vlan2 interfaces.  In the two latter cases when I specify the external address (192.168.60.19) or the address I get from Vlan2 (10.0.1.31), I get "network error: Connection Refused".  Do I need to add something to the running-conf to enable PUTTY access via an IP address?  I also have the "Cisco Configuration Assistant" but I also cannot get it to connect, either via the serial or IP ports.
  • "You should also be able to connect to router via the WAN interface, but if it is internet facing that is somewhat dangerous" => Yes.  For now the WAN (FE4) is on our test LAN which is not Internet connected.  I will eventually want to have it on the Internet.
  • "When you do connect it to the internet you will probably have to NAT (network address translation) the hosts on the VLANs " =>  OK, I'll study this reference.

I have attached my current running-conf which includes some changes from what I posted yesterday.  Looking forward to more of your thoughts and suggestions, especially how to get PUTTY working to the c881 via an IP address and not the serial port.

 

Thanks again….RDK

 

So to keep it short, I'll just provide answers point by point.

1- Yes, give VLAN1 an IP address and enable the FE ports. At least one of the ports needs to be up for the VLAN interface to come up.

2- OK

3- See your next comment.

4- Correct, but keep in mind you cannot have the same network in two different VLANs. Each VLAN will be its own network.

5- So when your PC is connected to an FE port and gets a valid DHCP address, try to ping the associated VLAN interface IP. If successful, then bring up a Putty window,  put the IP address of the VLAN interface and select "Telnet" as the connection type, then select "Open". See if that works.

6- OK

7- OK

Regards
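
An added illustration of point 4 (not part of the original thread and not the poster's configuration): IOS serves a DHCP request from the pool whose `network` statement matches the subnet of the interface that received it, so each VLAN gets its own subnet and its own pool. The Vlan3 subnet, the pool names, the excluded ranges and the port assignments are assumptions, and both VLANs are assumed to exist already; 10.0.2.1 is the Vlan2 address mentioned later in the thread.

```cisco
! Constructed example: one subnet and one DHCP pool per VLAN.
! Reserve the low addresses in each subnet for static use (assumed ranges).
ip dhcp excluded-address 10.0.2.1 10.0.2.30
ip dhcp excluded-address 10.0.3.1 10.0.3.30
!
! Pool selected for requests that arrive on Vlan2 (10.0.2.0/24).
ip dhcp pool Vlan2Pool
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
!
! Pool selected for requests that arrive on Vlan3 (10.0.3.0/24, assumed).
ip dhcp pool Vlan3Pool
 network 10.0.3.0 255.255.255.0
 default-router 10.0.3.1
!
! Switch ports are placed in a VLAN; with no access VLAN they stay in VLAN1.
interface FastEthernet0
 switchport access vlan 2
 no shutdown
!
interface FastEthernet1
 switchport access vlan 3
 no shutdown
!
! The VLAN interface address decides which pool its clients are served from.
! It only comes up once at least one member port is up.
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 no shutdown
!
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
 no shutdown
```

`show ip dhcp binding` lists the leases handed out, which confirms that a client on each port received an address from the expected subnet.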

 

chrihussey.....Happiness is!!!!  That works from the Vlan2 port and also from our test LAN using the 192.168.60.19 address.  

Now, I guess I need to look into setting up SSH on this box to improve security.  Any comments along these lines?

I really appreciate your time and comments, they, for now, have me around the corner in this project...RDK 

chrihussey
VIP Alumni

Glad it was of some help. To enable ssh:

1- Give the router a domain name "ip domain name your_company.com"

2- Create a local user account "username rdk1 password cisco"

3- Enable local login on the vty lines "login local"

4- Generate a crypto key "crypto key gen mod gen rsa 2048"

Once complete, from putty, select SSH and hopefully you'll connect. Enter the username and password and if I didn't forget anything you should be in.

chrihussey....Working, almost? This generates the key "crypto key gen rsa" and then it prompts for the length.  But that change with the rest of your steps worked no issues.

 

So now it is working when attached to the router via Vlan2, ie SSH into 10.0.2.1 (Yes I changed the subnet from before).  However, it is not working when I try to access from our test network via the FastEthernet4 (WAN) port which is now 10.0.1.2.  The config for VTY is:

line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 1062080B041A1B0E
 login local
 transport input all

What have I done wrong? Thanks....RDK
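
An added example, not part of the original thread: the VTY stanza above still accepts Telnet (`transport input all`) and carries a type 7 line password, which is reversible obfuscation rather than a hash. A tightened management-plane configuration using standard IOS commands follows; the domain name, ACL number 10, the permitted source addresses and the secret placeholder are assumptions to replace with your own values.

```cisco
! Constructed example: SSH-only management access for the router.
! A host name and domain name are needed before the RSA key can be generated.
ip domain name example.com
crypto key generate rsa modulus 2048
!
! Refuse SSHv1 and bound the login phase.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! "secret" stores a hash; "password" would be kept in clear text or type 7.
! <strong-passphrase> is a placeholder, not a value from the thread.
username rdk1 secret <strong-passphrase>
!
! Sources allowed to open a management session (assumed values):
!   10.0.2.0/24  = the Vlan2 LAN from the thread
!   203.0.113.10 = placeholder for one remote admin address
access-list 10 permit 10.0.2.0 0.0.0.255
access-list 10 permit host 203.0.113.10
access-list 10 deny any log
!
line vty 0 4
 ! Remove the type 7 line password; login local uses the username above.
 no password
 login local
 ! Replaces "transport input all", which also allowed Telnet.
 transport input ssh
 ! Apply the source filter to every VTY, including sessions via FastEthernet4.
 access-class 10 in
 ! Drop idle sessions after 10 minutes.
 exec-timeout 10 0
```

`show ip ssh` confirms that version 2 is active, and `show line vty 0 4` or `show running-config | section line vty` confirms the transport and access-class settings. Connections refused by the ACL are logged by the `deny any log` entry.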

 

 

My bad. Both working now....RDK

Just logged in to respond and saw your last post. Good deal.

chrihussey…..Well, things were going along pretty good until we opened up a port on our Firewall so I could work from home.  We set up port forwarding for that port's traffic to port 22 on the router WAN port (10.0.1.2).  That is not working, although the same firewall code to a different device listening for SSH does work. This makes us think the router is denying this traffic for some reason, although when I come in directly from that LAN address it does work.

 

Any ideas?  Here is my WAN port code:

interface FastEthernet4
 ip address 10.0.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

Thanks....RDK

 

 

Might be best if you just post the full router config, just remove any public IP addresses or non relevant identifying information.

chrihussey…..OK, the config is attached.....RDK

So you are trying to get to the WAN interface from the internet. Is the next hop on the router's WAN interface the firewall which is on the same network?

If that is the case, you just need to add a default route to the router:

ip route 0.0.0.0 0.0.0.0 x.x.x.x (IP of the firewall)

 

chrihussey….Does this command also enable ip routing?  I read a bit about this command and they say that IP routing has to be enabled.  Not sure if it is enabled in my configuration.

 

Also, our firewall is a Cisco 2620 which is connected to our ISP via this IP 1.2.3.4.  The LAN that I have connected the c881's WAN to is 10.0.1.1 using the address 10.0.1.2.

I've tried just the IP route 0.0.0.0 0.0.0.0  with both addresses without success.  Do I need something else?

Thanks....RDK

The 881 will need the default route pointing to the 2620:

ip route 0.0.0.0 0.0.0.0 10.0.1.1

 

IP routing should be enabled by default.

 

If all you are trying to do at this point is to SSH to the WAN interface from the outside, and the default route is configured, I don't think it may be the 881 at this point, but quite possibly the 2620 config performing the translation and port forwarding.

 

You could verify if the 881 is getting the SSH request by typing:

"term mon" (in case you're connected to a vty line)

then "debug ip ssh detail".

Once you have enabled these commands and then have someone try to SSH from the outside, the router will output information if it sees an SSH attempt. If not,  it probably isn't reaching the 881.

Be sure to disable the debug when done with the "undebug all" command.

 

You can also connect a laptop directly to the WAN interface of the 881, give it the IP of 10.0.1.1 and try to SSH to the router WAN IP just to verify it can be done that way.