Config cisco 890 for cisco config professional discovery on LAN

skinnerkelly
Level 1

Been going through the configuration guide for the Cisco 890....

http://cisco.biz/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/SCG860_880_890.pdf

I am trying to enable http management on the LAN side so discovery will work using Cisco Configuration Professional...

Anyone know where I can get information to achieve this task?

16 Replies

cadet alain
VIP Alumni

Hi,

go to CLI and then:

1) configure a local user with privilege 15:  username localuser privilege 15 secret localpass

2) enable http service:  ip http server

3) authenticate http with the local user: ip http authentication local

4) if you've got no IP address on LAN interface then configure one

5) you should be good to go.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for your help....

FastEthernet ports 1-7 are configured:

interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone

So, all I should really need to do is config a local user with privilege 15, enable the http service, and authenticate http with the local user?

I suppose one problem is that this router was sent to me preconfigured.....  Aside from the username and password that I use to console in, the enable password is also known to me.  So, how can I determine if they have already configured a local user with privilege 15, but neglected to enable http services?

I wouldn't have to interface with vlan1 when performing this procedure? Or with any of the FE interfaces?

Hi,

You log into CLI with a console cable and then you enter username/password combination and then issue the command show privilege

you'll then know which privilege this configured user has.

For http just do show run | i http and you should see if http is enabled and local authentication also.

Regards.

Alain.

Don't forget to rate helpful posts.

The router in question is at another location already in production.... God only knows why it wasn't configured for remote admin both on the WAN and LAN side.... Anyway....

FE1 - FE7 are tied to vlan1.  For some reason, FE0 is configured on a network I don't even use, but, I am able to plug my laptop into FE0 rather than the console port to make changes....

My question I am sure is elementary.....  I ran the commands you mentioned earlier for creating the user and enabling the http and so forth, but, I am still unable to discover the router.  I am sure this is due to not being in the correct interface when configuring the services.  I did all of the following from the config terminal on FE0....

1) configure a local user with privilege 15:  username localuser privilege 15 secret localpass

2) enable http service:  ip http server

3) authenticate http with the local user: ip http authentication local

4) if you've got no IP address on LAN interface then configure one

5) you should be good to go.

I still can't see the router on my LAN side for the network I NEED to see it from (tied to FE1-FE7).... so, do I need to repeat the steps from the vlan1 interface where my 192.168.77.1 network is configured?

Bah....

The CCP only discovers machines in the LAN.

So you've got to connect a machine to one of your ports in VLAN 100 with an IP in the same subnet.

Just verify whether DHCP is turned on for this VLAN or not: sh ip dhcp pool. If it is, set your host NIC to DHCP; otherwise give it a static address in the VLAN 100 subnet:

interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0

Regards.

Alain.

Don't forget to rate helpful posts.

The 891 is in production.... I have over 40 machines pulling addresses from it currently, in fact, the machine I am typing on is leasing from it.  FE interfaces 1-7 are tied to VLAN100 which is configured:

interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone

when I try to discover the 891 on this LAN, I get the following:

Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.

So, when I console into the 891, I guess my question would be... where do I run the command you originally gave me to enable http services on my LAN?

go to CLI and then:

1) configure a local user with privilege 15:  username localuser privilege 15 secret localpass

2) enable http service:  ip http server

3) authenticate http with the local user: ip http authentication local

4) if you've got no IP address on LAN interface then configure one

5) you should be good to go.

Or, which interface do I run them on?

Sorry to be such a newb.

Jason

Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.

The question is which one is it?

So in privileged mode (after typing enable followed by the enable password): show run | i http and you'll see if it is really not enabled.

If it isn't, then in global config (after typing config t) you can enter ip http server (or better ip http secure-server for https) and then ip http authentication local

Regards.

Alain.

Don't forget to rate helpful posts.

yes....the http services are up and running on FE0.  However, nothing is connected to that interface.

The instructions for CCP say first to:

Step 1:  Log on to the router through an Ethernet port.

I am guessing this would be the port that feeds the uplink to my switches at that location.  But, when I connect to that port, putty refuses connection to the router's gateway address of 192.168.77.1

So, I probably need to enable something else... just to be able to log on to the router from the LAN side.  Would this be an ACL feature?

The people who did the initial config on the router said they ran the username name privilege 15 secret 0 password command on the FE0 interface.  This means that it needs to be done on the other Ethernet interfaces as well?

Does running the ip http server command in global config enable this service on all ethernet interfaces simultaneously?

Does running the ip http server command in global config enable this service on all ethernet interfaces simultaneously?

This is a global command, so it enables http connections to the router from all routed interfaces.

Would this be an ACL feature?

maybe an access-class  for http or an ACL on inside interface:  ---> post output of sh run | i http and also sh access-list, sh ip int Vlan100

Log on to the router through an Ethernet port.

This means you must have IP connectivity with the router: from where are you trying to communicate with the router with CCP? can you post a diagram?

Regards.

Alain.

Don't forget to rate helpful posts.

I'm afraid it is the most simplistic of network topologies.

FiberSwitch-------->Cisco 891 (Gateway)----------->48 port gigabit switch------->nodes

Router IP (LAN side) on FE1 = 192.168.77.1/24

DHCP reserved 192.168.77.1-99

I am able to lease an IP, I can ping the router and everything else on the network (static devices, etc....), but I cannot telnet to the router or interface with it via CCP.

Hi,

So you can connect via console if I remember well, am I right? OK, if so then in privileged mode do a show run | be line vty and show run | i ip http

and post output here.

Regards.

Alain.

Don't forget to rate helpful posts.

show run | be line vty
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler max-task-time 5000
end


show run | i ip http
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

I also believe that I should probably do the following:

Set Access Class on HTTP Server Service

Security Audit enables the HTTP service on the router with an access  class whenever possible. The HTTP service permits remote configuration and  monitoring using a web browser, but is limited in its security because it sends  a clear-text password over the network during the authentication process.  Security Audit therefore limits access to the HTTP service by configuring an  access class that permits access only from directly connected network nodes.

The configuration that will be delivered to the router to enable  the HTTP service with an access class is as follows:

ip http server 
ip http access-class  
! 
!HTTP Access-class:Allow initial access to direct connected subnets ! 
!only 
access-list  permit  
access-list  deny any 

Hi,

show run | be line vty
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet

you have a restriction on the machines which can access this router via telnet.

And the same goes for http:

show run | i ip http
ip http server
ip http access-class 23
ip http authentication local

You'll have to edit access-list 23: access-list 23 permit x.x.x.x y.y.y.y, where x.x.x.x is the subnet your PC belongs to and y.y.y.y is the inverse mask.

The inverse mask is calculated as follows: each 255 in the subnet mask becomes a 0, and inversely, so e.g. mask 255.255.255.0 gives an inverse mask of 0.0.0.255. If in an octet the value is not 255 or 0, then you do 255 minus this value, e.g. 255.255.252.0 gives 0.0.3.255.

Regards.

Alain.

Don't forget to rate helpful posts.
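The following is an added example, not code from the thread or from Cisco. It ties together the enablement checklist from the first reply (privilege-15 local user, ip http server / secure-server, ip http authentication local) and the diagnosis in the last reply (the ip http access-class ACL silently blocking the LAN subnet). Given show run style text, it reports whether a client address can reach the HTTP management service, evaluating the standard ACL the way IOS does: first matching entry wins, set wildcard bits are "don't care", and anything unmatched hits the implicit deny. The sample config is constructed; the thread never shows the contents of access-list 23, so the entries here (only an assumed FE0 subnet 10.10.10.0/24 permitted) are an assumption, as is the 10.10.10.0/24 address itself.

```python
"""Added example (not from the thread): decide whether a host can reach a Cisco IOS
router's HTTP/HTTPS management service, given `show run` style text, and show the
access-list fix with the wildcard mask computed from the subnet mask."""
import ipaddress
import re

# Constructed sample, modelled on the `show run | i ip http` output posted in the
# thread. The access-list 23 entries are an ASSUMPTION (the thread never shows them);
# here the ACL only permits an assumed FE0 subnet 10.10.10.0/24, not VLAN 100.
SAMPLE_CONFIG = """\
username localuser privilege 15 secret 5 $1$xxxx$constructedhashvalue
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 deny   any
interface Vlan100
 ip address 192.168.77.1 255.255.255.0
"""


def wildcard_from_mask(mask: str) -> str:
    """Inverse (wildcard) mask: each octet is 255 minus the subnet-mask octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def matches(ip: str, network: str, wildcard: str) -> bool:
    """True if `ip` falls in network/wildcard (bits set in the wildcard are ignored)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def parse_standard_acl(config: str, number: str):
    """Return [(action, network, wildcard), ...] for numbered standard ACL `number`."""
    entries = []
    pattern = re.compile(rf"^access-list {number}\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?", re.M)
    for action, first, second in pattern.findall(config):
        if first == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif first == "host":
            entries.append((action, second, "0.0.0.0"))
        else:  # "network wildcard", or a bare address meaning a single host
            entries.append((action, first, second or "0.0.0.0"))
    return entries


def acl_permits(entries, ip: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, network, wildcard in entries:
        if matches(ip, network, wildcard):
            return action == "permit"
    return False


def http_access(config: str, client_ip: str) -> dict:
    """Summarise the HTTP management posture of `config` for one client address."""
    def has(line: str) -> bool:
        return re.search(rf"^{re.escape(line)}$", config, re.M) is not None

    acl = re.search(r"^ip http access-class (\d+)$", config, re.M)
    permitted = acl_permits(parse_standard_acl(config, acl.group(1)), client_ip) if acl else True
    return {
        "priv15_user": re.search(r"^username \S+ privilege 15 ", config, re.M) is not None,
        "http": has("ip http server"),
        "https": has("ip http secure-server"),
        "local_auth": has("ip http authentication local"),
        "access_class": acl.group(1) if acl else None,
        "client_permitted": permitted,
        # plain HTTP plus a permitted client: the login crosses the wire in clear text
        "cleartext_exposed": has("ip http server") and permitted,
    }


def with_permit(config: str, number: str, network: str, mask: str) -> str:
    """Insert `access-list N permit <network> <wildcard>` before the ACL's first deny
    (so it is evaluated before `deny any`); append it if the ACL has no deny line."""
    line = f"access-list {number} permit {network} {wildcard_from_mask(mask)}"
    deny = re.search(rf"^access-list {number}\s+deny\b.*$", config, re.M)
    if deny:
        return config[: deny.start()] + line + "\n" + config[deny.start():]
    return config.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    print("before:", http_access(SAMPLE_CONFIG, "192.168.77.50"))
    fixed = with_permit(SAMPLE_CONFIG, "23", "192.168.77.0", "255.255.255.0")
    print("after: ", http_access(fixed, "192.168.77.50"))
```

Note that the "after" result still flags cleartext_exposed, because ip http server is left in place alongside ip http secure-server; once the LAN subnet is permitted, the usual follow-up is no ip http server so CCP and browsers are forced onto HTTPS.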