Configuring a site-to-site IPsec tunnel on Cisco IOS

This post outlines how to set up a site-to-site IPsec VPN on a Cisco IOS router. The crypto isakmp policy and the transform set must match on both peers.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SecureComputing! address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
!
crypto map MYVPN 10 ipsec-isakmp
 set peer xxxx.xxxx.xxxx.xxxx
 set transform-set MYVPN
 match address 110

access-list 110 remark MYVPN TO REMOTEVPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (Where 192.168.2.0/24 is the remote network you are trying to reach.)

interface atm0.1 (The outside interface, the same one NAT is applied to below.)
crypto map MYVPN


access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (This exempts the VPN traffic from NAT; it must mirror the crypto ACL above.)
access-list 111 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 111 interface atm0.1 overload

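As an added example (not part of the original post), here is a small Python check that parses two peers' configs, reports which ISAKMP policy attributes or transform-set differ, and confirms that the crypto ACL's permit entry is mirrored by a deny in the NAT ACL; the two configs are constructed samples laid out like the one above.

```python
import re
# Constructed sample configs for the two tunnel endpoints (not the page's routers);
# SITE_B deliberately uses 'hash sha' so the mismatch check has something to report.
SITE_A = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYVPN 10 ipsec-isakmp
 match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 111 interface atm0.1 overload
"""
SITE_B = SITE_A.replace(" hash md5", " hash sha")
# extended ACL entries: access-list N permit|deny ip SRC WILD DST WILD
ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+)$", re.M)
def isakmp_policy(cfg):
    """Attributes (encr, hash, authentication, group) of the first isakmp policy."""
    attrs, in_block = {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
        elif in_block and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            attrs[key] = val
        elif in_block:
            break
    return attrs
def transform_set(cfg):
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    return tuple(m.group(1).split()) if m else ()

def policy_mismatches(cfg_a, cfg_b):
    """Phase-1 attributes (plus 'transform-set') that differ between the two peers."""
    a, b = isakmp_policy(cfg_a), isakmp_policy(cfg_b)
    diffs = [k for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    if transform_set(cfg_a) != transform_set(cfg_b):
        diffs.append("transform-set")
    return diffs

def nat_exempts_vpn(cfg):
    """True when every pair the crypto ACL permits is denied in the NAT ACL."""
    crypto_acl = re.search(r"^ match address (\d+)$", cfg, re.M).group(1)
    nat_acl = re.search(r"^ip nat inside source list (\d+) ", cfg, re.M).group(1)
    entries = ACL.findall(cfg)
    vpn_pairs = {(s, d) for n, act, s, d in entries if n == crypto_acl and act == "permit"}
    exempt = {(s, d) for n, act, s, d in entries if n == nat_acl and act == "deny"}
    return bool(vpn_pairs) and vpn_pairs <= exempt
```

The same parse also makes it obvious that the policy above (3DES, MD5, DH group 2) is legacy; stronger choices (AES, SHA-2, larger DH groups) go in the same attribute slots on both peers.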
Port Forwarding on Cisco IOS

a) We have a web server on port 80 and wish to forward port 80 from the outside interface back to it:

ip nat inside source static tcp 10.108.1.6 80 interface Dialer1 80

b) A torrent type port forward:

ip nat inside source static tcp 10.108.1.1 61437 interface Dialer1 61437

Enabling Secure Shell (SSH) in Cisco IOS

Secure Shell (SSH) is the recommended protocol for remote administration of Cisco routers and switches.

To see if SSH is already enabled:

CISCO877# show ip ssh
%SSH has not been enabled

To enable SSH on your Cisco Switch or Router, do the following from the global configuration mode:

Configure the Hostname on the Switch or Router

Router(config)# hostname CISCO877

Configure the Domain name for the Cisco Switch or Router

CISCO877(config)# ip domain-name my.domain.com

Generate an RSA key pair

CISCO877(config)# crypto key generate rsa

This enables SSH on the Cisco switch or the router.

The following optional commands are recommended but are not mandatory:

Set the SSH Negotiation phase timeout interval (in seconds)

CISCO877(config)# ip ssh time-out 120

This makes the router or switch wait 120 seconds for the client to complete the SSH negotiation phase before timing it out.

Set the maximum authentication retry attempts

CISCO877(config)# ip ssh authentication-retries 3

This sets the maximum number of authentication retries to 3 before the vty line is reset.

To change the default SSH port (22):

CISCO877(config)# ip ssh port 3536

This sets the port number to listen for SSH connections to be 3536.

Log on and off the router or switch over SSH to make sure it works, then disable Telnet access by making SSH the only input transport on the vty lines.

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input ssh

This makes SSH the only way to connect to the router or switch remotely.

Write the config changes to the startup-config:

CISCO877# wr mem

To see the status of SSH on the switch or router:

CISCO877# show ip ssh

SSH Enabled - version 1.5

Authentication timeout: 120 secs; Authentication retries: 3

To view the status of SSH connections:

CISCO877# show ssh

Connection      Version     Encryption  State            Username
 0              1.5         3DES        Session Started  guest

If at any time you want to disable SSH on the router or switch, from global configuration mode:

CISCO877(config)# crypto key zeroize rsa

This deletes the RSA key pair, which disables the SSH server.

In this case, if you had SSH as the only transport, that needs to be changed back as well:

CISCO877(config)# line vty 0 4
CISCO877(config-line)# transport input telnet
 

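As an added example, not from the original post, this Python snippet parses 'show ip ssh' output and the vty configuration to confirm that SSH is enabled, which protocol version it offers, and that it is the only vty transport; the sample output and config are constructed to match the section above.

```python
import re

# Constructed sample 'show ip ssh' output and vty config modelled on the section above;
# not captured from a real device.
SHOW_IP_SSH = """SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""
RUNNING_CONFIG = """
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 transport input telnet ssh
"""

def parse_show_ip_ssh(text):
    """Return (enabled, version, timeout, retries) from 'show ip ssh' output."""
    if "SSH has not been enabled" in text:
        return (False, None, None, None)
    version = re.search(r"SSH Enabled - version (\S+)", text).group(1)
    timeout = int(re.search(r"Authentication timeout: (\d+)", text).group(1))
    retries = int(re.search(r"Authentication retries: (\d+)", text).group(1))
    return (True, version, timeout, retries)

def vty_transports(cfg):
    """Protocols listed under 'transport input' in the first 'line vty' block."""
    in_vty = False
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" transport input"):
            return set(line.split()[2:])
        elif in_vty and not line.startswith(" "):
            break
    return set()

def audit(show_output, cfg):
    """Short finding codes for the SSH setup; an empty list means all checks passed."""
    enabled, version, _timeout, retries = parse_show_ip_ssh(show_output)
    if not enabled:
        return ["ssh-disabled"]        # no RSA key pair yet, so only Telnet is available
    findings = []
    if version == "1.5":               # 1.5 = SSHv1 only; 1.99 or 2.0 mean SSHv2 is offered
        findings.append("sshv1-only")
    if retries > 3:
        findings.append("retries-above-3")
    if vty_transports(cfg) != {"ssh"}:  # Telnet (or nothing explicit) still allowed on vty
        findings.append("vty-not-ssh-only")
    return findings
```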
Configuring a Cisco 877 Router for Be/O2 Broadband

This post is an amended version of this guide detailing how to set up a Cisco 877 router for BE Broadband or O2 Broadband in the UK. If you’d like to see the full config, just leave a comment and I’ll send it over.

This article covers the following router models:

  • CISCO877-K9 (Wired)
  • CISCO877W-G-A-K9
  • CISCO877W-G-E-K9
  • CISCO877W-G-J-K9

Before we begin, it’s important to point out that Be Broadband uses RFC1483 bridged mode instead of the PPPoA used by most UK ISPs. Additionally, they use PVC 0/101 instead of the standard 0/38.

Hardware Setup

Connect your PC to the router with a console cable between the router’s console port and the PC’s serial port, then open a serial connection using PuTTY.

Configuration

Once logged in, create a user so you can still log in after copying your running-config to your startup-config at the end of this process.

username myusername privilege 15 secret mypassword (IOS hashes the secret itself; the "secret 5" form expects an already-hashed value, not a plaintext password.)

Next, set up a local DHCP server (if required):

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.24.0 192.168.24.10
ip dhcp excluded-address 192.168.24.250 192.168.24.254
!
ip dhcp pool lanpool
   network 192.168.24.0 255.255.255.0
   default-router 192.168.24.1
   lease 0 2

Next, enable Integrated Routing and Bridging (IRB) on your router.

Enter the following command in global configuration mode:

bridge irb

Create your bridge:

bridge 1 protocol ieee
bridge 1 route ip

and configure IP:

interface BVI1
description my local range
ip address 192.168.24.1 255.255.255.0 <-- Change as appropriate
ip nat inside
ip virtual-reassembly
!

Link your local interfaces to the bridge:

interface Vlan1
no ip address
bridge-group 1
!

Configure the DSL interface from global configuration mode:

!
interface ATM0
mac-address [MAC of original BeBox/O2 router]
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
no shut
!
interface ATM0.1 point-to-point
description Link to BE/O2 Broadband
ip address 87.194.X.X 255.255.252.0 <----- IP/Mask of Be/O2 Broadband
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
oam-pvc manage
!

Configure routing and NAT:

Create the access list and the NAT overload rule:

access-list 1 permit 192.168.24.0 0.0.0.255 <-- Change as above
ip nat inside source list 1 interface ATM0.1 overload

Set up your default route:

ip route 0.0.0.0 0.0.0.0 87.194.220.1 <--- Change to details supplied by BE Broadband

To commit everything to your startup config, issue:

copy running-config startup-config
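Added example (not the original post’s): a Python consistency check for the configuration above, verifying that access-list 1 covers the BVI network, that the default route’s next hop lies on the ATM0.1 subnet, that the DHCP default-router is the BVI address inside an excluded range, and that NAT inside/outside are both marked; the config fragment and its addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed config fragment laid out like the Be/O2 example above; the addresses
# are placeholders, not a real subscriber's.
CONFIG = """
ip dhcp excluded-address 192.168.24.0 192.168.24.10
ip dhcp excluded-address 192.168.24.250 192.168.24.254
ip dhcp pool lanpool
   network 192.168.24.0 255.255.255.0
   default-router 192.168.24.1
interface BVI1
 ip address 192.168.24.1 255.255.255.0
 ip nat inside
interface ATM0.1 point-to-point
 ip address 87.194.220.2 255.255.252.0
 ip nat outside
access-list 1 permit 192.168.24.0 0.0.0.255
ip nat inside source list 1 interface ATM0.1 overload
ip route 0.0.0.0 0.0.0.0 87.194.220.1
"""

def iface_address(cfg, name):
    """ip_interface built from the 'ip address' line under 'interface <name>'."""
    pat = rf"^interface {re.escape(name)}\b.*\n(?: .*\n)*? ip address (\S+) (\S+)"
    m = re.search(pat, cfg, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")

def check_config(cfg):
    """Names of the consistency checks that fail; an empty list means all passed."""
    failed = []
    lan, wan = iface_address(cfg, "BVI1"), iface_address(cfg, "ATM0.1")
    # the NAT source list (access-list 1) should cover exactly the LAN network
    net, wild = re.search(r"^access-list 1 permit (\S+) (\S+)$", cfg, re.M).groups()
    if ipaddress.ip_network(f"{net}/{wild}") != lan.network:   # wildcard == hostmask
        failed.append("nat-acl-lan-mismatch")
    # the default route's next hop must sit on the ATM0.1 subnet supplied by the ISP
    nexthop = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", cfg, re.M).group(1)
    if ipaddress.ip_address(nexthop) not in wan.network:
        failed.append("default-route-nexthop-offlink")
    # the DHCP default-router must be the BVI address and lie in an excluded range
    gw = ipaddress.ip_address(re.search(r"^ +default-router (\S+)$", cfg, re.M).group(1))
    ranges = re.findall(r"^ip dhcp excluded-address (\S+) (\S+)$", cfg, re.M)
    covered = any(ipaddress.ip_address(a) <= gw <= ipaddress.ip_address(b) for a, b in ranges)
    if gw != lan.ip or not covered:
        failed.append("dhcp-gateway")
    # overload NAT needs both an inside and an outside interface marked
    if " ip nat inside" not in cfg or " ip nat outside" not in cfg:
        failed.append("nat-inside-outside")
    return failed
```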

Debugging

If you have problems, you can debug the ATM interface by issuing the following command:

debug atm events
debug atm errors

These, combined with the usual show interface commands, give CRC and header error counts, which can be useful.

Thanks for the tips, Sebastian @ http://www.seba-online.net/