Help! Cisco n00b!

Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
tolien said:
You don't use the colon in Windows telnet.

Are you trying to connect to the external IP from the inside?

No, I'm using Remote Software to access my PC at home, then using my external IP at work.

Stupid question, but do I need to open the telnet port?
 
Soldato
Joined
7 May 2003
Posts
4,247
Location
Away from here
Kingy said:
Stupid question, but do I need to open the telnet port?

Nope, not unless you want telnet access to the command line of your router from outside.

I don't see anything obviously wrong, but I've only had a couple of hours sleep since Monday night so my brain isn't functioning too well.

Do you really have a /24 from your ISP? The IP address assigned to Di0 has a 255.255.255.0 subnet.. that isn't the cause of your problems but I'd suggest correcting it.
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
Burbleflop said:
Do you really have a /24 from your ISP? The IP address assigned to Di0 has a 255.255.255.0 subnet.. that isn't the cause of your problems but I'd suggest correcting it.

I haven't got the foggiest :confused:

They said I should be using 255.255.255.248, but the router wouldn't accept it, so they said try the one above and it worked.

What's a /24 when it's at home?
 
Soldato
Joined
16 Aug 2004
Posts
6,325
Location
New Jersey, USA
Kingy said:
I haven't got the foggiest :confused:

They said I should be using 255.255.255.248, but the router wouldn't accept it, so they said try the one above and it worked.

What's a /24 when it's at home?

What ISP is it? That's pretty daft advice.

A /24 is CIDR notation for a block of 256 IP addresses.
 
Caporegime
Joined
16 May 2003
Posts
25,368
Location
::1
255.255.255.248 would make sense if you had a /29.

For what it's worth, my 877 has Di1 set to ip address negotiated - to get an IP from the ISP.
It certainly does accept 255.255.255.248 for me, though I remember having issues getting my 837 to swallow it when I migrated to Zen. IIRC it fixed after a reload.
 
Soldato
Joined
18 Oct 2002
Posts
2,714
tolien said:
For starters:


"Encrypted" or no, they're much better not there.

Aye, you can crack even enable passwords on Cisco routers. Had to resort to that in the past when a password was lost.

You can crack actual PIX passwords as far as I am aware tho, well not easily at least anyways.
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
tolien said:
255.255.255.248 would make sense if you had a /29.

For what it's worth, my 877 has Di1 set to ip address negotiated - to get an IP from the ISP.
It certainly does accept 255.255.255.248 for me, though I remember having issues getting my 837 to swallow it when I migrated to Zen. IIRC it fixed after a reload.

/cries I'm so confused. :(

What's a /29?

Do you have a static IP address with the above config?

I have a block of 8 fixed IPs (that I'm not using) and the static IP I've been using is the 'framed IP' that leads onto my range, apparently. :confused:
 
Soldato
Joined
7 May 2003
Posts
4,247
Location
Away from here
/29 = 255.255.255.248 in CIDR notation.

You're using the right IP address for Di0 on your router (otherwise you'd have no connectivity), but the subnet is wrong. The following commands typed into the command line of the router will sort that:

conf t
int di0
no ip address 62.3.253.44 255.255.255.0
ip address 62.3.253.44 255.255.255.248
end
end
wr mem
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
Burbleflop said:
/29 = 255.255.255.248 in CIDR notation.

You're using the right IP address for Di0 on your router (otherwise you'd have no connectivity), but the subnet is wrong. The following commands typed into the command line of the router will sort that:

conf t
int di0
no ip address 62.3.253.44 255.255.255.0
ip address 62.3.253.44 255.255.255.248
end
end
wr mem

Actually, the router wouldn't let me enter the /29 subnet mask against an IP of 82.103.105.240 (the first of my 8 IPs). It's allowed me to use the subnet you recommended on my framed IP via the GUI, which is hopefully a little more idiot-proof.

Incidentally, I've run a port scanner on my external IP address from home, and it says only port 21 is open! I haven't opened port 21!

Any thoughts?
 
Caporegime
Joined
16 May 2003
Posts
25,368
Location
::1
Kingy said:
Do you have a static IP address with the above config?

8. I've got a /29 from Zen.

Actually, the router wouldn't let me enter the /29 subnet mask against an IP of 82.103.105.240 (the first of my 8 IPs).

It should probably be 82.103.105.241, if the addresses were given to you as 82.103.105.240/29. Whois implies that there's a /24 involved though - 82.03.105.0-82.103.105.255.
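The mask arithmetic discussed in this exchange, as an added example that is not part of any poster's reply: it checks an address/mask pair and shows that 82.103.105.240 is the network address of its /29, leaving .241 as the first assignable host. The function name `check_interface_address` is hypothetical.

```python
import ipaddress

def check_interface_address(ip: str, mask: str) -> dict:
    """Validate an address/mask pair for use on an interface.

    Raises ValueError if the mask is not a contiguous netmask.
    """
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network            # enclosing subnet, host bits zeroed
    addr = iface.ip

    if addr == net.network_address:
        verdict = "rejected: network address of the subnet"
    elif addr == net.broadcast_address:
        verdict = "rejected: broadcast address of the subnet"
    else:
        verdict = "ok"

    hosts = list(net.hosts())      # assignable addresses only
    return {
        "cidr": str(net),
        "size": net.num_addresses,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "verdict": verdict,
    }

if __name__ == "__main__":
    # Address/mask pairs quoted in the thread.
    for ip, mask in [
        ("82.103.105.240", "255.255.255.248"),
        ("82.103.105.241", "255.255.255.248"),
        ("62.3.253.44", "255.255.255.0"),
    ]:
        print(ip, mask, check_interface_address(ip, mask))
```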
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
tolien said:
8. I've got a /29 from Zen.

It wouldn't connect to the internet at all when I set it as IP assigned.

tolien said:
It should probably be 82.103.105.241, if the addresses were given to you as 82.103.105.240/29. Whois implies that there's a /24 involved though - 82.03.105.0-82.103.105.255.

The router GUI lets me enter a subnet mask of 255.255.255.248 against the IP of 82.103.105.241, and I get an internet connection, but it fails the 'Test connection' test. When I ran the port scanner from home, it still said the only port open was 21 though. :confused:

I'll try resetting the router to factory defaults, and using the wizard to configure it with the new IP address/subnet mask as I think the firewall configuration will be different.
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
Right, I've updated SDM to version 2.3.1, and reset the router to factory settings, and gone through the set-up wizard again using 82.133.105.241 and 255.255.255.248. I have an internet connection, although it doesn't work straight away. On completing the wizard, I set the signalling to European, and the CD light comes on, but I can't get an internet connection using the above credentials unless I change them to 62.3.253.44 & 255.255.255.0. If I do that, the PPP light comes on on the router, and I can get on the internet. If I change the settings back to 82.133.105.241 & 255.255.255.248, the internet is fine, but unfortunately, none of the ports seem to be open.

Any thoughts?

All help appreciated. :)

Code:
Current configuration : 5624 bytes
!
! Last configuration change at 17:28:49 PCTime Thu Jun 22 2006 by *removed*
! NVRAM config last updated at 17:09:05 PCTime Thu Jun 22 2006 by *removed*
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco878
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 *removed*
!
username *removed* privilege 15 secret 5 *removed*
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name sbsonline.co.uk
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 82.133.105.241 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *removed*
 ppp chap password 7 *removed*
 ppp pap sent-username *removed* password 7 *removed*
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.10 2326 interface Dialer0 2326
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 82.133.105.240 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark PING-ECHO
access-list 101 permit icmp any any log
access-list 101 remark SMTP
access-list 101 permit tcp any host 192.168.0.1 eq smtp log
access-list 101 remark OWA
access-list 101 permit tcp any host 192.168.0.1 eq www log
access-list 101 remark RAdmin(Ad)
access-list 101 permit tcp any host 192.168.0.10 eq 2326 log
access-list 101 permit udp host 213.208.106.213 eq domain host 82.133.105.241
access-list 101 permit udp host 213.208.106.212 eq domain host 82.133.105.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 82.133.105.241 echo-reply
access-list 101 permit icmp any host 82.133.105.241 time-exceeded
access-list 101 permit icmp any host 82.133.105.241 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
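An added audit sketch (not part of the original post, and not Cisco or SDM code) that cross-checks the static NAT forwards in the config above against the permits in access-list 101. It assumes classic IOS ordering, where the inbound ACL on the outside interface is evaluated before NAT rewrites the destination, so a permit must name the outside address; the function name and the excerpted `CONFIG` string are illustrative.

```python
import re

# Lines copied from the running-config posted above (NAT forwards, ACL 101).
CONFIG = """\
ip nat inside source static tcp 192.168.0.10 2326 interface Dialer0 2326
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
access-list 101 permit tcp any host 192.168.0.1 eq smtp log
access-list 101 permit tcp any host 192.168.0.1 eq www log
access-list 101 permit tcp any host 192.168.0.10 eq 2326 log
access-list 101 deny   ip any any
"""

PORT_NAMES = {"smtp": 25, "www": 80}  # IOS keywords used in this config

NAT_RE = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)", re.M)
ACL_RE = re.compile(
    r"^access-list (\d+) permit tcp any host (\S+) eq (\S+)", re.M)

def audit_port_forwards(config: str, acl_id: str, outside_ip: str):
    """Report, per static TCP forward, whether the outside ACL admits
    the packet as it arrives (destination still the outside address)."""
    permits = set()
    for num, host, port in ACL_RE.findall(config):
        if num == acl_id:
            permits.add((host, PORT_NAMES.get(port) or int(port)))

    findings = []
    for inside_ip, inside_port, _iface, outside_port in NAT_RE.findall(config):
        if (outside_ip, int(outside_port)) in permits:
            status = "permitted"
        elif (inside_ip, int(inside_port)) in permits:
            status = "blocked: ACL names the inside address"
        else:
            status = "blocked: no matching permit"
        findings.append((int(outside_port), inside_ip, status))
    return findings

if __name__ == "__main__":
    for row in audit_port_forwards(CONFIG, "101", "82.133.105.241"):
        print(row)
```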
 
Soldato
OP
Joined
18 Oct 2002
Posts
3,400
Location
Leicester
tolien said:
I'm confused now (not helped that it's been one of those days) - where's the two different IP ranges coming from? :confused:

I'm told by Nildram that 62.3.253.44 is a framed IP that refers to our range of 8 fixed IPs, which is 82.133.105.240 - 82.133.105.247.

Edit: As I mentioned earlier, the PPP light doesn't come on with the 82.133.105.241/255.255.255.248 configuration, unless I change it to 62.3.253.44/255.255.255.0. The PPP light then remains lit if I change it back to 82.133.105.241/255.255.255.248. However, last night the internet connection appeared to drop overnight, and the PPP light was out on the router when I arrived this morning. A quick change of the IP config to 62.3.253.44/255.255.255.0, and the internet connection and PPP light came back online. I've changed it back again now to 82.133.105.241/255.255.255.248 and things are working.

So, using one of the range of IPs instead of the framed IP appears to have stability issues, while running a port scan from home on the 82.133.105.241 IP address still says that only the FTP port is open, which I haven't opened.

I'm so lost. :confused::(

Appreciate everyone's input :)
 