Cisco 831 3

[thetdz]

Bought a new Cisco 831 but I don't know how to configure.
I can't connect to CRWS at 10.10.10.1. Can't connect to internet (broadband modem).

I need to configure it for home use with more 2 computers attached on it. I have access to console interface thought putty.

ip settings from Netgear FVS114:
IP Address 85.139.xxx.xxx
Subnet Mask 255.255.254.0
Default Gateway 85.139.xxx.xxx
DHCP Server 212.113.164.25
DNS Server 212.113.164.26
212.113.164.27
Lease Obtained Sat, 2000-01-01 00:00:28
Lease Expires Sat, 2000-01-01 02:00:28

Please help

Thanks

 

[burtsbees]

Connect to the console of the 831...what does it say? Does it ask for username/password? If so, you can do a password recovery...
While consoled in,power cycle the router. Within 20 seconds or so after it is powered back on, send a break (shift/pause or ctrl/pause), and you get the
rommon1>
prompt. Then...
rommon1>confreg 2142
rommon2>reset
When it comes back up, answer no to the first question, and yes to the second (if it asks a second question---can't remember exactly what it asks---something like to enter configuration, and then to terminate auto-install). Then you get
router>
so...
router>en
router#erase start
router#conf t
router(config)#line vty 0 4
router(config-line)#password bla
router(config-line)#login
router(config-line)#exit
router(config)#line con 0
router(config-line)#password bla
router(config-line)#login
router(config-line)#exit
router(config)#enable password bla
router(config)#config-register 0x2102
router(config)#exit
router#wr
Then you can download SDM from Cisco.com and install it on your computer. You can then configure an IP address on the interface of the router, in the same subnet of the computer. Let's say your computer is 192.168.1.11...
router#conf t
router(config)#int e0
router(config-if)#ip add 192.168.1.12 255.255.255.0
router(config-if)#no shut
router(config-if)#end
router#wr
Like that. Then connect a straight-thru ethernet cable to your computer into any of the four ethernet ports on the back. You should then be able to use SDM to configure it (pretty simple---SDM is all GUI based).

Burt

 

[thetdz]

thanks but doesn't work.
I can't connect with SDM.

Router version:
Router>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support:

http://www.cisco.com/techsupport

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 00:10 by ealyon
Image text-base: 0x800131E8, data-base: 0x80AE5398

ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)
ROM: C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c831-k9o3y6-mz.123-2.XC2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

CISCO C831 (MPC857DSL) processor (revision 0x401) with 44237K/4915K bytes of memory.
Processor board ID FOC08500VQQ (1993943556), with hardware revision 0000
CPU rev number 7
Bridging software.
2 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102


ipconfig command shows me this:
C:\Users\ThePt>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Default Gateway . . . . . . . . . :

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Users\ThePt>

Thanks

 

[burtsbees]

post a sh run from the router

Burt

 

[thetdz]

Router>en
Password:
Router#sh run
Building configuration...

Current configuration : 923 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable password 3232
!
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet1
no ip address
shutdown
duplex auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
ip classless
no ip http server
no ip http secure-server
!
!
line con 0
password 3232
login
no modem enable
line aux 0
line vty 0 4
password 3232
login
!
scheduler max-task-time 5000
!
end

Router#

thanks

 

[burtsbees]

I'm not sure about those, but can you put an IP address on fa1-4? Also, what is the IP address on your computer?

Burt

 

[thetdz]

What do you mean with fa1-4? how I can do that?
My computer IP address is obtained thought my cable modem.
(Obtain an IP address automatically on TCP/IP)
I've installed the new Vista, if that helps.

Thanks a lot for your help. I recognize the effort and greatly appreciate it.

 

[burtsbees]

So it goes router-cable modem-pc???

It should go modem--router--pc, with a dhcp config to hand out IP addresses to your network, not the other way around...

Let's say the router interface that connects to the modem is interface e1...
router(config)#int e1
router(config-if)#ip add dhcp
router(config-if)#no shut
router(config-if)#end
router#
then verify after a minute with this...
router#sh int e1
or
router#sh ip route
then when the router e1 interface gets an IP address, do this for dhcp...
router#conf t
router(config)#int e0
router(config-if)#ip add 192.168.1.1 255.255.255.0
router(config-if)#no shut
router(config-if)#exit
router(config)#ip dhcp pool my_pool
router(config-dhcp)#net 192.168.1.0 255.255.255.0
router(config-dhcp)#default-router 192.168.1.1
router(config-dhcp)#dns-server x.x.x.x

this will be the dns server for your cable modem

router(config)#ip name-server x.x.x.x

this will also be the dns server for your cable modem

router(config)#exit
router#wr

then do this on the pc...

C:\Users\ThePt>ipconfig /release
C:\Users\ThePt>ipconfig /renew

then...

C:\Users\ThePt>ipconfig

see what the IP address is...you still need this config in the router as well for sdm to work...

router#conf t
router(config)#username bla priv 15 password blabla
router(config)#ip http server
router(config)#ip http authentication local
router(config)#do wr
router(config)#exit

Burt

 

[burtsbees]

Let me know when the router can communicate with the modem---the only other thing to do is NAT, and usually this is done in the router with this set up---the modem would need to be in bridge mode. I can help after you have done everything else---you can use sdm to secure the router with a firewall config and more acl entries, like denying RFC 1918 addresses as the source, no service tcp-small-servers, no service udp-small-servers, no service finger, etc.

Burt

 

[thetdz]

Sorry, but I can't get any communication with router with this config entries. Entered the information twice but didn't work. After some time the router computer light goes off.

I've entered another config entries that you have written in someone else thread and now I can communicate using SDM.
thread:

http://www.tek-tips.com/viewthread.cfm?qid=1404056

The problems now is I don't have internet.

I've contacted my ISP and they told me that modem will get automatically the DNS server and IP.
The dns server is not always the same and the IP address is static.
The DNS-server can be 212.113.164.26 to 212.113.164.36
DHCP server is always 212.113.164.25

Thank you for your help.
I'm really newbie with Cisco routers.

 

[burtsbees]

Put the modem in bridge mode. Then you need a NAT config in the router...
int e1
ip nat outside
int e0
ip nat inside
ip nat inside source list 117 int e1 overload
access-list 117 permit ip 192.168.1.0 0.0.0.255

Burt

 

[burtsbees]

This will work, if the interface that connects to the modem is e1, and the interface with the switchports connecting to your LAN is e0.

Burt

 

[thetdz]

I got this error when I entered this command:
access-list 117 permit ip 192.168.1.0 0.0.0.255
% Incomplete command.

one question.

I've entered this values:
dns-server 212.113.164.26
ip name-server 212.113.164.26

Is that correct?


Thank you very much.

 

[thetdz]

Burt,
I did it!!!

Building configuration...

Current configuration : 1797 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$L..2$wMQhZ/PzUn.RNfas96VSU.
enable password mypass
!
username CRWS_Sangeetha privilege 15 password 0 $1$W1fA$o1oSEpa1092723769
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool thept_router
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.113.164.26
!
ip dhcp pool CLIENT
import all
default-router 192.168.1.1
lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
no ip redirects
ip nat outside
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source list 117 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
line con 0
password mypass
logging synchronous
login
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end


Please take a look on my config file and please say if it is ok.


I could not have done this without your help.
Thank you very much.
Paulo

 

[burtsbees]

Yes, but clean the unnecessary files...

Router>en
Router#conf t
Router(config)#no ip nat inside source list 102 int e1 overload
Router(config)#no ip nat inside source list 117 int e1 overload

and add the dns server so that the router can use it...

Router(config)#ip name-server 212.113.164.26

The nat acl is fine---the extended list I gave...

access-list 117 permit ip 192.168.1.0 0.0.0.255

was supposed to be

access-list 117 permit ip 192.168.1.0 0.0.0.255 any

but that's okay---you're using acl 1, so everything looks good so far. Now just secure it with a few more access-lists and a firewall config, like this...

Router(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)#access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)#access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)#access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
Router(config)#access-list deny ip 224.0.0.0 7.255.255.255 any log
Router(config)#access-list 103 deny ip host 0.0.0.0 any log
Router(config)#access-list 103 deny ip 255.0.0.0 0.255.255.255 any log
Router(config)#access-list 103 permit ip any any
Router(config)#int e1
Router(config-if)#ip access-group 103 in
Router(config-if)#exit
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no service finger
Router(config)#no service nagle
Router(config)#no ip source-route
Router(config)#no service bootp
Router(config)#logging buffered 64000 debugging
Router(config)#service tcp-keepalives-in
Router(config)#service tcp-keepalives-out
Router(config)#security authentication failure rate 2 log

Also, reduce the MTU on the incoming interface...this should be done on broadband connections...

Router(config)#int e1
Router(config-if)#ip mtu 1492
Router(config-if)#ip tcp adjust-mss 1452
Router(config-if)#end
Router#wr

Post a sh ver like this...

Router#sh ver

and post what it says---if you have an advanced firewall feature set, I can post a complete firewall config also (CBAC and maybe TCP Intercept, but I doubt your router supports TCP Intercept). Or, you can configure the firewall via SDM.

Burt

 

[thetdz]

I've got an error:
no service bootp (error)

Router#sh ver
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.4(12c), RELEASE SOFTWARE (fc1)
Technical Support:

http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 13-Jul-07 11:16 by prod_rel_team

ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)

Router uptime is 22 minutes
System returned to ROM by reload
System image file is "flash:c831-k9o3sy6-mz.124-12c.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco C831 (MPC857DSL) processor (revision 0x401) with 44237K/4915K bytes of memory.
Processor board ID FOC08500VQQ, with hardware revision 0000
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

Router#

Yes, I've a advanced firewall option but I don't know what I should to do with it.

Thanks,
Paulo

 

[thetdz]

I forgot to put here the latest config-file:

Router#sh run
Building configuration...

Current configuration : 2449 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging buffered 64000 debugging
enable secret 5 $1$L..2$wMQhZ/PzUn.RNfas96VSU.
enable password mypass
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool thept_router
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.113.164.26
!
ip dhcp pool CLIENT
import all
default-router 192.168.1.1
lease 0 2
!
!
ip cef
!
!
!
username CRWS_Sangeetha privilege 15 password 0 $1$W1fA$o1oSEpa1092723769
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 103 in
no ip redirects
ip mtu 1492
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
no cdp enable
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 224.0.0.0 7.255.255.255 any log
access-list 103 deny ip host 0.0.0.0 any log
access-list 103 deny ip 255.0.0.0 0.255.255.255 any log
access-list 103 permit ip any any
access-list 117 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
!
line con 0
password mypass
logging synchronous
login
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end

Router#disable
Router>

Thanks,
Paulo

 

[burtsbees]

For the firewall, i would be a lot quicker to use SDM. To see what your image can do, go here...

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

and select "Search by Image", and enter your image name, which is this...

c831-k9o3sy6-mz.124-12c.bin

And it gives you a complete list of all the features that IOS image supports, with links to explanations of each feature.

Burt

 

[addiction]

Burt,

first I would like to thank you for this post. I'm a total cisco newbie, and I've had the Cisco 831 for 6 months and didn't know what to do with it. After reading your post, I now have a nice router that was just a doorstop in my room. I know this post is old and didn't want to drug it up, but I just wanna thank you!

Now I have a simple question. How do I find out the name of my "dhcp pool"? I know I have a dhcp pool working because my PCs can acquire IP, but I just don't know its name!

 

[burtsbees]

router>en
router#sh ip dhcp pool

Mine is named "yo"

Pool yo :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.68.68.1 10.68.68.1 - 10.68.68.254 0


Burt