Viewing/Modifying Cisco 1760 Router Configs

Status
Not open for further replies.

robertsIT

IS-IT--Management
Jan 18, 2005
16
ZM
Hope I have the right forum...

Anyway, I am really new to all this and, as you will note, quite inexperienced...

I am running a Win 2000 Server, which I am using mainly as a mail server, connected to the internet through a Cisco 1760 router. To cut the long story short - the guy who did the configs has long disappeared off the face of this earth...

The thing is, I am trying to set up a VPN tunnel and will obviously need to access the configurations on the router...

Q1. How can I do this? Is there software I can download that has a user-friendly interface to get me in there...

Q2. I will also need to make modifications to the access lists etc. and the same question applies... Is there software, or how can I do this?

Info on this, reference websites etc. would be highly appreciated as I am trying to learn all this so that I can run my VPN tunnel...

 
Yes I did... but I was unable to download it... I tried looking for the smartnet contract but could not find it... so I could not get the login info.

The rest of it looks like this...

User Access Verification

Password:
my Router>enable
Password:
Zambia#show run
Building configuration...

Current configuration : 4210 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Zambia
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FOFW tcp
ip inspect name FOFW udp
ip inspect name FOFW ftp
ip inspect name FOFW realaudio
ip inspect name FOFW smtp
ip inspect name FOFW streamworks
ip inspect name FOFW vdolive
ip inspect name FOFW tftp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key ipsec57 address xx.xxx.xx.x
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set single esp-des esp-sha-hmac
crypto ipsec transform-set triple esp-3des esp-sha-hmac
!
crypto map singlemap 10 ipsec-isakmp
set peer 12.111.50.4
set transform-set single
match address 110
!
crypto map triplemap 10 ipsec-isakmp
set peer 12.111.50.4
set transform-set triple
match address 110
!
!
!
interface Ethernet0/0
ip address
ip nat outside
ip virtual-reassembly
half-duplex
no cdp enable
!
interface FastEthernet0/0
ip address
ip access-group block_worm in
ip nat inside
ip virtual-reassembly
speed auto
no cdp enable
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
ip classless
ip route
no ip http server
no ip http secure-server
ip nat inside source list browse interface Ethernet0/0 overload
ip nat inside source route-map ipsec57 pool nataddr overload
ip nat inside source static
!
!
!
ip access-list extended block_worm
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny tcp any any eq 137
deny tcp any any eq 139
deny udp any any eq 135
deny tcp any any eq 135
deny udp any any eq 1434
deny tcp any any eq 1434
deny tcp any any eq 901
deny udp any any eq 901
deny udp any any eq 445
deny tcp any any eq 445
deny tcp any any eq 1080
deny udp any any eq 1080
permit icmp any
permit icmp any
permit icmp
permit icmp
permit icmp
permit icmp
permit icmp
deny icmp any any
permit ip any any
ip access-list extended browse
deny ip host xx.xx.x.x any
permit ip xx.xx.0.0 0.0.0.xxx any
access-list 23 permit
access-list 23 permit
access-list 23 permit
access-list 23 permit
access-list 23 permit
access-list 103 permit ip
access-list 103 permit udp xxx any eq isakmp
access-list 103 permit esp xxx any
access-list 103 permit ahp xxx any
access-list 103 permit icmp any any
access-list 103 deny ip xxx any
access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 110 permit xxx
access-list 110 permit ip xxx
access-list 110 permit ip xxx
access-list 120 deny ip xxx
access-list 120 deny ip xxx
access-list 120 permit ip xxx any
!
route-map ipsec57 permit 10
match ip address 120
!
!
control-plane
!
!
line con 0
password
login
line aux 0
password
login
modem InOut
transport input all
autoselect arap
stopbits 1
speed 57600
flowcontrol hardware
line vty 0 4
password
login
line vty 5 15
password
login
!
end

 
Have a couple of observations for you.

See, the reason one policy is only des and one 3des is that there is a cryptomap for each one. One thing I did not see is the cryptomap applied to any interface. I believe you are right that access-list 23 is not used. Typically this list would be for assigning telnet access on the vty lines. I also see IP firewall configurations without having them applied either. A person would need to know your goals for your network, services you want enabled on the router, IP addressing for the networks involved (substitute made-up addresses for real info and then you change to your network), type of WAN connections between sites, remote site equipment. Is this router in service right now? There are some things in your config that don't need to be there.

You should contact the Cisco contract center and they can look up your router serial number to see if there is a smartnet contract. If none, they can also tell you if it qualifies for smartnet. You can get a smartnet contract for a few hundred and it will be well worth it. It will give you access to IOS downloads and other software downloads like SDM and, most importantly, to TAC for assistance.
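
The observations in the reply above (crypto maps, access-list 23 and the inspect rule defined but never applied) can be checked mechanically. This Python sketch is an added example, not part of the thread: the sample config is constructed with placeholder addresses, the names `unreferenced`, `DEFINE` and `USE` are illustrative, and it generalizes the check to any ACL, crypto map or inspect rule.

```python
import re

# Constructed sample: an abridged config shaped like the one in the thread,
# with made-up addresses in place of the redacted values.
SAMPLE = """\
ip inspect name FOFW tcp
crypto map triplemap 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 110
interface Ethernet0/0
 ip nat outside
interface FastEthernet0/0
 ip access-group block_worm in
 ip nat inside
ip nat inside source list browse interface Ethernet0/0 overload
ip access-list extended block_worm
 permit ip any any
ip access-list extended browse
 permit ip 10.0.0.0 0.0.0.255 any
access-list 23 permit 10.0.0.5
access-list 110 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
line vty 0 4
 login
"""

DEFINE = {  # object kind -> regex capturing the name where it is defined
    "acl": r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)",
    "crypto map": r"^crypto map (\S+) \d+",
    "inspect rule": r"^ip inspect name (\S+)",
}
USE = {  # object kind -> regexes capturing the name where it is applied
    "acl": [r"^\s*ip access-group (\S+) (?:in|out)",
            r"^\s*access-class (\S+) (?:in|out)",
            r"^\s*match (?:ip )?address (\S+)",
            r"^ip nat inside source list (\S+)"],
    "crypto map": [r"^\s*crypto map (\S+)\s*$"],   # bare form used on an interface
    "inspect rule": [r"^\s*ip inspect (\S+) (?:in|out)"],
}

def unreferenced(config):
    """Return (kind, name) pairs that are defined but never applied."""
    found = []
    for kind, pattern in DEFINE.items():
        defined = set(re.findall(pattern, config, re.M))
        used = {m for p in USE[kind] for m in re.findall(p, config, re.M)}
        found += [(kind, name) for name in sorted(defined - used)]
    return found

if __name__ == "__main__":
    for kind, name in unreferenced(SAMPLE):
        print(f"{kind} {name!r} is defined but not applied anywhere")
```

An ACL referenced only by an unapplied crypto map (110 in the sample) still counts as used, so clear the crypto map finding first and re-run.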