Author archive for glazenbakje

06 Oct 09

Some Configuration Tips with an IP Range of 4 or more IP addresses

Some useful tips for when you configure a Cisco Router or ASA and have 4 or more IP addresses in the range you get from your ISP.
In the past I noticed that, when creating a configuration, I frequently used the first IP address of the range I got from my ISP for everything.

I noticed this wasn't a good idea for some facilities you can use on your Router or ASA. For example, if you want to use SSL VPN on your Router or ASA, you need to open the HTTP and HTTPS ports (80 and 443). But those same ports are also needed when you publish web services from your local network to the outside world, such as Outlook Web Access or Citrix Web Access, which use port 80 and/or port 443.

Now, when I have an IP range of 4 addresses I can use, I give the router or ASA only the master IP address (the first one in the list).

Example: I have the IP range 192.168.10.1 – 192.168.10.7 with subnet mask 255.255.255.248
  1. Router IP address will be: 192.168.10.1
  2. Mail IP address will be: 192.168.10.2
  3. Citrix IP address will be: 192.168.10.3
I can now use the router IP address to configure SSL VPN (a web-based VPN where the first logon is used to install the AnyConnect VPN client). I also use this IP address for the VPN tunnels to other offices.

With this scheme I know exactly which address is used for what. It also prevents you from leaving addresses unused that you will forget about in the future, and it keeps configuration options open that you may need later.

This construction can also be used on Cisco IOS Routers.
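As an added illustration (not configuration from the original post) of the scheme above on an IOS router: the /29 from the post with the first address kept for the router itself and the next two mapped to internal servers. The WAN interface FastEthernet4 and the inside hosts 10.10.0.10 (mail) and 10.10.0.11 (Citrix) are assumed for illustration.

```cisco
! Added example (not from the original post): the /29 from the post,
! 192.168.10.1-192.168.10.7 mask 255.255.255.248, with the first address
! kept for the router and the next two mapped to internal servers.
! WAN interface FastEthernet4 and the inside hosts 10.10.0.10 (mail)
! and 10.10.0.11 (Citrix) are assumed for illustration.
interface FastEthernet4
 description WAN - ISP range 192.168.10.0/29
 ip address 192.168.10.1 255.255.255.248
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! 192.168.10.2 -> mail server (Outlook Web Access),
! 192.168.10.3 -> Citrix Web Access. Only 80/443 are forwarded, so the
! router's own 192.168.10.1 keeps 80/443 free for the SSL VPN gateway
! and UDP 500/4500 free for the site-to-site IPsec tunnels.
ip nat inside source static tcp 10.10.0.10 80 192.168.10.2 80 extendable
ip nat inside source static tcp 10.10.0.10 443 192.168.10.2 443 extendable
ip nat inside source static tcp 10.10.0.11 80 192.168.10.3 80 extendable
ip nat inside source static tcp 10.10.0.11 443 192.168.10.3 443 extendable
!
! Outbound traffic from the LAN is PAT'ed behind the router address.
ip nat inside source list NAT_LAN interface FastEthernet4 overload
ip access-list standard NAT_LAN
 permit 10.10.0.0 0.0.0.255
!
! SSL VPN gateway bound to the router address only; it cannot collide
! with the published web servers because those live on .2 and .3.
webvpn gateway SSLVPN_GW
 ip address 192.168.10.1 port 443
 http-redirect port 80
 inservice
```

"show ip nat translations" afterwards shows the four static entries on .2 and .3 and nothing on .1, which is the quick check that the router address really stayed free.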

30 Sep 09

Cisco Inter-VLAN Configuration: Cisco Router 871 and Cisco Catalyst 2960

Today I was busy with a configuration between a Cisco Router 871 and a Cisco Catalyst 2960. It was in an environment with lots of other switches (Catalyst 3560 PoE), so I had to create a good routing infrastructure.

Situation: Cisco Catalyst 3560 (main infrastructure), Cisco Catalyst 2960 (customer infrastructure), Cisco Router 871 (customer Internet device)

I had to create a trunk from the main infrastructure to the customer infrastructure. This was the easy part.
The main infrastructure contained a VTP domain including a VTP server, so the customer infrastructure needed to become part of the main infrastructure. Since this was the easy part, I created that first. Second, I had to prepare the Internet connection, which I did with the Cisco Router 871.

On the Cisco Router 871 I configured the usual things, like in the other configurations on my weblog, except for the additions below that I had to make on the Cisco Router 871.

vlan 2
 name <voice-lan>
!
vlan 181
 name <customer-name>

interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 181
!
interface FastEthernet2
 switchport access vlan 181
!
interface FastEthernet3
 switchport access vlan 181
 switchport voice vlan 2

A static route to the Cisco Catalyst 2960:

ip route < network > < subnet > < switch ip address >

Added VLAN interfaces on the Cisco Router 871:

interface Vlan1
 description LAN < your line >
 ip address < native network id > 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan181
 description LAN < your own text >
 ip address < Customer network id> 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan2
 description LAN < your own text > 
 ip address < Voice Lan ID > 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT

On the switch side it wasn't that special, just one interface for trunking:

interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
!
ip default-gateway < ip address router >

Make sure to note: use a crossover cable, otherwise both ports (on the switch as well as on the router) will have the status DOWN.
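As an added example (not the post's own configuration), the same trunk with the VLAN list limited to the VLANs the post uses, DTP disabled on both ends, and the customer access ports protected against someone plugging in a switch. The 871's integrated switch ports are assumed to accept the same "switchport trunk" commands as the 2960.

```cisco
! Added example (not the post's own configuration): the same trunk with
! the VLAN list limited to the VLANs the post uses (1, 2 and 181), DTP
! disabled on both ends, and the customer access ports protected against
! a switch being plugged in. The 871's integrated switch ports are
! assumed to accept the same "switchport trunk" commands as the 2960.
!
! --- Cisco 871 ---
interface FastEthernet0
 description Trunk to Catalyst 2960 Gi0/2
 switchport mode trunk
 switchport trunk allowed vlan 1,2,181
 switchport nonegotiate
!
! --- Catalyst 2960 ---
interface GigabitEthernet0/2
 description Trunk to Cisco 871 Fa0
 switchport mode trunk
 switchport trunk allowed vlan 1,2,181
 switchport nonegotiate
!
! Customer-facing access ports: fixed to VLAN 181, never negotiate a
! trunk, and go err-disabled if a bridge (BPDU) shows up behind them.
interface range FastEthernet0/1 - 24
 description Customer hosts
 switchport mode access
 switchport access vlan 181
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify on either side that exactly VLANs 1, 2 and 181 are forwarding:
! show interfaces trunk
! show vlan brief
```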

19 Sep 09

Cisco Configuration Professional Tool

I would like to explain the Cisco Configuration Professional tool. You could say this is a really upgraded version of the Cisco Configuration Assistant as well as of the former SDM software that you found on Cisco routers.

This configuration tool is specially designed for the smaller Cisco 28xx and up routers, but it also works for the lighter small business routers: the Cisco 87x / 88x / 89x / 18xx series.

I have been using it for a couple of weeks now and I am really impressed with this tool, especially when I want to configure Cisco SSL VPN on a Cisco 2821 ISR or Cisco 877 router; it helps a lot compared to configuring it from the CLI.

Cisco Configuration Professional is available in two variants: a router-based (flash) version, CCP Express, and a standalone version for the computer, CCP (with the voice module).

[Screenshots: Cisco Configuration Professional community list; discovered devices]

I would suggest experimenting with the tool. The tool works under Windows up to Windows 7 (I run this OS version), but then you need to start the program in administrative mode, otherwise you aren't able to use the program.

Info: http://www.cisco.com/en/US/products/ps9422/tsd_products_support_series_home.html

15 Sep 09

Cisco Router 877 configuration in the UK with BT internet

A few weeks back I had to do an installation for my work in the UK.
We had some problems getting the connection working, and I had to find out which configuration I had to use.

The main problem was finding the configuration we needed, because my colleague and I are used to configuring Dutch Internet connections with Dutch ISPs.

But after some searching I found the configuration we needed. Below is what you need to use.

interface ATM0
 description ADSL British Telecom number : <telephonenumber> order number : <ordernumber>
 no ip address
 ip route-cache policy
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
!
 dsl operating-mode auto
!
interface Vlan1
 description LAN < network information >
 ip address < ip address> <subnetmask>
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer10
 description ADSL British Telecom on number : < telephonenumber> order number : <ordernumber>
 ip address negotiated
 ip access-group ACL_DIALER10_IN in
 ip access-group ACL_DIALER10_OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect FW_DIALER10_IN in
 ip inspect FW_DIALER10_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 ip route-cache flow
 dialer pool 10
 dialer idle-timeout 0
 dialer-group 10
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <your BT HOSTNAME>
 ppp chap password <your BT password>
 ppp pap sent-username <your BT username> password < your BT password >
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip cef
!
ip access-list extended ACL_DIALER10_IN
 remark DHCP <ISP>
 permit udp any any eq bootpc
 permit udp any any eq bootps
!
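The Dialer10 configuration above refers to a dialer-list, a NAT rule, two inspect rules and an outbound ACL that the post does not show. As an added example (not the post's own configuration) here is one way to define them; the names match the post, and the LAN range 192.168.1.0/24 is assumed.

```cisco
! Added example (not from the original post): the objects that the
! Dialer10 configuration above refers to but the post does not show.
! Names match the post; the LAN range 192.168.1.0/24 is assumed.
!
! dialer-group 10 needs a dialer-list that defines "interesting" traffic,
! otherwise the PPP session never comes up.
dialer-list 10 protocol ip permit
!
! NAT: "ip nat inside" on Vlan1 and "ip nat outside" on Dialer10 do
! nothing without a translation rule. PAT behind the negotiated address.
ip nat inside source list NAT_LAN interface Dialer10 overload
ip access-list standard NAT_LAN
 permit 192.168.1.0 0.0.0.255
!
! CBAC rules referenced by "ip inspect FW_DIALER10_OUT out": sessions
! leaving over Dialer10 are tracked and their return traffic is let back
! in past ACL_DIALER10_IN, so that ACL can stay nearly empty.
ip inspect name FW_DIALER10_OUT tcp
ip inspect name FW_DIALER10_OUT udp
ip inspect name FW_DIALER10_OUT icmp
! The "in" rule only matters if you publish services from the LAN;
! with nothing published it is defined but never matches.
ip inspect name FW_DIALER10_IN tcp
!
! Inbound ACL: DHCP as in the post, the ICMP types that path-MTU
! discovery on the 1492-byte PPPoA link depends on, then a logged deny.
ip access-list extended ACL_DIALER10_IN
 remark DHCP <ISP>
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Outbound ACL. Caveat: NAT has already run when this ACL is evaluated,
! so the source is the Dialer10 address, not 192.168.1.x; matching on the
! LAN range here would block everything. Filter on destination instead.
ip access-list extended ACL_DIALER10_OUT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
```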

14 Jun 09

Cisco IOS Router vpn tunnel to Netscreen 5GT

A few years back I tried to configure a Cisco IOS router to a Netscreen and that didn't work out.
Since a few days I now know how it should be done: I found a weblog of someone else who got it working. What you need to do is shown below.

Cisco IOS Router:

crypto logging session
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key < Enter shared Key > address < destination add >
!
! note: despite its name this transform-set uses MD5 HMAC (esp-md5-hmac),
! which matches the Netscreen p2-proposal "cisco" below (aes128 md5)
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
!
crypto map < map name > 11 ipsec-isakmp
 set peer < destination add >
 set transform-set aes-sha
 set pfs group2
 match address << ACL Name >>
!
interface Dialer10
 crypto map < map name >
!
ip access-list extended << ACL Name >>
 permit ip < source add LAN > < destination add LAN >

Netscreen configuration:

set interface "untrust" zone "V1-Untrust"

set address "V1-Trust" "<LAN Local Name>" < source ip range / subnet >
set address "V1-Untrust" "<LAN Remote Name>" < destination ip range / subnet >

set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600

set ike gateway "< GW Name >" address < destination outside add > Main outgoing-zone "V1-Untrust" preshare "< preshared key >" proposal "pre-g2-3des-sha"

set vpn "< Local VPN Name >" proxy-id local-ip < local ip range/24 > remote-ip < remote ip range/24 > "ANY"

set vpn "< Local VPN Name >" gateway "< GW Name >" replay tunnel idletime 0 proposal "cisco"

Use the browser interface to move these policies to the top of the policy list:
set policy id 26 from "V1-Trust" to "V1-Untrust" "<LAN Local Name>" "<LAN Remote Name>" "ANY" tunnel vpn "< Local VPN Name >" id 3 pair-policy 25

set policy id 25 from "V1-Untrust" to "V1-Trust" "<LAN Remote Name>" "<LAN Local Name>" "ANY" tunnel vpn "< Local VPN Name >" id 3 pair-policy 26

Set the workstation MTU size to 1300.

See the original link.
Source: http://blog.mozilla.com/mrz/2007/07/16/ipsec-vpn-between-cisco-ios-netscreen-solved/



