Friday, June 25, 2010

Blogger Buzz: Blogger integrates with Amazon Associates

How To Change Router configuration from NAT to Routing : cisco

1. Log in to the router and change the existing private IP address on the LAN interface to the public IP address with the appropriate subnet mask.

2. After the change (private to public IP), remove all NAT commands and the related access lists that support NAT on the router.

The commands to remove are as follows:

no ip nat inside (on the LAN interface)
no ip nat outside (on the WAN interface, normally Vlan1)
Remove the NAT access list: no ip access-list standard for_NAT
Disable DHCP if it exists in the previous configuration.


3. Then restart the LAN interface with the shut and no shut commands so that the changes take effect. The client needs to make the required changes on their own devices.

4. When the connection is back up, check Internet access through the router by pinging our DNS server IP (209.250.128.6 or 209.250.128.8) with an extended source, as follows:

ping 209.250.128.6 source f0

Here f0 is assumed to be the client LAN interface.

5. If the ping reaches the outside, the configuration changes are OK; otherwise, check the configuration changes again carefully.

Gre Tunnel

End A Configuration
----------------------------

1. Create a GRE tunnel interface (any tunnel number can be used)

Router(config)#interface Tunnel1
Router(config-if)#description Gre Tunnel to Remote Location

2. Assign an IP address to the tunnel
Router(config-if)#ip address 10.10.0.1 255.255.255.252

3. Set the public source address of Tunnel1, from which the tunnel is initiated
Router(config-if)#tunnel source Vlan1
where x.x.x.x is the IP address of Vlan1 and is the source/WAN IP of this router

4. Set the public destination address where the tunnel terminates
Router(config-if)#tunnel destination y.y.y.y
where y.y.y.y is the destination public IP address

5. The following is the configuration of the LAN interface port.

Router(config)#interface FastEthernet0
Router(config-if)#description Local Lan IP
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside

6. The following is the configuration of the WAN interface port.

Router(config)#interface Vlan1
Router(config-if)#description Cisco IP
Router(config-if)#ip address x.x.x.x 255.255.255.252
Router(config-if)#ip nat outside

7. Default route pointing to the Internet using Pathway.

ip route 0.0.0.0 0.0.0.0 Pathway

8. Remote LAN route pointing to the other end's IP of GRE Tunnel1

ip route 192.168.2.0 255.255.255.0 10.10.0.2





End B Configuration
---------------------------

1. Create a GRE tunnel interface (any tunnel number can be used)

Router(config)#interface Tunnel1
Router(config-if)#description Gre Tunnel to Remote Location

2. Assign an IP address to the tunnel
Router(config-if)#ip address 10.10.0.2 255.255.255.252

3. Set the public source address from which the tunnel is initiated
Router(config-if)#tunnel source Vlan1
where y.y.y.y is the IP address of Vlan1 and is the source/WAN IP of this router

4. Set the public destination address where the tunnel terminates
Router(config-if)#tunnel destination x.x.x.x
where x.x.x.x is the destination public IP address

5. The following is the configuration of the LAN interface port.

Router(config)#interface FastEthernet0
Router(config-if)#description Local LAN_IP
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside

6. The following is the configuration of the WAN interface port.

Router(config)#interface Vlan1
Router(config-if)#description Cisco IP
Router(config-if)#ip address y.y.y.y 255.255.255.252
Router(config-if)#ip nat outside

7. Default route pointing to the Internet using Pathway.

ip route 0.0.0.0 0.0.0.0 Pathway

8. Remote LAN route pointing to the other end's IP of GRE Tunnel1 (End A's tunnel address, 10.10.0.1)

ip route 192.168.1.0 255.255.255.0 10.10.0.1
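
A consistency check for the two GRE endpoints above, as an added example (not code from the original post). It assumes Python 3.8+ and running-config style text; the sample configs are constructed, with documentation-range addresses standing in for x.x.x.x and y.y.y.y, and `parse` and `check_pair` are names chosen here.

```python
import ipaddress
import re

# Constructed configs modelled on End A / End B above; 198.51.100.2 and
# 203.0.113.2 are documentation addresses standing in for x.x.x.x / y.y.y.y.
END_A = """
interface Tunnel1
 ip address 10.10.0.1 255.255.255.252
 tunnel destination 203.0.113.2
interface Vlan1
 ip address 198.51.100.2 255.255.255.252
ip route 192.168.2.0 255.255.255.0 10.10.0.2
"""
END_B = """
interface Tunnel1
 ip address 10.10.0.2 255.255.255.252
 tunnel destination 198.51.100.2
interface Vlan1
 ip address 203.0.113.2 255.255.255.252
ip route 192.168.1.0 255.255.255.0 10.10.0.1
"""

def parse(cfg):
    """Return ({interface: IPv4Interface}, tunnel destination, static next hops)."""
    addrs, dest, hops, cur = {}, None, [], None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" +ip address (\S+) (\S+)", line):
            addrs[cur] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r" +tunnel destination (\S+)", line):
            dest = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"ip route (?!0\.0\.0\.0 )\S+ \S+ ([\d.]+)$", line):
            hops.append(ipaddress.ip_address(m.group(1)))  # default route skipped
    return addrs, dest, hops

def check_pair(cfg_a, cfg_b):
    """List mismatches between two GRE endpoints; an empty list means consistent."""
    (a_if, a_dst, a_hops), (b_if, b_dst, b_hops) = parse(cfg_a), parse(cfg_b)
    problems = []
    if a_if["Tunnel1"].network != b_if["Tunnel1"].network:
        problems.append("tunnel addresses are not in the same subnet")
    if a_dst != b_if["Vlan1"].ip or b_dst != a_if["Vlan1"].ip:
        problems.append("tunnel destination is not the peer WAN address")
    for end, hops, peer in (("A", a_hops, b_if), ("B", b_hops, a_if)):
        problems += [f"End {end}: next hop {h} is not the peer tunnel IP"
                     for h in hops if h != peer["Tunnel1"].ip]
    return problems
```

A remote-LAN route whose next hop is mistyped (for instance 10.10.10.1 instead of 10.10.0.1) is reported by `check_pair`, while the tunnel interface itself would still show as up.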

How to Configure Site-to-Site VPN in Cisco Routers


1. Create an Internet Key Exchange (IKE) policy. The policy used in our case is number 10, and it requires a pre-shared key.

Router(config)#crypto isakmp policy 10

Router(config-isakmp)#hash md5

Router(config-isakmp)#authentication pre-share

Router(config-isakmp)#encryption 3des

Router(config-isakmp)#group 2

Router(config-isakmp)#lifetime 28800

2. Set up the shared key that will be used in the VPN,

Router(config)#crypto isakmp key 1q2w3e4r address X.X.X.X no-xauth

where,

1q2w3e4r is the shared key that you will use for the VPN, and remember to set the same key on the other end.

X.X.X.X is the static public IP address of the other end.

3. Now we set lifetime for the IPSec security associations,

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

where YYYYY is the association’s lifetime in seconds. It is usually set to 86400, which is one day.

4. Define the transform set that will be used for this VPN connection,

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

SETNAME is the name of the transform set. You can choose any name you like.

BBBB and CCCCC are the transforms in the set. I recommend the use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of these two will do the job.

5) After defining all the previous things, we need to create a crypto map that associates the access-list with the other site and the transform set.

Router(config)#crypto map MAPNAME 10 ipsec-isakmp

Router(config-crypto-map)#set peer X.X.X.X

Router(config-crypto-map)#set transform-set SETNAME

Router(config-crypto-map)#match address 123

where,

MAPNAME is a name of your choice for the crypto map

X.X.X.X is the static public IP address of the other end

SETNAME is the name of the transform set that we configured in step 4

123 is the number of the access-list that we create to define the traffic in step 7

6) The last step is to bind the crypto-map to the interface that connects the router to the other end.

Router(config-if)#crypto map MAPNAME

where MAPNAME is the name of the crypto-map that we defined in step 5

7) Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,

Router(config)#access-list 123 permit ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B

where,

123 is the access-list number

X.X.X.X Y.Y.Y.Y is the source of the data allowed to use the VPN link.

A.A.A.A B.B.B.B is the destination of the data that needs to pass through the VPN link.

8) Deny the traffic of access-list 123 in the NAT access-list (these entries are entered inside the extended NAT access-list),

Router(config-ext-nacl)#deny ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B
Router(config-ext-nacl)#permit ip X.X.X.X Y.Y.Y.Y any

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.


For troubleshooting purposes, you can use the following commands:

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

show crypto map
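
Steps 7 and 8 only work together if the NAT access-list denies the VPN traffic before its broader permit: inside-to-outside NAT is applied before the crypto map is evaluated, so translated packets no longer match access-list 123. The check below is an added example, not part of the original post; the ACL lines are constructed samples, and `net`, `parse_ace` and `nat_exemption_gaps` are names chosen here.

```python
import ipaddress

def net(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD' from tokens and return the network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # IOS ACLs use wildcard (inverse) masks; invert to get a netmask.
    # Assumes a contiguous wildcard such as 0.0.0.255.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{mask}")

def parse_ace(line):
    """Parse '[access-list N] permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens.pop(0)
    tokens.pop(0)                              # protocol keyword ("ip")
    return action, net(tokens), net(tokens)

def nat_exemption_gaps(crypto_acl, nat_acl):
    """Return crypto-ACL lines whose traffic the NAT ACL would still translate."""
    nat, gaps = [parse_ace(l) for l in nat_acl], []
    for line in crypto_acl:
        action, src, dst = parse_ace(line)
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat:     # first match wins, top down
            if src.overlaps(nsrc) and dst.overlaps(ndst):
                exempt = (nat_action == "deny"
                          and src.subnet_of(nsrc) and dst.subnet_of(ndst))
                if not exempt:
                    gaps.append(line)
                break
    return gaps

# Constructed sample: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.
CRYPTO_ACL = ["access-list 123 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
NAT_OK = ["deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
          "permit ip 192.168.1.0 0.0.0.255 any"]
NAT_WRONG_ORDER = list(reversed(NAT_OK))       # permit is matched before the deny
```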

To Configure DHCP on a Cisco router

To configure Cisco DHCP, follow these steps, which include sample commands.

1) Configure an IP address on the router's Ethernet or Fast Ethernet port and bring up the interface.
E.g.:
Router(config)# interface FA 0/0

Router(config-if)#ip address 1.1.1.1 255.0.0.0

Router(config-if)# no shutdown

2) Enable the DHCP service on the router

Router(config)#service dhcp

3) Create a DHCP IP address pool for the IP addresses you want to use.
Router(config)# ip dhcp pool mypool
Where mypool is name of the DHCP pool

4) Specify the network and subnet for the addresses you want to use from the pool.
Router(dhcp-config)# network 1.1.1.0 255.0.0.0


5) Specify the DNS domain name for the clients.
Router(dhcp-config)# domain-name pathcom.com

6) Specify the primary and secondary DNS servers
Router(dhcp-config)# dns-server 209.250.128.6 209.250.128.8

7) Specify the default router (i.e., default gateway).
Router(dhcp-config)#default-router 1.1.1.1

8) Specify the lease duration for the addresses you're using from the pool.
Router(dhcp-config)#lease 7

9) Exit Pool Configuration Mode.
Router(dhcp-config)#exit

10) Configure the IP addresses to be excluded from the pool. This is usually done to avoid conflicts between DHCP and servers and printers. Remember to give ALL servers and network printers static IP addresses in the same range as the DHCP pool, and then exclude these addresses from the pool to avoid conflicts.

Router(config)#ip dhcp excluded-address XXX.XXX.XXX.XXX

Use the command in the previous form to exclude a single address. You can repeat it as many times as you see fit for the IP addresses you want to exclude.



Use the following commands to check the DHCP operation on the router:

Router#show ip dhcp binding

This command shows the current bindings of addresses given to clients

Router#show ip dhcp server statistics

This command shows the DHCP server statistics.

Router#debug ip dhcp server

To clear DHCP server variables, use the following commands as needed:

Router#clear ip dhcp binding *


NOTE: The DHCP service uses ports 67 and 68. So, if you are using a firewall, remember to open these ports.

How to configure PPTP on a Cisco server


1) Enable VPDN (virtual private dial-up networking) on the router. To do so, use this command:

Router(config)# vpdn enable

2) Create a VPDN group for PPTP, which is what the Microsoft VPN client uses by default

Router(config)# vpdn-group TEST-VPN

Router(config-vpdn)# accept-dialin

Router(config-vpdn-acc-in)# protocol pptp

Router(config-vpdn-acc-in)# virtual-template 1

Router(config-vpdn-acc-in)# exit

Router(config-vpdn)# exit

3) Configure the IP address on the local LAN interface
Router(config)# interface FA0/0

Router(config-if)# ip address z.z.z.z

Router(config-if)# no shutdown

4) Create the virtual template that will apply to the inbound VPN connections. This template references the FA0/0 interface for its IP address. It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match the Microsoft VPN client defaults:

Router(config)# interface Virtual-Template1

Router(config-if)# ip unnumbered FA0/0

Router(config-if)# peer default ip address pool defaultpool

Router(config-if)# ppp encrypt mppe auto required

Router(config-if)# ppp authentication ms-chap ms-chap-v2

Router(config-if)# no keepalive

5) Create the pool of IP addresses for PPTP users

Router(config)# ip local pool defaultpool x.x.x.x y.y.y.y

where x.x.x.x is the starting IP and y.y.y.y is the last IP. This range of IPs should also be excluded from the DHCP list.



6) Create a test VPN user:

Router(config)# username pathway password 0 1q2w3e4r
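
The site-to-site VPN and PPTP steps above use MD5, 3DES, Diffie-Hellman group 2, MS-CHAP over PPTP and a type 0 password, all of which are weak by current standards. The following audit for those settings is an added example, not part of the original posts; `SAMPLE` is a constructed running-config fragment, and `RULES` and `audit` are names chosen here.

```python
import re

# Constructed running-config fragment with the values used in the steps above;
# 203.0.113.2 is a documentation address standing in for X.X.X.X.
SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 1q2w3e4r address 203.0.113.2 no-xauth
crypto ipsec transform-set SETNAME esp-3des esp-md5-hmac
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
username pathway password 0 1q2w3e4r
"""

# (parent section prefix, or None for a top-level line; pattern; finding)
RULES = [
    ("crypto isakmp policy", r"encr(yption)? 3?des", "IKE cipher is DES/3DES"),
    ("crypto isakmp policy", r"hash md5", "IKE hash is MD5"),
    ("crypto isakmp policy", r"group [12]$", "IKE DH group is 1024-bit or smaller"),
    (None, r"crypto ipsec transform-set .*esp-3?des\b", "ESP cipher is DES/3DES"),
    (None, r"crypto ipsec transform-set .*esp-md5-hmac", "ESP integrity is HMAC-MD5"),
    ("vpdn-group", r"protocol pptp", "PPTP is enabled"),
    ("interface", r"ppp authentication .*ms-chap", "MS-CHAP authentication"),
    (None, r"username \S+ password 0 ", "local password stored in clear text"),
]

def audit(config):
    """Return (line number, finding) pairs for weak settings in an IOS config."""
    findings, section = [], ""
    for num, raw in enumerate(config.splitlines(), 1):
        nested = raw.startswith(" ")
        if raw and not nested:
            section = raw                  # an unindented line opens a section
        for prefix, pattern, finding in RULES:
            in_scope = (nested and section.startswith(prefix)) if prefix else not nested
            if in_scope and re.match(pattern, raw.strip()):
                findings.append((num, finding))
    return findings
```

Running `audit` over a saved `show running-config` lists each weak line by number, which makes it easy to confirm that both VPN peers were migrated together.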