2
Konfiguration Cisco 1812 für T-Dsl als einfacher Router mit Firewall
Cisco 1812 bekommt keine IP von T-DSL business zugewiesen.
Ich habe den Cisco 182 mit CCP auf beiden WAN Etherntports mit den jeweiligen T-DSL Zugangsparametern konfiguriert und sowohl PAP, CHAP und beide als Authentifizierungsmethode erfolglos ausprobiert. Einmal habe ich auf einem WAN-Port eine IP-Adresse zugewiesen bekommen, jedoch hat dies nach Änderung der IP-Adresse des Cisco nicht mehr funktioniert. Kann man den Cisco überhaupt per CCP konfigurieren? Die CLI-Kommandos erscheinen zunächst logisch (aus Sicht eines Laien).
Wichtig wäre erst einmal eine funktionierende Anmeldung bei der Telekom mit Zuweisung einer IP-Adresse, den Rest konfiguriere ich erst später (PAT, Firewall etc.).
Anbei die derzeitige Konfig. Falls jemandem ein Fehler auffällt, wäre ich wirklich dankbar - ich verdiene mein Geld leider nicht mit EDV, brauche sie aber um Geld zu verdienen und keiner der erreichbaren "EDV-Experten und Händler" kennt sich mit Cisco aus. Die, die sich mit Cisco auskennen lassen sich feiern anstatt zu helfen. Danke.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1812
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$BqdOXXXXXXXXXXt9/
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxx
!
!
quit
dot11 syslog
no ip source-route
!
ip cef
no ip bootp server
ip domain name test.de
ip name-server 80.102.114.80
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $XXXXXXXXXX5x2/
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface FastEthernet0
description DSL 1$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface FastEthernet1
description DSL 2$FW_OUTSIDE$$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 80.102.114.54 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname feste-ip8/XXXXX@t-online-com.de
ppp chap password 7 XXXXX
!
interface Dialer2
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname feste-ip6/XXXXXXXX@t-online-com.de
ppp chap password 7 XXXXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet1 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 80.102.114.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 80.102.114.80 prefer
end
Wichtig wäre erst einmal eine funktionierende Anmeldung bei der Telekom mit Zuweisung einer IP-Adresse, den Rest konfiguriere ich erst später (PAT, Firewall etc.).
Anbei die derzeitige Konfig. Falls jemandem ein Fehler auffällt, wäre ich wirklich dankbar - ich verdiene mein Geld leider nicht mit EDV, brauche sie aber um Geld zu verdienen und keiner der erreichbaren "EDV-Experten und Händler" kennt sich mit Cisco aus. Die, die sich mit Cisco auskennen lassen sich feiern anstatt zu helfen. Danke.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1812
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$BqdOXXXXXXXXXXt9/
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxx
!
!
quit
dot11 syslog
no ip source-route
!
ip cef
no ip bootp server
ip domain name test.de
ip name-server 80.102.114.80
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $XXXXXXXXXX5x2/
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface FastEthernet0
description DSL 1$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface FastEthernet1
description DSL 2$FW_OUTSIDE$$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 80.102.114.54 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname feste-ip8/XXXXX@t-online-com.de
ppp chap password 7 XXXXX
!
interface Dialer2
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname feste-ip6/XXXXXXXX@t-online-com.de
ppp chap password 7 XXXXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet1 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 80.102.114.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 80.102.114.80 prefer
end
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 144225
Url: https://administrator.de/contentid/144225
Printed on: April 19, 2024 at 06:04 o'clock
2 Comments
Latest comment
http://whiskey-tango-foxtrott.de/wiki/doku.php?id=cisco:cisco_3620_als_ ...
Die wichtigen Punkte stehen dort.
Die wichtigen Punkte stehen dort.
Dein Konfig birgt einen gefährlichen Kardinalsfehler, denn dein internes LAN was über den NAT Prozess des Routers rennt ist ebenfalls ein öffentliches IP Netz das weltweit offiziell einem spanischen Eigentümer (Orange) gehört:
inetnum: 80.102.0.0 - 80.102.255.255
netname: UNI2-NET
descr: Uni2 IP Data Network
country: ES
remarks: For complaints of abuse from these addresses
remarks: send a mail to abuse@orange.es
role: Hostmaster Administrator FTE
address: Parque Empresarial La Finca
address: Edificio 9
address: Paseo del Club Deportivo, 1
address: 28223 Pozuelo de Alarcon
address: Madrid, Spain
Hier kann es erhebliche Probleme im Routing geben. Tunlichst solltest du also wie es allgeien üblich ist RFC-1918_Private_Netze lokal am Router nutzen, da das o.a. Netz vermutlich NICHT dir gehört, oder ??
Sowas gehört eigentlich zum IP Grundschulwissen eines Netz Admins !!!
Hier findest du ebenfalls aktuell lauffähige Konfigurationen:
Cisco 1700 ADSL konfigurieren
Cisco 2600 Router
und hier:
Vernetzung zweier Standorte mit Cisco 876 Router
Bei letzterer denkst du dir einfach die VPN Tunnel weg !
Eine sicher funktionierende Konfig mit IOS Firewall Feature Set ist auch diese:
version 12.4
service timestamps log datetime localtime
!
hostname Router
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.149
ip dhcp excluded-address 192.168.0.170 192.168.0.254
!
ip dhcp pool 0
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.254
domain-name staruser.local
!
ip domain name staruser.local
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
(------Diese Zeilen nur relevant bei DynDNS !!------------)
ip ddns update method dyndns
HTTP add http://<username>:<pw>:@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
(--------DynDNS Ende----------------)
!
username admin password admin
!
interface Ethernet0
description Lokales LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Ethernet1
description DSL Modem Anschluss
no ip address
duplex auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer0
description T-Online DSL Einwahl mit DynDNS Update
(--------Nur bei DynDNS !--------)
ip ddns update hostname <dyndns hostname>
ip ddns update dyndns
(---------DynDNS Ende------------)
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect FW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no keepalive
no cdp enable
ppp authentication pap callin
ppp pap sent-username 0012345678902345001@t-online.de password Geheim
ppp ipcp dns request
ppp ipcp mask request
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 103 interface Dialer0 overload
!
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
(-------Nur wenn PPTP Client im lokalen LAN betrieben wird !-----)
access-list 111 permit gre any any
(--------PPTP erlauben Ende--------)
access-list 111 deny ip any any log
dialer-list 1 protocol ip list 103
!
sntp server de.pool.ntp.org
end
inetnum: 80.102.0.0 - 80.102.255.255
netname: UNI2-NET
descr: Uni2 IP Data Network
country: ES
remarks: For complaints of abuse from these addresses
remarks: send a mail to abuse@orange.es
role: Hostmaster Administrator FTE
address: Parque Empresarial La Finca
address: Edificio 9
address: Paseo del Club Deportivo, 1
address: 28223 Pozuelo de Alarcon
address: Madrid, Spain
Hier kann es erhebliche Probleme im Routing geben. Tunlichst solltest du also wie es allgeien üblich ist RFC-1918_Private_Netze lokal am Router nutzen, da das o.a. Netz vermutlich NICHT dir gehört, oder ??
Sowas gehört eigentlich zum IP Grundschulwissen eines Netz Admins !!!
Hier findest du ebenfalls aktuell lauffähige Konfigurationen:
Cisco 1700 ADSL konfigurieren
Cisco 2600 Router
und hier:
Vernetzung zweier Standorte mit Cisco 876 Router
Bei letzterer denkst du dir einfach die VPN Tunnel weg !
Eine sicher funktionierende Konfig mit IOS Firewall Feature Set ist auch diese:
version 12.4
service timestamps log datetime localtime
!
hostname Router
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.149
ip dhcp excluded-address 192.168.0.170 192.168.0.254
!
ip dhcp pool 0
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.254
domain-name staruser.local
!
ip domain name staruser.local
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
(------Diese Zeilen nur relevant bei DynDNS !!------------)
ip ddns update method dyndns
HTTP add http://<username>:<pw>:@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
(--------DynDNS Ende----------------)
!
username admin password admin
!
interface Ethernet0
description Lokales LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Ethernet1
description DSL Modem Anschluss
no ip address
duplex auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer0
description T-Online DSL Einwahl mit DynDNS Update
(--------Nur bei DynDNS !--------)
ip ddns update hostname <dyndns hostname>
ip ddns update dyndns
(---------DynDNS Ende------------)
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect FW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no keepalive
no cdp enable
ppp authentication pap callin
ppp pap sent-username 0012345678902345001@t-online.de password Geheim
ppp ipcp dns request
ppp ipcp mask request
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 103 interface Dialer0 overload
!
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
(-------Nur wenn PPTP Client im lokalen LAN betrieben wird !-----)
access-list 111 permit gre any any
(--------PPTP erlauben Ende--------)
access-list 111 deny ip any any log
dialer-list 1 protocol ip list 103
!
sntp server de.pool.ntp.org
end
