Cisco Switching/Routing :: Configure SSH On 891W ISR?
Mar 22, 2012
I believe I have the steps done at the IOS to config the WAN port for SSH, but I still can't connect to it. I have "logging console 7" on so I am able to see that the router is dropping my TCP session requests. I figure this is just the built-in zone-based firewall at work.
Is there a very straightforward process, via the IOS, to allow SSH inbound on the WAN port? I'm not very familiar with the IOS other than basics so while I know how to do things like "transport input ssh" and "login local" and such on the vty 0 4 line, I have no idea whatsoever on what I should do with the firewall stuff. I believce the WAN interface is already a member of the outside zone though so I imagine one just has to somehow include ssh (preferably on a non-standard port) in the exceptions on the firewall somehow.
I have been poking around for a step-by-step IOS guide for this but only find info on configuring SSH itself but not how to open the firewall to allow the connection for it through.
I have a client that that is installing a new network. They have requested the use of an CISCO891W-AGN-A-K9 mostly to be consistent with upgrades perfomed at other sites. I agree with the use of this router, so that's OK. The issue is that they have requested that I use the integrated PoE available on this model. I'm also OK with this as it will make a much neater installation. However, I can't seem to find much information on how to get the integrated PoE. I need clarification as to whether I can get a kit to upgrade this router. I generally purchase from sites like newegg or cdw (I'm an independent contractor) and I can't seem to find one with it. I have found some information on 800-IL-PM-4 and 800-ILPM-4 (who could confuse those ). Are they the same or different? Which one is the correct one and does it include the AC power adapter and can if be retro'ed into a router without the PoE?
I have an 891w as my edge device for my home office. I have a VLAN for family use (wired and wireless) that routes out to the internet just fine. I have a second VLAN assigned to a VPN tunnel that backhauls traffic to my corporate network (wired and wireless) and all of the traffic gets to the corporate network fine when I am on that VLAN.
However, while I am on the VPN VLAN, no traffic gets to the internet. I believe it is because I have the gateway of last resort (0.0.0.0) set to the WAN IP address provided by my ISP, so DNS is resolving against corporate, but because there is no specific route, it is trying to dump the traffic back out the WAN without traversing the VPN tunnel.
I'm new to using Cisco Config Professional Express but a lot of things are just "off" with this utility. But my problem for this post is specifically the 891W's internal access point, or initial access to it.
My situation is that I have some 891W's. It's my first time working with them, as well as with CCP Express (2.5). After isolating the router and my PC to their own network, using the IP my PC got via DHCP frmo the router I opened a web broswer and connected to the router. The initiial configuration wizard came up and I went through the various screens. One of those screens had basic config info for the internal wireless AP which I provided. Somewhere in that screen it asked for a Hostname for the AP, and a password. It doesn't askfor a username though. To ensure I wouldn't run into confision, I made sure to set every password I ever get asked to configure as the same thing so the AP's password was also the same.
However after I finish with the wizard, the java-based CCP Express begins prompting me for first the main router credentials which I provide and it gets the router config, then it prompts mefor the username/password for the Access Point. First of all, the initial config wizard had never asked me for the username for the access point, only the hostname, and the password. I had assumed it was just going to use the main router username, or perhaps a blank username.
In any case, nothing I type ever works. I've used cisco/cisco, or a blank username with my new password, or the same username as the main router with the password ---- nothing. This is now the 4th time I have completely Reset the router to factory defaults and while I am learning the use of CCP Express through repetition, I'd also like to get this thing configured and out the door so my customer can use it.
I am trying to configure the FE8 (WAN port) to connect to the Internet. We're swtiching ISP'ssoon so this router was set up at my office and has since been deployed at the client site. So far it is just plugged in and powered, with a console cable attached but no LAN cabling since this router will replace an existing one using the same addressing (except the WAN settings of course). So for now I am just focused on working on the WAN side since I have the ISP's cable modem attached . I had intiially used CP Express to config the wan port with an IP and mask and the various port forwarding options I intend to use. Now, connected via console cable, I tried pinging the IP of the wan port, which works. Beyond that, can't ping anyting (8.8.8.8 - a Google IP), also can't resovle any DNS names which makes sense with no apparent connectivity. Likely my config is just imcomplete. Nowhere in sh run do I see a Default Gateway, yet this ISP did specify one so I assume I need to enter it. Not sure what's the right way - I get confusing results on searches telling me either to use ip default-gateway or ip default-network. I want to think that it's as simple as entering in the IP but so far I've learned with the IOS that you never do anythign without knowing all the possible implications, which I don't. Also while I am at it, I don't know what I should have for DNS entries. This router will not be a DNS server for any internal systems that function will be managed by the two Windows 2008 R2 DNS machines. The ISP has also provided two IP's for their DNS servers. I thought it would be a simple matter of just adding two entrires via ip name-server command, which I did. So now I have four entries, first the two internal servers (inaccessible currently due to no LAN cabing to this router), and the two ISP servers. Can't ping those either, but again there's no default gateway.
I'm working with some 891W's that have the internal 800-series AP. I have this router set up initially using Cisco Config Express, then, using Cisco Config Professional 2.5 I set up the firewall and other featuress that CCE doesn't do. Overall this is a very simple router, meant to be a small business Internet gateway device but is currently in my lab.
The intended WLAN setup is very simple. One SSID, with broadcast enabled, using WPA2-Personal. Auth: open Encryption is both TKIP and AES-CCM.
However no matter what I do I cannot get thhis thing to broadcast . In the past I had sometimes run into issues where if I had more than one AP running independently it would cause a channel conflict and one or both would cancel each other's radio, so I disabled all other AP's in my vicinity.
Also I've had issues in the past where f I enabled both TKIP and AES, sometimes clients can't find the AP as a result. My solution had been to disable one of them leaving just the other - no change here however.
Via the IOS, ssid config shows mbssid guest-mode which I believce is default.
Interestingly, if I do the following:
ap# Config t ap(config)# dot11 ssid <myssid> ap(config - ssid)#guest-mode end
I end up with both "guest-mode" and "mbssid guest-mode" in the sh run for the AP, and voila, my AP broadcasts the SSID. However clients end up joining without any security at all, no prompts for pre-shared key or anything.
I have an 891W router that requires a firmware update to fix a bug wth the internal AP where all you get when accessing it via the CP Express ("Launch Wireless Application", which is just opening another web browser to your AP) is an Enter button. This issue seems to be common so I found a thread, though for the 881W (but same process) where the fix is to update the AP's firmware.
So I downloaded ap801-rcvk9w8-tar.124-21a.JY.tar from cisco.com, set it up in my tftp server, and at the console ran the following from the router:
It seems to go through the process of re-imaging the fw but the end result now after it is done is that I cannot access the ap at all and the hostname has been screwed up. So now when I go to the AP (via Router#service-module wlan-ap 0 session <enter>), this is what I see:
AP6400.f177.d0ee>
If I type "enable", I get no username prompt but I do get a password prompt, however my pw no longer works. Also the IP address of the AP (192.168.0.2=) is no longe rpingable.
I did save the log of the console session for the (failed??) firmware upgrade process - the only odd thing I recall was that it seemed like it was trying to enter part of the update process commands but instead the router was interpreting them as a DNS lookup or something. Kind of stupid process it seems but anyway I am quite lost. Don't know what it'ssuch a challenge to update firmware.
I have had trouble to verify the support wireless speed and band that CISCO891W-AGN-A-K9 supports. I saw on a vendor website that it supports a max wireless transmission speed of 54Mbps but this seems low for what is supposed to be the current model wireless router which is supports 802.11n. What the maximum supported wireless speed and whether 5Ghz is supported? Plus I am thinking about purchasing it for my home wireless network (upgrading from an 871W).
I have an 891w that started acting up recently. Radio dot11 0 is reporting its a b radio. When it is actually an n 2.4 radio. Of course that radio is not allowing any clients to connect to it at this time. I have tried updating the firmware to the latest, tried a hardware reset but still a nogo.
sh interface output.
Dot11Radio0 is up, line protocol is down Hardware is 802.11B Radio, address is 0000.0000.0000 (bia 0000.0000.0000) MTU 1500 bytes, BW 11000 Kbit/sec, DLY 1000 usec,
I have an 891W that I initially configured using CCP Express (2.5). So it has a WAN IP set, and through CCP Express I had enabled via the checkboxes the various default settings for security. This includes zone-based firewall. I then added a number of NAT entries in the setup wizard.
What never occured to me at the time was that I should have added entries that allow for remote access. So it seems I've locked myself out of accessing the router via the WAN interface even though I know it's IP. I'm sure it's just a matter of adding port exceptions for SSH and/or whatever port(s) CCP uses.
So I"m wondering what the proces woudl be. In the IOS while showing the running config., I see pages and pages of class-map stuff which at present I don't know enough about to risk editing anything directly. But maybe I don't have to? What would be the best way to, for example, enable SSH access through the firewall? I already have transport input ssh set on the interface itself so I believe it's ready to allow the connection, just that I can't get to it via WAN int. so I assume it's the firewall.
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
In our datacenter we have a 3750 stack with IP base image. I have enabled PBR and reloaded the switch. Show sdm prefer says i am using default template. The reason i want to use PBR is that we have 2 firewalls on the same work and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resouces accross wan and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
Created policy:
route-map TestASA permit 10 match ip address 10 set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
ip policy route-map TestASA
Results:It changed the default gateway to the above gateway but i could not access any resources on any other vlan, could not access resouces accross wan.
The layer 2 switches are connected to layer 3 Switch via trunks, and routing between layer 2 switch ports with configured SVI's on 3550. All working fine. Now I'm trying to configure routing between 2800 and 3550, I tried connecting both Straight Throught and Crossover cables to the 2800 Fa0/0 and Fa0/1 ports as well as the switchports on 3550
No switchport commands are configured however, the lights do not go on for both straight through or crossover cables. I tried connecting 1750 routers but same result. My goal is to have all the VLANS routed to the internet with configuring NAT translation the router.
how do i configure the new asa 5505 to be as a router as shown in the diagram note: the isps' routers placed in head office. but i cannot change the configurations of the isp's routers.
i try to configure DNS on cisco 800 , it's worked , but after 24 hours the command ip domain-lookup change to disable, and it stop work i'm not understanding why it's happen ,
that's the configuration
ip domain name XXXXXX.CC.CC ip host XXX-RR-FF.com 2.2.2.2 ip name-server 1.1.1.1 [Code]....
If I have an ASA 5520 with an INSIDE interface, a DMZ interface and a WAN interface what would be the best way to configure NAT? If I configure nat-control and a nat (inside) 1 0.0.0.0 0.0.0.0 this will configure everything to be NAT'd when passing from the INSIDE interface out.My question is what about the devices I want to access in the DMZ from the inside for management etc? I'm guessing the ASA isn't smart enough to realise you're accessing hosts in it's DMZ interface so do you have to configure a nat 0 rule for every subnet within the DMZ you want to access or is there an easier way to do it? It's worth noting that the same devices will be accessing the OUTSIDE network and the DMZ network from the INSIDE network.
I notice that NAT is not possible Cisco Catalyst 4500e series. Is there any other ways to configure NAT? Currently we have 2x Catalyst 6509 and we're migrating to the 4510e and there's NAT in the 6509s. I was thinking of re-using the 6509s and connect to the 2 new 4510e in a meshed trunking layout with MST (Layer 2) and OSPF/EIGRP (Layer 3) protocols turned on.
I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection.
My Configuration:
interface GigabitEthernet0/0 ip address dhcp ip nat outside ip virtual-reassembly no ip route-cache duplex auto speed auto no cdp enable no mop enabled(code)
I've been trying to configure a connection which requires NAT translation but my devices are too old and seems that the configurations I tried doesn't work or I don't know how to implement it properly.Firstly, I will introduce my router to you, it is a Cisco C3640-JS-M Version 12.2(1), so I found many ways to solve my problem, but none of them are supported by it.
To continue,the connection I am trying to configure is the following one:
So one host from 172.22.1.0/24 needs to connect to a server in my LAN (10.1.1.20) but they can´t use the real IP and we need to configure a NAT rule to translate traffic from them to 192.168.6.10 to 10.1.1.20, but only for this connection (there are other "WAN" interfaces.
These are my failed attempts:
interface FastEthernet0/0.302 ip nat outside ip nat inside source static 10.1.1.20 192.168.9.10
PROBLEM: Works for this connection, but other connections are affected and no one can reach 10.1.1.20 apart from LAN and incoming traffic to F0/0.302
[code]....
But as I said before, some configurations are not supported by my device.
I have a Cisco 881 VPN Router (TX) which connects to the Concentrator at our corporate office (NY). The TX subnet is 10.16.x.x. The corporate subnet is 10.1.x.x, 10.2.x.x, 10.9.x.x.Right now, the 881 router is only used for VPN to corporate, but, I would like to use it our primary router. We have to ISP's, and I would like to allow traffic to come in on either interface to our internal LAN to a few servers.
I got one SF 300-48 layer 3 switch I tried to configure to use it in the office network.Unfortunately I'm unable to configure the VLAN settings.I need port one for input(VLAN2),port 7-15 for another vlan(vlan3) also need to connect with the vlan 4.port 15 is another vlan(vlan4) this is for wireless.Other ports are static.It doesn't get any connections with other vlans.I wish to know how to configure vlans in GUI mode.I tried , But I can't get the Vlan setting correctly.Also,I need to know how to communicate both vlans in GUI mode.
When I try to add an IP address to a port-channel interface on a 3845 ISR I am getting an error that seems to imply that only L2 etherchanneling is possible. Am I missing something?Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(24)T8,
sfo-c3845-1#sho run int port-channel 1 Building configuration... Current configuration : 31 bytes ! interface Port-channel1 end
how to configure an IPaddress for a PWR-RPS 2300?.I tried finding info on the website but no luck as yet. RPS 2300 will be used on stack of 3750E series switches.
configure qos in Cisco 3750 switch.I have configured below template and applied on the vlan interface.But i am getting the hit on the access list but I am not able to get hit on the class map.
How i can configure the SFP Ports on my 4500 SERIES CHASSIS with other SFP ports on the connecting switch. I want to connect 15 switches via GLC=SX=MM to my 4506E sfp card.
I need to configure the port forwarding on Cisco 887 to forward port 22 on Public IP to a LAN IP port 2200. I don't know anything on Cisco router at all, beside telnet to the cisco and quit . Any step by step command.
where 192.168.1.150 is my server (that hosts SQL server and that I want to be able to connect to remotely using VNC) and GigabitEthernet0 is my configured WAN interface.
When I try to connect from an external client I get the error: "Failed to connect to server..." Is this a firewall issue? How do I get round it? The 819 is the only router/firewall in my network.
Can i configure proxy on ASA 5510? i.e for internet use my user should be authenticate by ASA5510 and after successful authentication user should be allowed to access internet and futher is it possible to do bandwidth managment with ASA5510?
I purchased an old cisco 831 for practical studies for a cisco certification. I purchased the console cable (serial/rj45) and a usb->serial converter cable. However when I open my terminal application (tera term) After I select the right com port (3) and make sure the connection settings are right. It will just sit idle and not show any data from the device. Was I sold a faulty device? It lights up and has three lights on.
Everytime I look at a manual or cisco video I am given the impression the terminal application will just automatically connect. But whenever I try I get nothing.
