Gretech.be Just another WordPress weblog…

8 Apr 2010

Cisco 877 (800 series), RFC 2684 (formerly RFC 1483) multi-protocol over ATM: config for Dommel CityConnect (WAN DHCP, ADSL2+)

This is the config I use with the Belgian provider Dommel on the CityConnect ADSL2+ line they offer.

  • WAN IP: DHCP (ATM0.1 point-to-point)
  • LAN Router IP: 10.10.10.1
  • DHCP Range: 10.10.10.10 to 10.10.10.240
  • DNS Server forwarding requests to OpenDNS
  • NTP Server forwarding requests to 81.246.92.140 and 212.68.213.7 (be.pool.ntp.org IPs)
  • Timezone Paris
  • Incoming ACL: 101
  • Outgoing ACL: 100
  • SSH via WAN on port 822
  • SNMP Private string: privateString
  • SNMP Public string: publiekeString
  • Logging previous 300 console commands


!* cisco-axelius.axelius.be.CiscoConfig
!* IP Address : 10.10.10.1
!* Community : privateString
!* Downloaded 21/03/2010 19:07:58 by SolarWinds Config Transfer Engine Version 5.5.0
!
! Last configuration change at 19:06:47 Paris Sun Mar 21 2010 by admin
! NVRAM config last updated at 19:06:53 Paris Sun Mar 21 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco-axelius
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ...
!
no aaa new-model
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name axelius.be
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto pki trustpoint TP-self-signed-4008809079
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4008809079
 revocation-check none
 rsakeypair TP-self-signed-4008809079
!
!
crypto pki certificate chain TP-self-signed-4008809079
 certificate self-signed 01
  30820250 ...
  quit
username admin privilege 15 secret 5
archive
 log config
  logging enable
  logging size 300
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 description Fysieke ADSL (ATM) Interface
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description ATM Routed Bridge Encapsulation (RBE) Subinterface t.b.v. Internet
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 pvc 8/35
  encapsulation aal5snap
  protocol ip inarp
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no ip virtual-reassembly
!
interface Dialer0
 no ip address
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp any any eq 822
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any
snmp-server community privateString RW
snmp-server community publiekeString RO
snmp-server location Hasselt
snmp-server contact GregoryBE
!
control-plane
!
banner login #Authorized access only!
Gretech Configured router. Unauthorized access will be logged.
#
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179862
ntp master
ntp server 81.246.92.140 prefer
ntp server 212.68.213.7
end
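
An added example, not part of the original post and not Cisco tooling: a small Python check that reads a running-config like the one above and reports the management-plane settings worth reviewing before the router faces the WAN (telnet on the vty lines, SNMP communities with no access-list, the cleartext HTTP server, a TCP port open to any source, and a static NAT entry pointing at an interface with no ip address). The audit function and the SAMPLE excerpt are constructed here from lines in the listing.

```python
import re

# Constructed sample: lines copied flush-left from the listing above.
SAMPLE = """\
interface ATM0.1 point-to-point
ip address dhcp
interface Dialer0
no ip address
ip http server
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
access-list 101 permit tcp any any eq 822
snmp-server community privateString RW
snmp-server community publiekeString RO
line vty 0 4
transport input telnet ssh
"""

def audit(config):
    """Return management-plane findings for an IOS running-config (hypothetical helper)."""
    findings, forwards, no_addr = [], [], set()
    section = ""  # last "interface ..." or "line ..." header seen
    for raw in config.splitlines():
        line = raw.strip()  # works whether or not sub-command indentation survived
        if re.match(r"(interface|line) ", line):
            section = line
        elif line == "no ip address" and section.startswith("interface "):
            no_addr.add(section.split()[1])
        elif line.startswith("transport input") and section.startswith("line vty"):
            if re.search(r"\b(telnet|all)\b", line):
                findings.append("vty accepts cleartext telnet")
        elif line == "ip http server":
            findings.append("cleartext HTTP management server enabled")
        elif m := re.match(r"snmp-server community \S+ (RO|RW)(\s+\S+)?$", line):
            if not m.group(2):  # no access-list bound; the string itself is not echoed
                findings.append(f"SNMP {m.group(1)} community has no access-list")
        elif m := re.match(r"ip nat inside source static \S+ \S+ \d+ interface (\S+) (\d+)", line):
            forwards.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) permit tcp any any eq (\d+)$", line):
            findings.append(f"ACL {m.group(1)} permits tcp/{m.group(2)} from any source")
    # Checked after the loop so the order of interface and NAT lines does not matter.
    for iface, port in forwards:
        if iface in no_addr:
            findings.append(f"port {port} forward references {iface}, which has no ip address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```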

Links:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a5d0.shtml
http://forums.overclockers.com.au/showthread.php?t=460519

Comments (7) Trackbacks (0)
  1. Really decent post… I love it. Keep ‘em coming… :)

  2. ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822

    I don't quite understand this line: interface Dialer0 in a route-bridged ip configuration..?

    Regards, Alge

  3. This line redirects public port 822 (on the Dialer0 side) to port 22 on the private IP 10.10.10.1 (the address of the router in this case).
    (So you can access the SSH server of the router from the internet on port 822.)

    Regards, Greg

  4. How would I go about this with a cityconnect fixed wan ip? I tried this using your example but this isn’t working yet as I do not understand enough yet.

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname WAN
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 warnings
    logging console alerts
    enable secret 5 lalaladelidoe
    !
    no aaa new-model
    clock timezone Paris 1
    !
    crypto pki trustpoint TP-self-signed-3350390588
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3350390588
     revocation-check none
     rsakeypair TP-self-signed-3350390588
    !
    !
    crypto pki certificate chain TP-self-signed-3350390588
     certificate self-signed 01
      30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      quit
    dot11 syslog
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.241 192.168.1.254
    !
    ip dhcp pool sdm-pool1
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 192.168.1.1
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name cool.be
    ip name-server 193.109.184.72
    ip name-server 193.109.184.75
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    multilink bundle-name authenticated
    !
    !
    username mutepower privilege 15 secret 5 oiuy.
    !
    !
    archive
     log config
      logging enable
      logging size 400
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 5
    !
    bridge irb
    !
    !
    interface ATM0
     description Fysieke ADSL (ATM) Interface
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode adsl2+
    !
    interface ATM0.1 point-to-point
     description ATM Routed Bridge Encapsulation (RBE) Subinterface 4 Internet
     ip address 83.101.77.77 255.255.255.0
     ip access-group 101 in
     ip nat outside
     ip virtual-reassembly
     atm route-bridged ip
     pvc 8/35
      encapsulation aal5snap
      protocol ip inarp
     !
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description de default vlan
     ip address 192.168.1.1 255.255.255.0
     ip access-group 100 in
     ip nat inside
     no ip virtual-reassembly
    !
    interface Dialer0
     no ip address
    !
    ip default-gateway 83.101.77.1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 83.101.77.1
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list 1 interface ATM0.1 overload
    ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
    !
    logging trap debugging
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=17
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 permit tcp any any established
    access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
    access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
    access-list 101 permit udp host 208.67.220.220 eq domain any
    access-list 101 permit udp host 208.67.222.222 eq domain any
    access-list 101 permit udp host 193.109.184.72 eq domain any
    access-list 101 permit udp host 193.109.184.75 eq domain any
    access-list 101 permit tcp any any eq 822
    access-list 101 permit icmp any any administratively-prohibited
    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any unreachable
    access-list 101 permit udp any eq bootps any eq bootpc
    access-list 101 deny ip any any
    snmp-server community privateString RW
    snmp-server community publiekeString RO
    snmp-server location Hasselt
    snmp-server contact GregoryBE
    !
    !
    !
    !
    control-plane
    !
    bridge 1 route ip
    banner login #Authorized access only!
    #
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
     login local
     no modem enable
     transport output telnet
    line aux 0
     login local
     no exec
     transport input all
     transport output telnet
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp clock-period 17179862
    ntp master
    ntp server 81.246.92.140 prefer
    ntp server 212.68.213.7
    end

  5. It is not necessary to configure your fixed IP; the fixed IP will be assigned by Dommel.

    Greets,
    Greg

  6. Ah Okay thanks for the tip Gregory I’ll try that

  7. Yup cheers not trying to fix an IP did the trick :-)

