Cisco 831
I am using Cisco 831 at many smaller remote offices with DHCP. What is the best way to both monitor and control access on the 4 fastethernet ports. Is there a way to secure all of the ports with a MAC address security, etc so only certain machines will be able to gain network and internet access via the router?
Thanks - any help would be appreciated.
Jamie
Hello Jamie,
the 831 does not support port-security on the FastEthernet ports. There is however a workaround you could use, if you have a limited number of known MAC addresses that you want to block. Basically, what you do is use the command:
arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
to manually blackhole MAC addresses by sending them to a Loopback or Null interface. Let's say you want to deny IP address 192.168.1.10 with MAC address 00ed.3456.7896, the entry would be:
arp 192.168.1.10 00ed.3456.7896 arpa Loopback0
This would effectively send all traffic for that IP and MAC address to the Loopback interface...
HTH,
GNT
Similar Messages
-
Uploading Cfg file to Cisco 831
Really new here to Cisco. Our network administrator was let go and I am running the show now but am having a problem with uploading a config file to our Cisco 831 which is acting as a firewall to a T1 line. I am so newbie to Cisco so bear with me please! Our router was reset to defaults (yea, I know) and of course the config file was lost on the router but... I did find these files saved on one of our file servers, in a folder TFTP-Root
c831-k9o3y6-mz.123-2.XC2.bin
startup-config
cisco831-config
I can see the files were backed up and on this server there is a TFTP server that has been run. Here are my questions.
1. To get the router back to where it was with these files, which ones do I need to upload?
2. Do I need to upload a boot file and config file or just one or the other?
3. I did try to upload the startup-config file using telnet and got as far as the TFTP program trying to load it to the Cisco but an error came up about the security range for the TFTP didn't include 10.10.10.1??? The weird thing is the TFTP server is 192.168.1.10 and the Cisco is 192.168.1.252. I can ping the Cisco but I cannot figure out why the Cisco is sending to the TFTP server that its IP is 10.10.10.1.
I appreciate any help since right now our office network has no email till I reset this.
Thanks
JimJim
I do not think it is a stupid question. When you post to a public forum like this, all kinds of people will see what you post. It is wise to want to protect yourself.
I would suggest that as a starting point that you replace any passwords with "" (or some similar string which shows us what passwords were configured but disguises the actual password).
I would suggest that you disguise any IP addresses that are in public address space (I believe that addresses in private space do not need to be disguised). Some people post configs with the address blanked out but I find this is sometimes counter-productive. I would suggest that you change the first octet of any public address in your config, and be careful that the first octet still shows whether this was class A, class B or class C address space. If you disguise the first octet then if the second, third, and fourth octet are the same as your config we will not have any real idea where you are, but there are valuable indications of what subnetting is being done, and perhaps other things that may be helpful.
I believe that it is probably sufficient to disguise any passwords and disguise any public IP addresses. If you look through your config and find other things that concern you (perhaps there are comments on interfaces about what they connect to that you do not want to become public) feel free to remove or to alter/disguise them.
And if you are really nervous about posting config details on the forum, you can email them to me privately. My email address is available through my forum profile. Some other forum contributors also make their email addresses available through their forum profile.
HTH
Rick -
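Rick's advice above on preparing a config for posting, as an added Python example (not code from the thread or from Cisco): it replaces secrets with a marker and shifts the first octet of public addresses inside their own class, leaving private addresses, masks and wildcards alone. The `<removed>` marker, the shift value, the extra SNMP and ISAKMP patterns and the sample config are assumptions constructed for illustration.

```python
import ipaddress
import re

PLACEHOLDER = "<removed>"  # assumption: any marker showing a secret was set
SHIFT = 1                  # assumption: the poster picks their own offset

# Keyword, optional IOS encryption-type digit, then the secret itself.
SECRET_RE = re.compile(
    r"\b(password|secret|snmp-server community|crypto isakmp key)( \d)? (\S+)"
)
IPV4_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

# Address space left as-is: RFC 1918 plus link-local.
KEEP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Classful first-octet ranges; 0, 127 and 224+ (masks, wildcards) fall outside.
CLASSES = [(1, 126), (128, 191), (192, 223)]


def _kept(addr):
    return any(addr in net for net in KEEP)


def disguise_ip(text):
    """Shift the first octet of a public address within class A, B or C."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return text                       # not a valid address, leave it
    octets = text.split(".")
    first = int(octets[0])
    for lo, hi in CLASSES:
        if lo <= first <= hi and not _kept(addr):
            size, step = hi - lo + 1, SHIFT
            while True:
                new_first = lo + (first - lo + step) % size
                candidate = ".".join([str(new_first)] + octets[1:])
                if not _kept(ipaddress.IPv4Address(candidate)):
                    return candidate
                step += 1                 # never disguise into private space
    return text                           # private, mask, wildcard, 0.0.0.0


def sanitize(config):
    """Return the config with secrets masked and public addresses disguised."""
    out = []
    for line in config.splitlines():
        line = SECRET_RE.sub(
            lambda m: f"{m.group(1)}{m.group(2) or ''} {PLACEHOLDER}", line)
        line = IPV4_RE.sub(lambda m: disguise_ip(m.group(0)), line)
        out.append(line)
    return "\n".join(out)


# Constructed sample config (documentation address ranges, made-up secrets).
SAMPLE = """\
hostname branch-rtr
enable secret 5 $1$CONSTRUCTED$hashvalue
username admin password 7 CONSTRUCTED7VALUE
ip name-server 198.51.100.7
interface Ethernet0
 ip address 192.168.168.1 255.255.255.0
interface Ethernet1
 ip address 203.0.113.10 255.255.255.248
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 203.0.113.9
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the second to fourth octets and all masks survive, readers can still follow the subnetting; type 5 and type 7 strings are masked as well rather than posted.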
Hello. I am trying to access my cisco 831 behind another vendor's hardware firewall for VPN services. I have the VPN enabled on the inside interface. I am not using the outside interface at all. I basically want to use this device just for VPN services.
eg.
{Internet}-WAN->FIREWALL-> Forward VPN Services->CISCO831(LAN)
Can I forward ports at the firewall level to allow VPN connections on the cisco device?
If so, is there a way to relay the DHCP requests to my DHCP server rather than allocate a pool on the VPN device?
Thanks in advance.
The DHCP protocol supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server address, and WINS address to hosts. Initially, DHCP clients have none of these configuration parameters. They obtain this information by sending a broadcast request for it. When a DHCP server sees this request, the DHCP server supplies the necessary information. Due to the nature of these broadcast requests, the DHCP client and server must be on the same subnet. Layer 3 devices such as routers and firewalls do not typically forward these broadcast requests by default.
Refer to the following document for more information
PIX/ASA 7.x as a DHCP Relay Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml -
Cisco 831 --- dot1x critical and MAB Support
Hi,
We have 4 Cisco 831 routers that we are trying to configure for wired 802.1x authentication using CSSC (Cisco Secure service client -- free version). I was wondering what version of IOS (on 831 platform) support the dot1x critical as well as Mac-auth bypass features. I checked the release note for 12.4 with no luck...
I was wondering if anyone was able to get these features working on Cisco 831 platform?
Thanks in advance
802.1x authenticator feature is not supported on Cisco 831 broadband routers. Try using a Cisco 851 router.
-
Cisco 831 Router to Configure VPN Access
Hello,
I need assistance in configuring a VPN in a Cisco 831 Router. I do not have any experience in configuring routers and VPN's, and would appreciate if any one could help out.
I would like to connect three Laptops to the Cisco 831 via Cisco VPN Client. Three laptops must have 10.42.6.x Address assigned by the router on the VPN Connection. They will also need access to the internal network which is 192.168.x.x private network. The Cisco has a Static IP on the Internal Interface and External Interface. I have tried several different ways of doing this, however I must be doing something wrong in my config.
Any help or suggestions would be appreciated.
Hi Robert
You can refer the below link in finding out the exact config to start with.
do make sure that your Cisco 831 box with the current IOS code installed in it supports the required feature to run the same..
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
regds -
Cisco 831 and "Can't get video from the camera."
I'm running a Cisco 831 router with ios 12.4(5a) installed. Every time I try to initiate a video chat with a computer going through the router, I get the "Can't get video..." error. It works fine with computers on my internal network and if I bypass the Cisco router and plug straight into my Cable modem.
I've covered every conceivable TCP/UDP port being open (per numerous pages re: port 5060, 5190, etc.) and have even gone as far as testing with "permit UDP any any" and "permit TCP any any" at the top of the rules. No luck.
I've been reading about the possibly needing to "unbind" SIP (port 5060). Is this something that a Cisco 831 router would require? The router doesn't seem to respond to any of the documented Cisco command re: VoIP and does not have any phone support that I'm aware of.
If anyone has any info that can help me get this up-and-running, I'd be much obliged.
Thanks,
Matheau
Hi Kcritchie,
It will most likely look like that. But in this case it should be on the UDP protocol.
The link looks useful (it takes a scroll down to see it for others looking)
If I do nat bindlist in my Alcatel I get this
Last login: Thu Jun 29 12:36:20 on console
Welcome to Darwin!
Ralph-G4:~ Ralph$ telnet 10.0.0.138
Trying 10.0.0.138...
Connected to speedtouch.johnshome.
Escape character is '^]'.
Username :
(Pic line drawing edited out here )
=>nat bindlist
Application Proto Port
ESP esp 1
FTP tcp 21
GRE gre 1
H323 tcp 1720
IKE udp 500
ILS tcp 389
ILS tcp 1002
IP6TO4 6to4 1
IRC tcp 6660-6670
JABBER tcp 5222
JABBER tcp 15222
PPTP tcp 1723
RAUDIO(PNA) tcp 7070
RTSP tcp 554
=>
On my device this is because the SIP binding on UDP port 5060 is unbound.
2:30 PM Thursday; June 29, 2006 -
Hello,
please i cannot find part number of Power Supply for Cisco 831.
We need new one for this router.
Thank you
Tomas
PWR-830-WW1= is the part number for the CISCO830 Series External Spare AC Power Supply.
Below are some useful document URLs:
Cisco 831 Router and SOHO 91 Router Hardware Installation Guide
http://www.cisco.com/en/US/docs/routers/access/800/831/hardware/installation/guide/overview.html
Cisco Cable Product Numbers, Part Numbers, and Descriptions
http://www.cisco.com/en/US/products/hw/routers/ps332/products_tech_note09186a0080094b45.shtml
Upgrading Cisco IOS Software for the Cisco 806, 826, 827, 828, 831, 836, and SOHO70 Routers
http://www.cisco.com/en/US/products/hw/routers/ps380/products_tech_note09186a0080094b23.shtml
Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc. -
Cisco 831 no netflow export packets through IPSEC
I have a Cisco 831 in a remote office. The remote office is connected to the Central Office through an IPSec tunnel. I have configured netflow export from source address LAN interface (inside interface) remote office to Server central office. But I did not see netflow packets in the Central Office at the netflow server. Maybe somebody fixed the problem?
Check 'ip route-cache flow' cmd enabled on tunnel interface.
also check this bug-id:CSCef28662.
Try this link:
http://www.cisco.com/en/US/tech/tk812/technologies_white_paper09186a008022bde8.shtml#wp1002626 -
NAT port range forward on Cisco 831
Hi,
I've been trying to forward a range of UDP ports to an internal address but I can't do it.
I can only do static forward, and I'm not gonna forward port 8000 to 9999 one by one.
I've tried with acl, with no result.
INFO:
Router: Cisco 831 (ISO 12.4(2)t1)
ETH0 (LAN: 192.168.2.0)
ETH1 (INTERNET)
FORWARD PORT (UDP 8000 to 9999)
to Address IP (192.168.2.88)
How about you break it down to basics and try a more general approach to it and then if that works, then you can tailor it more.
Try the slight tweak on your configuration above:
access-list 111 permit udp any any range 8000 9999
ip nat pool voip 192.168.2.88 192.168.2.88 netmask 255.255.255.0 type rotary
ip nat inside source list 111 pool voip
Also ensure that there are no ACLs which would block this traffic and remember that the ACL inbound has to specify the GLOBAL IP and not the internal IP as the access-list inbound is checked before the NATting occurs. -
Hi, I'm rather new to working with a Cisco equipment. Just switched to it from a Netgear a month ago. Got a weird problem with my Cisco 831 Router at the moment.
To send e-mail I need to log into my outgoing SMTP server. But since I installed the 831 it just refuses to work. When you hit send it is immediately bounced back from "System Administrator" saying "Authentication Required". If I use a SMTP server that doesn't require authentication it works fine.
Before with the netgear it worked and I've tried putting it back in since the 831 was installed. And it still works placing the blame on the 831.
Anyone came across anything like this?
Any ideas?
Thanks,
Peter
Hi,
Thanks for your reply.
Hopefully this is what you're after.
Building configuration...
Current configuration : 4650 bytes
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname admin
no logging buffered
enable secret xxxx.
username xxx password xxx
username xxx password xxx
username xxx password xxxx
no aaa new-model
ip subnet-zero
ip name-server 62.31.64.39
ip name-server 62.31.112.39
ip dhcp excluded-address 192.168.168.1
ip dhcp excluded-address 192.168.168.168
ip dhcp excluded-address 192.168.168.101
ip dhcp pool CLIENT
import all
network 192.168.168.0 255.255.255.0
default-router 192.168.168.1
lease 0 2
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.168.1-255.255.255.0
ip address 192.168.168.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
interface FastEthernet1
no ip address
duplex auto
speed auto
interface FastEthernet2
no ip address
duplex auto
speed auto
interface FastEthernet3
no ip address
duplex auto
speed auto
interface FastEthernet4
no ip address
duplex auto
speed auto
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.168.168 5900 interface Ethernet1 5900
ip nat inside source static tcp 192.168.168.168 80 interface Ethernet1 80
ip nat inside source static tcp 192.168.168.168 21 interface Ethernet1 21
ip classless
ip http server
no ip http secure-server
access-list 23 permit 192.168.168.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 5900
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
no cdp run
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
scheduler max-task-time 5000
end -
Help limiting throughput by IP address- Cisco 831
I have a cisco 831 with about 40 users behind it. I need to limit throughput to certain stations by IP address. Is this possible? Using CAR maybe? My config is below:
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
hostname xxxxx
enable secret xxx
enable password xxx
username admin password xxx
ip subnet-zero
ip domain name xxxxx
ip name-server x.x.x.x
ip name-server x.x.x.x
ip dhcp excluded-address 10.10.10.1
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
ip dhcp pool xxxxx
ip audit notify log
ip audit po max-events 100
ip ssh source-interface Ethernet0
ip address-pool dhcp-pool
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
interface Ethernet1
ip address dhcp
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx
ppp chap password xxx
ppp pap sent-username xxxx password xxx
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
access-list 101 permit ip host 10.10.10.8 any
access-list 101 permit ip host 10.10.10.36 any
access-list 101 permit ip host 10.10.10.39 any
access-list 101 permit ip host 10.10.10.54 any
access-list 101 permit ip host 10.10.10.55 any
access-list 101 permit ip host 10.10.10.63 any
access-list 101 permit ip host 10.10.10.78 any
access-list 101 permit ip host 10.10.10.85 any
access-list 101 permit ip host 10.10.10.90 any
access-list 101 permit ip host 10.10.10.91 any
access-list 101 permit ip host 10.10.10.92 any
access-list 101 permit ip host 10.10.10.102 any
access-list 101 permit ip host 10.10.10.116 any
access-list 101 permit ip host 10.10.10.123 any
access-list 101 permit ip host 10.10.10.126 any
access-list 101 permit ip host 10.10.10.127 any
access-list 101 permit ip host 10.10.10.134 any
access-list 101 permit ip host 10.10.10.144 any
access-list 101 permit ip host 10.10.10.158 any
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
length 0
scheduler max-task-time 5000
end
Any help is appreciated.
Hi Brian,
Generally, rate limiting is possible with qos acls, class-maps and policy-maps.
But I have no knowledge about the scale of qos features in Cisco 831 routers.
I suggest going in this direction with your search.
Cheers:
Istvan -
Cisco 831 CRWS (web utility) not loading
Greetings. I just unwrapped my new Cisco 831 router, and everything worked out of the box (my post in this newsgroup is proof). However, when I attempt to access the CRWS web setup utility, I get a "Please wait while we check router version, IOS version, ..." and a blue progress bar infinitely fills up and re-starts-- it never allows me to get past this point and actually access the utility. My only guess is that I'm using Firefox v1.5 and this browser isn't supported-- but this would surprise me. Has anyone had this happen to them before, and does anyone have any possible solutions? Thanks in advance!
Hi
The system requirements for CRWS are:
* PC using the Microsoft Windows 95, Windows 98, Windows Me, Windows 2000, or Windows NT operating system.
* Netscape 4.5 or better
* IE 4.0 or better
* Java enabled on the Web browser
* Pentium II, 166 MHz or higher
* 800 by 600 screen resolution with 256 or more colors
It seems that Firefox isn't explicitly supported. Pls try IE or Netscape and see how you go.
Hope that helps - pls rate the post if it does.
Regards,
Paresh, -
Got a cisco 831 and I need to know if this router is capable of doing the pppoe auth without having the ATM interface.
Currently my dsl modem is in bridge mode with a wrt54g doing the pppoe login/auth.
TIA
Thanks, Should my config look something like this:
vpdn enable
no vpdn logging
vpdn-group pppoe
request-dialin
protocol pppoe
interface Dialer 1
description connected to Internet
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer-group 2
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 12345
ppp pap sent-username password 12345
interface Ethernet 1
no shutdown
description connected to Internet
ip address x.x.x.x x.x.x.x
no keepalive
pppoe enable
pppoe-client dial-pool-number 1
interface Ethernet 0
no shutdown
description connected to Internal Switch
ip address x.x.x.x x.x.x.x -
Seriously lost with a cisco 831 broadband router...
ok, to make a long story short I got myself way in over my head with something I know nothing about. Additionally, I've been on the internet for approximately 48 hours and I feel I'm missing something. Here is what I need clarification on. Please help me.
Purchased online: Cisco 831 Broadband Router. I believe the router software has been wiped but not sure.
I purchased a serial-to-rj45 adapter and was TRYING to follow instructions for connecting to the console port on the router to at least see if I can communicate with this darn thing... I'm having no luck..
Can someone PLEASE take me, step by step through the process of pin-out configs for a rj-45 cable, the process for connecting an xp pro computer to the console port on this router and the commands to verify that the software is loaded? I'm a hardware man, not a software man and frankly I feel like the information is written in sand script. I would forever be indebted to anyone that would provide a little guidance for a young man that bit off more than he could chew. <- something I've always done, but I've usually been able to figure things out.
hi
i feel these links will be of some help to u...
http://cisco.com/en/US/products/sw/netmgtsw/ps4618/products_installation_and_configuration_guide_chapter09186a00800810ca.html#xtocid1838115
pinout details..
http://cisco.com/en/US/products/sw/netmgtsw/ps4618/products_installation_and_configuration_guide_chapter09186a00800810ca.html#xtocid1838115
after you get onto the box it may prompt for a password if its set already ,try with cisco or else a simple enter which will get u in the box once ur in give show version command and check whether you are getting any proper o/p.
meanwhile if u dont get any prompt for password and getting into rommon that tells u that ur box doesnt have a valid ios file or due to various other reason it didnt get up on.
for more info/assistance do a simple search on what u need in cisco.com or else post it out here...
regds -
Hi ,
Who can tell me how to config ipsec over GRE tunnel when remote side using dynamic ip !
Thanks!
Cisco has introduced a feature designed to do exactly what you are asking. You can configure an IPSec VPN over GRE tunnel where the remote has dynamic IP using the feature of Dynamic Multipoint VPN (DMVPN).
The key concept here is that the remote side must initiate the tunnel to the central side. In the message requesting the tunnel the remote indicates what address the central should use as the tunnel destination.
I have configured it in the lab and it worked pretty well. I have not yet used it in a production environment.
This URL should help you get started with this:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html
HTH
Rick