Prepaid Services on Cisco 3640 Router

Similar Messages

• IPSEC between Netscreen SSG-140 and Cisco 3640 Router

  The symptoms are that the NS will try to build the IKE session and time out. Even with the Cisco debugging enabled I get no IKE nor IPSEC SA trying to build on the 3640. What am I doing wrong or what can I try?
  Enclosed is the configuration and a brief description of my environment.
  172.30.0.0/16 -> 172.30.20.254 | Netscreen SSG-140 | 192.168.1.254 -> private net -> 192.168.3.5 | 3640 | 172.20.0.220 -> 172.20.0.0/16
  The configurations are enclosed

  Hi
  I think you need to apply the crypto map to the interface FastEthernet0/0.
  crypto map nsmap
  Please rate if this helps.
  Regards MJ

• Cisco 3640 router

  intermittent loss on port 80.(http traffic) port 443 and ftp ok. if I put in the command.
  no IP inspect webs_url out. to my interface. it fixes issue
  any ideas???
  any ideas?

  'ip inspect' command verifies if the HTTP packets are in response to the communication initiated from the router. If it doesn't match, the packets will be dropped.
  The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) as well as all other applications on TCP such as Hypertext Transfer Protocol (HTTP), e-mail, instant message (IM) chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic alone and deny all other TCP traffic.
  The Granular Protocol Inspection feature allows you to specify TCP or UDP ports using the PAM table. As a result, the Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a higher degree of granularity in selecting which protocols are to be permitted and denied
  Also refer to http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad3.html

• Cisco 3640 - Error : Uncompression of the image failed.

  Having a problem booting my Cisco 3640 Router and get the following errors in boot "rommon" mode:
  Error : Uncompression of the image failed.
  invalid compressed data--format violated
  Error : zip decompress failed
  Does anyone know what might cause this and what I can do to get it booted up into IOS?
  Thanks, Scott

  Update - I have already tried uploading a new image to flash: using the rommon> xmodem command and got the same results. Thinking that my flash SIMM card was toast, I then tried installing the IOS image from a PCMCIA Smart card. Again, got the same errors. Anyone know what might cause these errors and how to fix them?

• Can Cisco switch WS-C3650- 24TS-S with ip based services do the ospf routing?

  Can Cisco switch WS-C3650- 24TS-S with ip based services do the Ospf routing?
  Is it necessary to have IP Services features? 

  Yes, IP Base supports OSPF.
  This is web page to check all features:
  http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

• No service password recovery command on cisco 2801 router

  HI,
  we have a cisco 2801 router in class which has a disabled pasword recovery. We tried almost everything, we cannot get into ROMmon and the break sequence dosent work in any program (hyper terminal, putty, teraterm pro). We dont have any idea how to solve this problem.
  Here is the log from hyperterminal:
  System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 2004 by cisco Systems, Inc.
  PLD version 0x10
  GIO ASIC version 0x127
  c2801 processor with 131072 Kbytes of main memory
  Main memory is configured to 64 bit mode with parity disabled
  Readonly ROMMON initialized
  PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
  program load complete, entry point: 0x8000f000, size: 0xc100
  Initializing ATA monitor library.......
  program load complete, entry point: 0x8000f000, size: 0xc100
  Initializing ATA monitor library.......
  program load complete, entry point: 0x8000f000, size: 0xd49718
  Self decompressing the image : #################################################
  ######## [OK]
  --- TRIED BREAK SEQUENCE HERE but nothing happens ---
  Smart Init is enabled
  smart init is sizing iomem
    ID            MEMORY_REQ         TYPE
                  0X003AA110 public buffer pools
                  0X00211000 public particle pools
  0X0013          0X00035000 Card in slot 1
                  0X000021B8 Onboard USB
  If any of the above Memory Requirements are
  "UNKNOWN", you may be using an unsupported
  configuration or there is a software problem and
  system operation may be compromised.
  Allocating additional 7692663 bytes to IO Memory.
  PMem allocated: 117440512 bytes; IOMem allocated: 16777216 bytes
                Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
             cisco Systems, Inc.
             170 West Tasman Drive
             San Jose, California 95134-1706
  Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(1c), RELEASE SO
  FTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2005 by Cisco Systems, Inc.
  Compiled Wed 26-Oct-05 08:42 by evmiller
  Image text-base: 0x6007ECA0, data-base: 0x61480000 
  --- TRIED BREAK SEQUENCE HERE but nothing happens too ---
  Port Statistics for unclassified packets is not turned on.
  Cisco 2801 (revision 6.0) with 114688K/16384K bytes of memory.
  Processor board ID FCZ102422KK
  2 FastEthernet interfaces
  2 Low-speed serial(sync/async) interfaces
  DRAM configuration is 64 bits wide with parity disabled.
  191K bytes of NVRAM.
  62720K bytes of ATA CompactFlash (Read/Write)
  Press RETURN to get started!
  Thanks for help!

  I usually suffer from the same issue, but what works for me everytime is the other method that simulates break sequence. Can't find the documentation for it but this is how it goes:
  Set the serial connection as follows in Putty:
  Baud rate 1200
  1 stop bit
  8 data bits
  no parity
  no flow control
  Turn off your router, then turn it back on and immediately press the spacebar for about 10-15 seconds. All you'll see is giberish. After that reset your console connection settings to the usual 9600 baud rate, and you'll find yourself in rommon mode.

• I am loosing configuration when I power off my Cisco 857 router

  I bought new Cisco 857 router from the shop. Router must have been used before as I couln't go in with default username/password cisco/cisco.
  Well I followed instruciton and reset password to username and password. Now I finally connected to the Cisco CP express over my IE browser.
  I found out that somebody was using a router from the shop so this is why I coun't log to it in the first place. Anyway problem is that when I changed configuration and applied settings it remembers it until I power it off. When I power it on again it remembers all settings from that shop.
  It reverts everything back: IP address, previous level 15 account and password - everything like after password reset.
  I tried it again and it again lost settings. So I found following instruction:
  http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800a65a5.shtml
  I followed it and changed again all settings on the router. My settings are again lost after power off/on. I noticed that when I do first bit it does show
  0x2102 not 0x2142 like they think that is password reset mode.
  Here is my output from Hyper Terminal:
  =============================
  Cisco#enableCisco#show startUsing 3359 out of 131072 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!logging buffered 51200 warningsenable secret 5 $1$hpKF$Rc1tl6r45J8iHG7EN5jSk.!no aaa new-model!crypto pki trustpoint TP-self-signed-3185909327 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3185909327 revocation-check none rsakeypair TP-self-signed-3185909327!!crypto pki certificate chain TP-self-signed-3185909327 certificate self-signed 01 nvram:IOS-Self-Sig#5.cerdot11 syslogno ip dhcp use vrf connectedip dhcp excluded-address 10.10.10.1!ip dhcp pool ccp-pool   import all   network 10.10.10.0 255.255.255.248   default-router 10.10.10.1   lease 0 2!!ip cefno ip domain lookupip domain name molinary.com!!!username admin privilege 15 secret 5 $1$jD3j$r6ROikgGsIlcMTGjkxFQ6.username username privilege 15 password 0 password!!archive log config  hidekeys!!!!!interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl operating-mode auto!interface ATM0.1 point-to-point description $ES_WAN$ ip nat outside ip virtual-reassembly pvc 0/38  encapsulation aal5mux ppp dialer  dialer pool-member 1 !!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$ ip address 10.10.10.1 255.255.255.248 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452!interface Dialer0 ip address dhcp encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname [email protected] ppp chap password 0 netgear01 ppp pap sent-username [email protected] password 0 netgear01!ip forward-protocol nd!ip http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat inside source list 1 interface ATM0.1 overload!access-list 1 remark INSIDE_IF=Vlan1access-list 1 remark CCP_ACL Category=2access-list 1 permit 10.10.10.0 0.0.0.7dialer-list 1 protocol ip permitno cdp run!control-plane!banner exec ^C% Password expiration warning.-----------------------------------------------------------------------Cisco Configuration Professional (Cisco CP) is installed on this deviceand it provides the default username "cisco" for  one-time use. If you havealready used the username "cisco" to login to the router and your IOS imagesupports the "one-time" user option, then this username has already expired.You will not be able to login to the router with this username after you exitthis session.It is strongly suggested that you create a new username with a privilege levelof 15 using the following command.username <myuser> privilege 15 secret 0 <mypassword>Replace <myuser> and <mypassword> with the username and password youwant to use.-----------------------------------------------------------------------^Cbanner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C!line con 0 login local no modem enableline aux 0line vty 0 4 privilege level 15 login local transport input telnet ssh!scheduler max-task-time 5000endCisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#show versionCisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARECisco uptime is 20 minutesSystem returned to ROM by power-onSystem image file is "flash:c850-advsecurityk9-mz.124-15.T12.bin"This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)Configuration register is 0x2102Cisco#Cisco#Cisco#Cisco#endTranslating "end"% Unknown command or computer name, or unable to find computer addressCisco#reloadProceed with reload? [confirm]*Mar  1 01:19:27.786: %SYS-5-RELOAD: Reload requested  by username on console. Reload Reason: Reload Command.System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARETechnical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.C850 series (Board ID: 2-149) platform with 65536 Kbytes of main memoryBooting flash:/c850-advsecurityk9-mz.124-15.T12.binSelf decompressing the image : ############################################## [OK]              Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.           cisco Systems, Inc.           170 West Tasman Drive           San Jose, California 95134-1706Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamImage text-base: 0x8002007C, data-base: 0x814E7240This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)no ip dhcp use vrf connected               ^% Invalid input detected at '^' marker.SETUP: new interface NVI0 placed in "shutdown" statePress RETURN to get started!*Mar  1 00:00:03.952: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized*Mar  1 00:00:03.960: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled*Mar  1 00:00:07.244: %LINK-3-UPDOWN: Interface FastEthernet0, changed state toup*Mar  1 00:00:08.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up*Mar  1 00:00:08.821: %SYS-5-CONFIG_I: Configured from memory by console*Mar  1 01:19:27.072: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up*Mar  1 01:19:27.352: %SYS-5-RESTART: System restarted --Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_team*Mar  1 01:19:27.352: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoinga cold start*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down*Mar  1 01:19:28.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up*Mar  1 01:19:28.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up*Mar  1 01:19:28.484: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down*Mar  1 01:19:28.848: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down*Mar  1 01:19:28.932: %LINK-3-UPDOWN: Interface FastEthernet3, changed state toup*Mar  1 01:19:28.936: %LINK-3-UPDOWN: Interface FastEthernet2, changed state toup*Mar  1 01:19:28.940: %LINK-3-UPDOWN: Interface FastEthernet1, changed state toup*Mar  1 01:19:29.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down*Mar  1 01:19:29.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down*Mar  1 01:19:29.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down*Mar  1 01:19:29.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down*Mar  1 01:19:29.948: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to upAuthorized access only!===========================================
  Please help me as I am stuck and can't go any further....

  Hi David White,
  Alternatively, after password recovery you can modify the configuration to be what you want, and then issue:
     write memory
  to save the configuration.  You can then verify that your changes have been saved to the startup config by issuing:
     show startup-config"
  The only good thing is that when I switch off a router it erase configuration except my new password which I created after password reset. Everything else is getting vanished (ADSL settings, DHCP, routing ) everything. Even new admin accounts I created.
  Well have a question to your above comments. I am new in Cisco so please put as much detail as you can for me to understand. When you say modify configuration do you mean to go to Cisco CP Express graphical interface and then connect router to hyper terminal and execute above commands?
  Why router doesn't remember this anyway. There must be some option to change in configuration to make thing permanent when I hit apply changes in Cisco CO Express otherwise it is pointless to heve it.
  Phillip
  write memory
  is
  copy running-config startup-config"
  Can't this be done via Cisco CP Express or set up router to copy this every time I change this in graphical interface rather going to command line to achnoledge it?
  I understand your concern about this router and somebodie's configuration details as you want things to be un-used when you buy them - true. ADSL details belongs to the shop which sold me the router so that is why I don't make a big problem about this. We take most of hardware from this shop and have discount and many good deals with them so I think they have been just testing it and forgot to erease their config. It might be that someone has returned router to the shop and they have repaired it and tested it.
  I hope this is a normal behaviour of this router as I have option to replace it in case this is a fault.
  Could you please write me step by step guide how can I make changed options stay permanently on router?
  thank you
  Dragan

• Cisco 877 router - Cisco IP phone won't register with SIP provider

  Hi all,
  I'm having a problem with a Cisco SPA504G phone not registering with the SIP carrier over the Internet. We've recently rolled out a Cisco 877 router onto a new NBN business connection and can't get the pre-configured IP phone to register.
  When we tested the phone with the NBN-provided Netgear router, it worked fine, as it did with the previous Cisco 1841 router we were using on a different link.
  The way it's setup is using VLANs to define the internal subnets, which are then assigned to the physical interfaces (since the 887 doesn't allow IP assignments to the interfaces directly).
  VLAN 100 is the internal network and has a SBS2011 server – assigned to F0 – IP range is 192.168.1.0
  VLAN 200 is the guest network and has Internet access only – assigned to F1 – IP range is 10.1.1.0
  VLAN 500 is the WAN network and connects to the NBN upstream box – assigned to F3 – external IP address assigned by DHCP
  I've been playing around with access lists, nat rules, basically everything in my limited Cisco knowledge to try and figure this out, but to no avail. I have even configured what I believe is unrestricted access to IP, UDP and TCP outbound and inbound to all VLANs and still can't get it to register.
  Tried isolating the issue by creating a new VLAN and assigning it to the spare interface and basically allowing everything in and out, but still no luck.
  The problem has to be something on the router – probably some small line of config I haven’t removed or added.
  I am going to pull my hair out soon, so would really appreciate some assistance from the Cisco gurus out there.
  My client has just purchased about 10 of these handsets from their provider so I need to fix this ASAP. The guy who provided them wasn't very helpful, and basically said I'm on my own once we tested using the NBN-provided Netgear router.
  Happy to post my config as well.
  Please help!!!!

  Current configuration : 4912 bytes
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router1
  boot-start-marker
  boot-end-marker
  no aaa new-model
  memory-size iomem 10
  crypto pki token default removal timeout 0
  no ip source-route
  ip dhcp excluded-address 10.1.1.1
  ip dhcp pool GUEST
   network 10.1.1.0 255.255.255.0
   dns-server 10.1.1.1 203.50.2.71 139.130.4.4
   default-router 10.1.1.1
  ip cef
  no ip domain lookup
  ip domain name network.local
  ip name-server 192.168.1.123
  ip name-server 203.23.53.12
  ip name-server 197.12.32.86
  ip name-server 8.8.8.8
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn FGL171220XY
  username admin privilege 15 secret 5 $1$aNsm$N1BCQYkoi8gnURyvloYEX/
  controller VDSL 0
  interface Ethernet0
   no ip address
   shutdown
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   bridge-group 10
   pvc 8/35
  interface FastEthernet0
   description NAC - Internal network
   switchport access vlan 100
   no ip address
  interface FastEthernet1
   description NAC - Guest network
   switchport access vlan 200
   no ip address
  interface FastEthernet2
   no ip address
   shutdown
  interface FastEthernet3
   description **** WAN Port ****
   switchport access vlan 500
   no ip address
  interface Vlan1
   no ip address
   bridge-group 10
   hold-queue 100 out
  interface Vlan100
   description NAC - Internal Vlan
   ip address 192.168.1.1 255.255.255.0
   ip access-group IN-100 in
   ip access-group OUT-100 out
   ip nat inside
   ip virtual-reassembly in
  interface Vlan200
   description NAC - Guest Vlan
   ip address 10.1.1.1 255.255.255.0
   ip access-group IN-200 in
   ip access-group OUT-200 out
   ip nat inside
   ip virtual-reassembly in
  interface Vlan500
   description **** WAN Vlan ****
   ip address dhcp
   ip nat outside
   no ip virtual-reassembly in
  no ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http secure-server
  ip dns server
  ip nat inside source list NAT-100 interface Vlan500 overload
  ip nat inside source list NAT-200 interface Vlan500 overload
  ip nat inside source static tcp 192.168.1.123 25 interface Vlan500 25
  ip nat inside source static tcp 192.168.1.123 443 interface Vlan500 443
  ip nat inside source static tcp 192.168.1.123 3389 interface Vlan500 3399
  ip nat inside source static tcp 192.168.1.123 80 interface Vlan500 80
  ip nat inside source static tcp 192.168.1.123 4125 interface Vlan500 4125
  ip nat inside source static tcp 192.168.1.124 3389 interface Vlan500 3390
  ip nat inside source static tcp 192.168.1.123 987 interface Vlan500 987
  ip nat inside source static tcp 192.168.1.123 1723 interface Vlan500 1723
  ip route 0.0.0.0 0.0.0.0 55.234.52.43
  ip access-list extended IN-100
   permit udp any any range bootps bootpc
   deny   ip 10.1.1.0 0.0.0.255 any
   permit ip 192.168.1.0 0.0.0.255 any
  ip access-list extended IN-200
   permit udp any any range bootps bootpc
   permit ip 10.1.1.0 0.0.0.255 any
  ip access-list extended NAT-100
   deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
   permit ip 192.168.1.0 0.0.0.255 any
  ip access-list extended NAT-200
   deny   ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
   permit ip 10.1.1.0 0.0.0.255 any
  ip access-list extended OUT-100
   permit udp any range bootps bootpc any
   deny   ip 10.1.1.0 0.0.0.255 any
   permit ip any 192.168.1.0 0.0.0.255
  ip access-list extended OUT-200
   permit udp any range bootps bootpc any
   deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
   permit ip any 10.1.1.0 0.0.0.255
  access-list 23 permit 59.23.164.52
  access-list 23 permit 192.168.1.0 0.0.0.255
  access-list 23 permit 10.1.1.0 0.0.0.255
  access-list 23 permit 120.146.0.0 0.0.255.255
  access-list 23 permit 149.185.12.0 0.0.0.255
  access-list 23 permit 110.44.28.0 0.0.0.255
  access-list 23 permit 110.44.26.0 0.0.0.255
  access-list 23 permit 103.25.212.0 0.0.0.255
  access-list 23 permit any
  bridge 10 protocol ieee
  banner motd ^C
  *      Authorized personnel only!       *
  ^C
  line con 0
   login local
   no modem enable
  line aux 0
  line vty 0 4
   password password01
   login local
   transport input all
  end

• Configuration Issue with my Cisco 871 Router

  Hi all,
  I am a newbie to the Cisco IOS.
  I got a Cisco 871 Router that I'd like to use for internet connection. My LAN network is 192.168.1.0/24 and the ISP has assigned us the IP 41.212.79.108/24 and gateway 41.212.79.1.
  With my current configuration, I can hit the router - 192.168.1.1 - and it's WAN port - 41.212.79.108 - but not the gateway.
  Below is my current config:
  Hoggers#show config
  Using 4414 out of 131072 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Hoggers
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  enable secret 5 **********************.
  no aaa new-model
  crypto pki trustpoint TP-self-signed-568493463
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-568493463
  revocation-check none
  rsakeypair TP-self-signed-568493463
  crypto pki certificate chain TP-self-signed-568493463
  certificate self-signed 01 nvram:IOS-Self-Sig#7.cer
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.1.1
  ip dhcp excluded-address 192.168.1.2
  ip dhcp excluded-address 192.168.1.3
  ip dhcp excluded-address 192.168.1.4
  ip dhcp excluded-address 192.168.1.5
  ip dhcp excluded-address 192.168.1.6
  ip dhcp excluded-address 192.168.1.7
  ip dhcp excluded-address 192.168.1.8
  ip dhcp excluded-address 192.168.1.9
  ip dhcp excluded-address 192.168.1.10
  ip dhcp excluded-address 192.168.1.100
  ip dhcp excluded-address 192.168.1.90
  ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 0 2
  ip dhcp pool LANPOOL
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 41.212.3.2 41.212.3.253
  ip domain name yourdomain.com
  ip name-server 41.212.3.2
  ip name-server 41.212.3.253
  archive
  log config
    hidekeys
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description Wan to Outside World
  ip address 41.212.79.108 255.255.255.0
  duplex auto
  speed auto
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 192.168.1.1 255.255.255.0
  ip tcp adjust-mss 1452
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 41.212.79.1
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source static tcp 192.168.1.31 80 interface FastEthernet4 80
  access-list 23 permit 10.10.10.0 0.0.0.7
  no cdp run
  control-plane
  scheduler max-task-time 5000
  end
  I'll appreciate any light you can shed on what am missing.

  2 wireless routers can not communicate wirelessly with each other.
  You need to connect cable between 2 routers and use the second wireless router as access point.
  Follow this link to connect Linksys router to another router.
  Some of your devices are getting same IP address. This might be the issue with DHCP server of the router. You can try DHCP reservation on the router so that each device will get unique IP address.

• How to install 2-port vic3 2fxs/DID and 2-port vic2 fxo on cisco 2801 router

  Hello
  I'm looking for information on how to install 2 newly purchased cards  and keep running into dead links. The cards I bought are for a  CISCO-2801-CCME/K9 with PVDM2-8, FL-CCME-25, SP Services 128F/256D cisco  router:
  vic3 2fxs/DID and a vic2 2fxo.
  I keep finding documents on how to  install these cards but all links are dead and leading to nowhere.
  http://www.cisco.com/en/US/docs/routers/access/interfaces/ic/hardware/installation/guide/2port_FXS_DID_VIC.html#wp1065062
  The  2 documents i'm looking for are: how to install a 2-port vic2 fxo cards on cisco  2801 router and how to install 2-port vic3 2fxs/DID cards on the same 2801 cisco  router.
  NOTE: I've never installed these cards and am not sure if:
  Does my  ios support both of these cards?
  and which slots do I install those in the  router.
  I have 4 slots like this:
  slot 0: This slot only accepts VIC's   ***This could be used for the vic3 2fxs/DID card correct?
  slot 1: Nothing  written here  ****What can i install in this slot?
  slot 2: This slot only  accepts VIC's and WIC's  ***If I buy a WIC and install here which other slot can  i install my VIC2-2FXO card in ?
  slot 3: Nothing written here  ***What can i  install in this slot?
  Any chance someone can help me out with this.
  Thanks  very much

  Ok
  I was able to figure out what goes where and found out that the IOS i had c-2801-spservicesk9-mz.124-15.T10.bin with cme-full-4.1.0.2 tar didn't support the vic3 2fxs/DID card. I then found the one that works which is the c2801-spservicesk9-mz.124-22.YB5.bin.I am now able to see my new hardware interfaces. The question I have now is since the previous version ran with cme-full-4.1.0.2 tar i'm not sure if this needs to be changed since in the compatibility matrix i found this IOS c2801-spservicesk9-mz.124-22.YB5.bin to be compatible with cme-full-7.1.0.0 tar
  Do i need to remove cme-full-4.1.0.2 tar and install the cme-full-7.1.0.0 tar?
  If yes, i know how to install the cme-full-7.1.0.0 tar but how do i remove the other cme-full-4.1.0.2 tar file in order to be able to install the other version?
  Thanks

• What are the ideal settings for my TC with Shaw's Cisco DPC3825 router/modem

  My old 2nd Gen Time Capsule crapped out and now I am about to set up my new 2TB TC.  My provider is Shaw Communications and they have upgraded me to their Broadband 100 Mbps service.  This came with a new modem/router combo made by Cisco and is model DPC3825.  Before I start plugging things in I'd like to know what are the ideal settings such that I gain the most of the BB100 service.  Should I be setting the Cisco modem/router to Bridge mode or the TC?  Should I have Shaw disable anything?  Any insight is greatly appreciated.

  Unless you specifically need to have the TC perform as the main router for your network, life will be a lot easier if you configure the TC to operate in Bridge Mode.
  Whether the Cisco modem/router or gateway can possibly be configured to act as a simple bridge mode modem is one thing to consider.
  Whether Shaw would support you in the event of any connection difficulties with the modem/router configured this way is another.
  Since Shaw is your provider, it might make sense to talk with them about best practice as far as configuring the DPC3825.
  Once you have that information in hand, you will then have the answer on how best to configure the TC.....which will very likely be in Bridge Mode.

• Problem with Cisco 861W router and outgoing VPN

  We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
  Here is the Access Point Configuration:
  Current configuration : 2100 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname obap
  enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
  no aaa new-model
  dot11 syslog
  dot11 ssid OLIVER
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 0 XXXXXXXXXXX
  username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm tkip
  ssid OLIVER
  antenna gain 0
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0
  description the embedded AP GigabitEthernet 0 is an internal interface connecti
  ng AP with the host router
  no ip address
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 192.168.0.2 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  banner login ^CC
  % Password change notice.
  Default username/password setup on AP is cisco/cisco with priv¾ilege level 15.
  It is strongly suggested that you create a new username with privilege level
  15 using the following command for console security.
  username <myuser> privilege 15 secret 0 <mypassword>
  no username cisco
  Replace <myuser> and <mypassword> with the username and password you want to
  use. After you change your username/password you can turn off this message
  by configuring  "no banner login" and "no banner exec" in privileged mode.
  ^C
  line con 0
  privilege level 15
  login local
  no activation-character
  line vty 0 4
  login local
  cns dhcp
  end
  obap#
  Here is the Router's Configuration:
  Current configuration : 5908 bytes
  ! No configuration change since last restart
  version 15.0
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname obrouter
  boot-start-marker
  boot-end-marker
  logging buffered 51200
  logging console critical
  enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
  no aaa new-model
  memory-size iomem 10
  clock timezone PCTime -5
  clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-1856757619
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1856757619
  revocation-check none
  rsakeypair TP-self-signed-1856757619
  crypto pki certificate chain TP-self-signed-1856757619
  certificate self-signed 01
    3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
    34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
    35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
    7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
    071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
    B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
    F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
    551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
    0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
    1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
    06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
    DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
    F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
    B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
    505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
          quit
  no ip source-route
  ip dhcp excluded-address 192.168.0.1 192.168.0.99
  ip dhcp pool ccp-pool1
     import all
     network 192.168.0.0 255.255.255.0
     dns-server 216.49.160.10 216.49.160.66
     default-router 192.168.0.1
  ip cef
  no ip bootp server
  ip domain name brushhog.com
  ip name-server 216.49.160.10
  ip name-server 216.49.160.66
  license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
  username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description $ES_WAN$$FW_OUTSIDE$
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
  interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered Vlan1
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  arp timeout 0
  interface Wlan-GigabitEthernet0
  description Internal switch interface connecting to the embedded AP
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  ip address 192.168.0.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1412
  interface Dialer0
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip mtu 1452
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname XXXXXXXXXXXXX
  ppp chap password 7 XXXXXXXXXXXXXXXX
  ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
  no cdp enable
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
  ip nat inside source list 1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  logging trap debugging
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.0.0 0.0.0.255
  dialer-list 1 protocol ip permit
  no cdp run
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner login ^CAuthorized access only!
  Disconnect IMMEDIATELY if you are not an authorized user!^C
  line con 0
  login local
  no modem enable
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  scheduler max-task-time 5000
  scheduler allocate 4000 1000
  scheduler interval 500
  end
  Any help would be appreciated

  Hello,
  i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
  Can someone help?
  Thank you.
  Here is my config for internal AP and router.

• Configuring Cisco 3620 router

  I am quite new and haven't worked before with Cisco router. I have a Cisco 3620 router with only one ethernet interface (FastEthernet 0/0).
  I want to configure it so that the router will have ip address of 192.168.2.2 (255.255.255.0). I am not using DHCP so all the machines in the network are configured manually.
  My running-config is as follows.
  version 11.3
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname router
  enable secret xxxx
  enable password xxxx
  controller T1 0/0
  framing esf
  linecode b8zs
  channel-group 0 timeslots 1-24 speed 64
  interface FastEthernet0/0
  ip address 192.168.2.2 255.255.255.0
  interface Serial0/0:0
  no ip address
  shutdown
  ip classless
  dialer-list 1 protocol ip permit
  dialer-list 1 protocol ipx permit
  line con 0
  line aux 0
  line vty 0 4
  password xxxx
  login
  end
  Can someone give advise on what should I use for default-gateway, default-network and route?
  I want to use name-server which has class B ip address. 131.x.x.x.
  If my router can route all the traffic to 131.x.x.y (gateway in the same LAN as router) then I can connect to Internet.
  Can someone tell me how to do this?
  Regards,
  Amar.

  Hi
  i feel u need to have 2 ethernet interfaces in your router to have the reachability to the 131.x.x.x series from your local lan which is in 192.168.2.x series..
  eventually u need to deploy nat to have this kinda access in place...
  if you got to have that you can configure one of your interface on 131.x.x.x series and configure it as a nat outside interface and keep faeth0/0 as ur inside interface.
  you need to configure up a access list and also the necessary overloading to achieve the connectivity.
  i think this link will def help u out to find more details about the scenario and config details about which i m mentionining over here..
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
  And again you can have the ip reachability using normal static ip route in your box..pointing to the ip which can be used to go out to the public/outside world..
  regds

• Cisco 877W router and external ADSL modem

  Cisco 877W router and external ADSL modem
  In order to support ADSL2+ on a pre ADSL2+ router and in preparation for a later migration to BT infinity I am trying to configure the Router using an external adsl2+ modem appropriately.
  The original configuration had 3 ports configured as one (internal lan) vlan and bridge group together with one wireless sub-interface, the remaining port configured a second vlan and bridge group with a second wireless sub- interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
  The configuration I am attempting is similar the lan ports remain the same, but port 0 as a member of the vlan and bridge group (now a pppoe client) associated with one of the wireless sub interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless subinterface on this bridge group is configured the dialer no longer dials giving a 'no dialer string' error. If I do not configure that wireless sub interface all works well.
  If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
  version 12.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxxxxxxxxx
  boot-start-marker
  boot-end-marker
  logging buffered 4096 warnings
  enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  aaa new-model
  aaa group server radius sdm-vpn-server-group-2
  aaa group server radius rad_eap
   server 192.168.253.1 auth-port 1812 acct-port 1813
   server 192.168.253.1 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone PCTime 0
  clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-2834265337
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-2834265337
   revocation-check none
   rsakeypair TP-self-signed-2834265337
  crypto pki certificate chain TP-self-signed-2834265337
   certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
  dot11 syslog
  dot11 ssid GuestAP
     vlan 101
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 113B162712001F4A2D2B25
  dot11 ssid LanAP
     vlan 100
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     mbssid guest-mode
  no ip source-route
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.252.1 192.168.252.8
  ip dhcp excluded-address 192.168.252.15 192.168.252.254
  ip dhcp pool sdm-pool1
     import all
     network 192.168.252.0 255.255.255.0
     domain-name XXX.Local
     dns-server xxx.xxx.xxx.xxx
     default-router 192.168.252.254
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  no ip bootp server
  no ip domain lookup
  ip domain name XXX.Local
  ip name-server xxx.xxx.xxx.xxx
  ip name-server xxx.xxx.xxx.xxx
  ip reflexive-list timeout 120
  vpdn enable
  vpdn-group 1
   request-dialin
    protocol pppoe
  username administrator privilege 15 secret 5 £££££££££££££££££££££
  class-map type inspect match-any IN_to_OUT_CLASS
   match protocol tcp
   match protocol udp
   match protocol icmp
  class-map type inspect match-any OUT_to_IN_CLASS
   match protocol https
   match protocol smtp extended
  class-map type inspect match-any DMZ_to_IN_CLASS
   match protocol http
   match protocol https
   match protocol smtp extended
  policy-map type inspect DMZ_to_IN_POL
   class type inspect DMZ_to_IN_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect IN_to_OUT_POL
   class type inspect IN_to_OUT_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect OUT_to_IN_POL
   class type inspect OUT_to_IN_CLASS
    inspect
   class class-default
    drop log
  zone security INSIDE
  zone security OUTSIDE
  zone security DMZ
  zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
   service-policy type inspect OUT_to_IN_POL
  zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_IN source DMZ destination INSIDE
   service-policy type inspect DMZ_to_IN_POL
  bridge irb
  interface Loopback0
   no ip address
  interface Null0
   no ip unreachables
  interface ATM0
   no ip address
   shutdown
   no atm ilmi-keepalive
   dsl operating-mode auto
  interface FastEthernet0
   description Outside Interface (PPPoE)
  interface FastEthernet1
   description Inside Interface
   switchport access vlan 10
  interface FastEthernet2
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface FastEthernet3
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface Dot11Radio0
   no ip address
   no ip route-cache cef
   no ip route-cache
   encryption vlan 100 mode ciphers aes-ccm tkip
   encryption vlan 101 mode ciphers aes-ccm tkip
   ssid GuestAP
   ssid LanAP
   mbssid
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
   channel 2437
   station-role root
  interface Dot11Radio0.100
   description LanAP
   encapsulation dot1Q 100
   no ip route-cache
   no cdp enable
   bridge-group 10
   bridge-group 10 subscriber-loop-control
   bridge-group 10 spanning-disabled
   bridge-group 10 block-unknown-source
   no bridge-group 10 source-learning
   no bridge-group 10 unicast-flooding
  !interface Dot11Radio0.101
  ! description GuestAP
  ! encapsulation dot1Q 101
  ! no ip route-cache
  ! no cdp enable
  ! bridge-group 1
  ! bridge-group 1 subscriber-loop-control
  ! bridge-group 1 spanning-disabled
  ! bridge-group 1 block-unknown-source
  ! no bridge-group 1 source-learning
  ! no bridge-group 1 unicast-flooding
  interface Vlan1
   description $ES_LAN$
   no ip address
   ip virtual-reassembly
   pppoe enable group global
   pppoe-client dial-pool-number 1
   bridge-group 1
  interface Vlan10
   no ip address
   ip virtual-reassembly
   bridge-group 10
  interface Dialer1
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1452
   ip nat outside
   ip virtual-reassembly
   zone-member security OUTSIDE
   encapsulation ppp
   ip route-cache flow
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname XXXXXXX
   ppp chap password 7 xxxxxxxxxxxxxxxxxxx
   ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
   ppp ipcp dns request
   ppp ipcp wins request
   hold-queue 224 in
  interface Dialer0
   no ip address
  interface BVI10
   description Inside Interface
   ip address 192.168.253.254 255.255.255.0
   ip access-group 101 in
   ip helper-address 192.168.253.1
   ip nat inside
   ip virtual-reassembly
   zone-member security INSIDE
  interface BVI1
   description DMZ Interface
   ip address 192.168.252.254 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   zone-member security DMZ
  ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http access-class 1
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
  ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
  ip access-list extended DMZ_to_IN_POL
   remark SDM_ACL Category=128
   permit ip any any
  ip access-list extended Inside_Clients_NAT
   remark SDM_ACL Category=2
   permit ip 192.168.253.0 0.0.0.255 any
  logging 192.168.253.10
  access-list 1 remark Auto generated by SDM Management Access feature
  access-list 1 remark SDM_ACL Category=1
  access-list 1 permit 192.168.253.0 0.0.0.255
  access-list 100 remark VTY Access-class list
  access-list 100 remark SDM_ACL Category=1
  access-list 100 permit ip 192.168.253.0 0.0.0.255 any
  access-list 100 deny   ip any any
  access-list 101 remark Auto generated by SDM Management Access feature
  access-list 101 remark SDM_ACL Category=1
  access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
  access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
  access-list 101 deny   tcp any host 192.168.253.254 eq telnet
  access-list 101 deny   tcp any host 192.168.253.254 eq 22
  access-list 101 deny   tcp any host 192.168.253.254 eq www
  access-list 101 deny   tcp any host 192.168.253.254 eq 443
  access-list 101 deny   tcp any host 192.168.253.254 eq cmd
  access-list 101 deny   udp any host 192.168.253.254 eq snmp
  access-list 101 permit ip any any
  access-list 199 permit ip any host 10.1.1.1
  dialer-list 1 protocol ip permit
  no cdp run
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
  radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
  radius-server vsa send accounting
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 10 protocol ieee
  bridge 10 route ip
  banner login C Border Router
  line con 0
   no modem enable
   transport output telnet
  line aux 0
   transport output telnet
  line vty 0 4
   access-class 100 in
   privilege level 15
   length 0
   transport input telnet ssh
  scheduler max-task-time 5000
  scheduler interval 500
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  sntp server xxx.xxx.xxx.xxx
  end

  Hi Jody,
  Apologies delay in replying. I have done the following:
  Made two of the FE ports vlan1,BVI1 (for LAN traffic)
  Left one port as VLAN10 as the pppoe client conected to the externalmodem
  Made the last port VLAN10 as well and gave it an IP addess as for a DMZ client.
  I have DHCP configured to serve the DMZ  addresses.
  This all works for LAN clients and also works for a client attachedto that physical DMZ port.
  When I added a dot11radio sub interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
  I had never thought about this before, but if a dot11radio interface is on the same vlan (but not being part ofa bridge group) why are DHCP broadcasts not propogating to all the vlan members as I would have expected. I recognise that this isa limit in my understanding.
  If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per original posting.
  I cannot add another VLAN due to the 2 vlan limit in this image.
  Finally regarding your comment about giving it what it wants, what exactly did you have in mind. The dialer already has a dial string parameters configured.
  Think I am about to give upon this.
  Regards,

• RADIUS and Cisco 2611 router

  Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
  Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
  Using 2297 out of 29688 bytes
  ! Last configuration change at 17:20:27 PDT Tue May 20 2008
  ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
  version 12.1
  no service single-slot-reload-enable
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname Tester
  logging buffered 10000 debugging
  aaa new-model
  aaa group server radius RadiusServers
  server 172.26.0.2 auth-port 1812 acct-port 1813
  aaa authentication login default group RadiusServers local
  aaa authentication login localauth local
  aaa authentication ppp default if-needed group radius local
  aaa authorization exec default group radius local
  aaa authorization network default group radius local
  aaa accounting delay-start
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa processes 6
  enable secret xxx
  username test password xxx
  clock timezone PST -8
  clock summer-time PDT recurring
  ip subnet-zero
  no ip domain-lookup
  no ip bootp server
  interface Loopback0
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/0
  description To Main Network
  ip address X.X.X.X 255.255.255.128
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  full-duplex
  no cdp enable
  interface Ethernet0/1
  description To Internal Network
  ip address 172.26.0.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  load-interval 30
  full-duplex
  no cdp enable
  ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
  ip nat inside source list 3 pool test overload
  ip nat inside destination list 3 pool test
  ip classless
  ip route 0.0.0.0 0.0.0.0 X.X.X.X
  no ip http server
  ip radius source-interface Ethernet0/1
  access-list 3 permit 172.26.0.0 0.0.0.255
  no cdp run
  snmp-server community public RO 15
  radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
  radius-server retransmit 3
  radius-server key secret
  line con 0
  password xxx
  logging synchronous
  line aux 0
  line vty 0 4
  access-class 10 in
  password 7 1234567890
  logging synchronous
  ntp clock-period 17208108
  ntp server 192.43.244.18
  end
  My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
  I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
  Thank you for any assistance you may be able to provide.

  I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
  The command I shared:
  aaa authentication enable default group radius local
  ... was erroneous. The keyword should have been "enable", as you have discovered.
  Therefore use:
  aaa authentication enable default group radius enable
  When I view a Wireshark trace I see the following:
  AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
  Like you, I see the user password appended with the group of \000 grouping's.
  Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
  I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
  The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
  My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
  However, there are other mainstream authentication methods that I think you should investigate as well.
  You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
  I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
  The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
  I think you should:
  1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
  2. Investigate whether PPPoE support exists on your router's interfaces.
  3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
  4. Decide which methods appeals to you.
  5. Dive in.
  I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
  I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
  Good luck.