 | [HELP] Some 1841 questions
I bought this yesterday at a surplus store. I have some questions:
1) The literature I have seen for this model says that it comes with 64 MB of flash memory, but the Compact Flash card in my unit is only 32 MB. The CF card does say "Cisco" on it, so I assume that my unit is a very early one (when they supplied a smaller capacity CF card) or else somebody along the way swapped the 64 MB card in this one for a 32 MB card out of an older Cisco model. Does this sound reasonable?
2) I see that there are two RJ-45 jacks, one marked "Console" and one marked "Aux". What is the difference between these?
3) When I have seen Cisco equipment advertised on Craigslist, most of the time the seller has attached a printout from the unit, showing the serial number, software version, amount of memory, number of licensed users, etc. I am trying to get this info out of my unit, but no go. I have a Cisco 72-1592-01 (Gray) Management Cable (RJ-45 to DB-9) from a 678 ADSL modem. Is this compatible with the 1841, or did they change the pinouts along the way? A couple of Mac-compatible Terminal programs and the Windows HyperTerminal program say that they are connected, but nothing gets displayed when I power-up the 1841. It is always possible that the unit is defective, but I suspect that I simply am doing something wrong. I have tried plugging the Management Cable into both the "Console" and the "Aux" jacks; neither jack gives me any data. |
|
 | 1) »www.cisco.com/en/US/prod/collate···035.html Looks like this happened in 2009.
2) CONSOLE is usually where you connect your DB9->RJ-45 cable, and AUX is where you would connect the out of band modem. Pin-out-wise, I think they're identical.
3) Only time where I found a DB-9->RJ-45 cable didn't work is one that is used for Cisco routers and switches versus the one used for CSS, long story that I won't bore you with. Hook it up and in your terminal software, make sure your settings are 9600-8-n-1 and hit enter a couple times when the router's booted up. If there's no password, you should get a prompt like router>. If it is password protected, it should prompt you for a password.
Regards |
|
 | Thanks for this info.
Based on the answer to question #3, I may have been hooked up, but didn't realize it. On the 678 ADSL modem, the hardware readout happens automatically when the unit boots up; I expected the 1841 to do the same. I will try connecting it later today and hitting "Enter" a couple of times after the 1841's "Sys Pwr" light is on continuously.
If the previous owner's password is still in there, I assume that the procedure is like the 678 ADSL modem, where there is a command "Set NVRAM erase" (may be a little different for the 1841) that wipes out all of the configuration settings, so that you can start over. I didn't see any factory-default reset pushbutton. |
|
 bigsy join:2001-07-18 UK kudos:1 | said by daveinpoway: "If the previous owner's password is still in there, I assume that the procedure is like the 678 ADSL modem, where there is a command "Set NVRAM erase" (may be a little different for the 1841) that wipes out all of the configuration settings, so that you can start over. I didn't see any factory-default reset pushbutton."
Look at the forum FAQ on password recovery procedures, »Cisco Forum FAQ »Password Recovery Procedures - proper BREAK key sending |
|
 | reply to HELLFIRE I have the 1841 hooked right now to my old Dell laptop (which has a genuine Serial port on it- no need for a USB-to-Serial adapter), running Windows XP Professional, SP3. In the HyperTerminal program, the settings are:
-Function, arrow and ctrl keys act as: Terminal keys
-Backspace key sends: Ctrl+H
-Emulation: Auto detect
-Telnet terminal ID: ANSI
-Backscroll buffer lines: 500
-Play sound when connecting or disconnecting: (unchecked)
The communications settings are 9600-8-n-1-(no flow control)
Absolutely nothing is displayed when the 1841 boots up and when I press "Enter" multiple times after boot-up. I guess the proper approach at this time (before pronouncing the router as DOA) is to research the proper cable pinouts and to make sure that what I am using matches up. |
|
 | Update- I connected the management cable to the 678 ADSL modem, changed the baud rate to 38,400 (which is required for that model) and applied power to the modem- It tells me "Hello!", followed by the status info. So, the cable is good, and the HyperTerminal program in the laptop can communicate with the cable.
The only suspects left at this point appear to be either a dead router or a cable that is unsuitable for this router. |
|
 | reply to daveinpoway My vote is a wrong cable or an fsck'd console port setting -- I've run into a few of those before in my time. The cable could also be a candidate as well. Do you know how to make your own cables, daveinpoway?
May want to try here »www.cisco.com/en/US/products/hw/···85.shtml
Regards |
|
 | I found some data on the Internet (before seeing your reply)- the 678 Management Cable does not match the pinouts required by this model. After putting together a cable which meets the specifications, I see that the router is now chattering away. Talkative thing, giving me all sorts of warnings and notices.
No time to do any more on this project today, so I will wait until another time to read just what it is saying. Enabling communication is sufficient progress for now. |
|
 | OK, I'm lost. I tried following the password recovery procedure; in Step 12, I tried setting the secret password to "cisco" (without the quotes), but I get no confirmation that the change was made.
In the configuration, I see that there are 2 usernames; each has a password 7, followed by a long alphanumeric code; I have no idea if these are encrypted or not.
Anyway, when I try to login to the router, I have tried using both of these usernames, and I have typed in the alphanumeric sequences, but verification is denied. How can I log in? I see no way to log in with the secret password (and, as I said earlier, without a confirmation, I don't know if the secret password was even changed).
Step 12 in the password recovery procedure changes the secret password, but I see no steps regarding how to change the username(s) and username password(s). Did I miss something, or is there another document that I need to follow to do this?
Also, I understand that there is a graphical interface in this model; how can I access this? I didn't see anything in the console commands to enable/disable the graphical interface (but I will admit that it may have been there, but I didn't know what to look for).
When the procedure tells you to set the interfaces to the up state, the console tells me that they have been configured to be up, but, after a few seconds, I get a message that they have been configured to be down again. Is this normal?
I have worked with SonicWALL, Juniper, CheckPoint/SofaWare, Watchguard and SnapGear equipment, but nothing that I learned about these brands seems to be of any use regarding understanding Cisco configuration. Should I give up and sell this, or is there some hope that I can figure out how to set it up? My frustration level is at 100% right now. |
|
 | reply to daveinpoway After changing the enable password, issue a '^z' command, which should make your changes to the current running config. If you reload the router you HAVE to issue a 'copy run start,' otherwise you lose your changes.
For the type 7 passwords, you may want to look here to decrypt, daveinpoway: »www.ibeast.com/content/tools/Cis···ndex.asp. The only time you need those username / passwords is if you are not consoling into the router but are remoting in via telnet or such. Until you are, you can leave them as such.
For a GUI you can get either SDM or CCP if you have a Cisco CCO account.
For the interfaces, unless there is a cable plugged in and an ACTIVE device on the other end, then yes it is normal for the interface to go into a down/down state.
Just out of curiosity, when you were doing Juniper, was it the routing side or the ScreenOS side, and were you working predominantly with the CLI or GUI? Pretty much the Cisco CLI is like any other CLI, you just need to know and get used to the commandset. The rest follows with practice. If you worked thru and mastered so many other products, I think you can master this.
Just for myself, if the previous owner was stupid enough to leave their config on this device before selling it, can you post it up for us?
Regards |
|
 | I followed the password recovery article's instructions regarding storing the changes; if additional steps are required, the article didn't tell me what they are.
Thank you for the link to the password 7 decrypting site.
If I don't need the usernames/passwords when connecting to the router via the console, why does it ask me for a username and password after I hit "Return" once the console is initialized? What should I enter here? Apparently, I should use cisco and cisco on a brand-new router, but those don't work on this used one. Until I authenticate at this step, I am not allowed to proceed.
I see that the secret password is a type 5; if my previous work was successful, the password should now be cisco; if my work didn't pan out, then the secret password is whatever the previous owner set it to.
I was under the (possibly wrong) impression that SDM was already loaded into the router; if it is, I have no idea how to verify this.
My foray into Juniper was for ScreenOS (NetScreen 5GT model); the GUI is so comprehensive (I once heard it described as having "at least 1 million configuration options") that I never needed the CLI. At least the other brands I worked with have a reset switch that clears out the previous owner's passwords and configuration; it wasn't necessary to go through a long procedure to accomplish this.
Yes, the previous owner's configuration is still in there; I will see if I can post it. How can I get to it without going through the password recovery procedure? |
|
 | Ah, "I see", said the blind man. To get the configuration, I authenticate (using one of the usernames and the decrypted password 7 for it), then I type "enable" and enter "cisco" for the password (this seems to confirm that I did change the secret password). After that, "show configuration" will get me the info.
Since only a little is displayed at a time, requiring repeatedly pressing "Enter" to access "More", I need to accumulate everything in Notepad. For unknown reasons, I do not seem to be able to list everything when accessing the router with my Mac (using a USB-to-Serial adapter), so I will have to do it on my old Dell laptop (which has a native Serial port) or else try a different Mac terminal-emulation program.
I assume there is a way to change the usernames and their passwords, but I presently don't know how to do this.
One frustrating thing about Cisco is that when you type a password, they don't display ***; there is no indication that the router received your password. |
|
 | OK, here is the configuration. Usernames and passwords have been replaced by 4-letter codes:
JJJJ#show configuration
Using 8379 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname JJJJ
!
boot-start-marker
boot system flash flash:c1841-ipbasek9-mz.124-15.T6a.bin
boot-end-marker
!
logging buffered 4096
enable secret 5 XXXX
!
aaa new-model
!
!
aaa authentication attempts login 2
aaa authentication login RMC group tacacs+ local
aaa authentication login Console local
aaa authorization exec default group tacacs+ local
aaa authorization exec Console local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common
clock timezone GMT 0
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ims.att.com
ip name-server 12.127.16.67
ip name-server 12.127.16.68
multilink bundle-name authenticated
!
!
!
!
username YYYY password 7 ZZZZ
username AAAA password 7 BBBB
archive
 log config
  hidekeys
!
!
ip tftp source-interface Serial0/0/0
ip ssh time-out 60
ip ssh version 2
!
!
!
interface FastEthernet0/0
 description connection to customer LAN
 ip address 12.157.149.137 255.255.255.248
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description connection to SNDGCA0231W GAR3 (Ckt.ID - DHEC.287341)
 bandwidth 1536
 ip address 12.87.212.106 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip mroute-cache
 shutdown
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl both
 no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip tacacs source-interface Serial0/0/0
!
logging source-interface Serial0/0/0
access-list 90 permit 12.38.168.0 0.0.3.255
access-list 90 permit 135.89.154.144 0.0.0.7
access-list 90 permit 135.89.152.48 0.0.0.7
access-list 95 permit 12.38.168.0 0.0.3.255
access-list 95 permit 135.89.154.144 0.0.0.7
access-list 95 permit 135.89.152.48 0.0.0.7
access-list 96 deny any
access-list 101 permit ip 135.89.154.144 0.0.0.7 any
access-list 101 permit ip 135.89.152.48 0.0.0.7 any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip 12.157.149.136 0.0.0.7 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 permit ip 12.38.168.0 0.0.3.255 any
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 permit ip any any
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 deny pim any any
access-list 103 permit ip any any
access-list 199 permit ip 135.89.154.144 0.0.0.7 any
access-list 199 permit ip 135.89.152.48 0.0.0.7 any
access-list 199 permit ip 12.38.168.0 0.0.3.255 any
access-list 199 permit ip 12.0.102.0 0.0.0.255 any
access-list 199 permit ip 12.3.170.0 0.0.0.255 any
access-list 199 permit ip 12.0.232.0 0.0.0.255 any
snmp-server community MMMM
snmp-server community LLLL=fqjZ RO 90
snmp-server trap-source Serial0/0/0
snmp-server location ESC_CA
snmp-server contact AT&T BCC, Piscataway, Customer Care Center
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps bgp
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server file-transfer access-group 95 protocol tftp
no cdp run
!
tacacs-server host 12.38.168.110 port 49
tacacs-server host 12.38.168.109 port 49
tacacs-server timeout 10
tacacs-server key 7 KKKK
!
control-plane
!
banner motd ^C
!!!!! WARNING - IOS RELEASE 12.4(15)T6a !!!!!
ANY EXTENDED ACCESS LIST UPDATES WITH COMPLEX COS NEEDS TO BE TREATED AS INTRUSIVE AS THIS CAN CAUSE THE ROUTER TO CRASH.

Three Scenarios that can cause the router to crash:
1) Loading a complex QoS configuration containing an extended access list. This load can be from PAL/ISPA
2) Upon reloading the router with a complex QoS config and an affected extended access-list.
3) Upon removing or re-applying a policy map to an interface. Such a policy map would have to contain a child map which utilizes the affected extended access list.

PLEASE SEE GT3 WIKI WEBSITE FOR SPECIAL INSTRUCTIONS.
»gt3.web.att.com/wiki/index.php/12.4(15)T6a_critical_bug

^C
!
line con 0
 session-timeout 7
 exec-timeout 5 0
 password 7 CCCC
 authorization exec Console
 login authentication Console
line aux 0
 session-timeout 7
 access-class 199 in
 no exec-banner
 exec-timeout 5 0
 password 7 DDDD
 authorization exec Console
 login authentication Console
line vty 0 4
 session-timeout 7
 access-class 199 in
 exec-timeout 5 0
 password 7 EEEE
 login authentication FFFF
 transport input ssh
line vty 5 15
 session-timeout 7
 access-class 199 in
 exec-timeout 5 0
 password 7 GGGG
 login authentication HHHH
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178328
ntp source Serial0/0/0
ntp server 135.89.154.147 prefer
ntp server 135.89.152.51
ntp server 135.89.152.52
ntp server 135.89.154.148
ntp server 12.38.168.18
end |
|
 | reply to daveinpoway Live and learn, daveinpoway, live and learn.
From the config, looks like you got an old AT&T router, too bad there's nothing juicy from the configs, other than the passwords. If you wanted to completely factory-reset this thing, you could do a 'erase start' followed by a 'reload'. That'd start you off completely clean.
Type 7 passwords you can decrypt easily enough with the link I gave you. Type 5s are another matter as they are encrypted with an MD5 hash, so forget trying to decrypt them.
SDM and CCP are most definitely NOT included on a router by default. You have to download it onto the router's flash memory. Just do a 'show flash' from the CLI and put up the output, but considering this was a telco router, I suspect everything was locked down pretty tight.
You may also want to start perusing the FAQ for some basic IOS CLI operands, least till you can load SDM or CCP. Like I said, if you've done any sort of CLI, it's not impossible to do, the trick is learning the command set. If not, '?' is your friend. Happy learning!
Regards |
|
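Added example, not part of any post in this thread and not Cisco or forum tooling: a small Python pass to run over a saved `show configuration` capture before posting it or passing the router on. It masks the credential fields that appear in the config above and reports how each one is stored; the sample config, its values, and the names `Finding`, `RULES` and `audit_and_redact` are constructed for illustration.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    action: str


# Each rule: a pattern whose group 1 is the value to mask, a label, and the
# follow-up for the device owner. Only forms seen in the thread's config are
# covered; other IOS secret types would need their own rules (assumption).
RULES = [
    (re.compile(r"\b(?:password|key) 7 (\S+)"), "type7",
     "reversible obfuscation; treat as cleartext and rotate wherever reused"),
    (re.compile(r"\bsecret 5 (\S+)"), "type5",
     "salted MD5 hash; not reversible but open to offline guessing, rotate"),
    (re.compile(r"^\s*snmp-server community (\S+)"), "snmp-community",
     "stored in cleartext; rotate on every device that shares it"),
    (re.compile(r"^\s*username (\S+)"), "username",
     "account name; reveals the operator's naming scheme"),
]


def audit_and_redact(config: str):
    """Return (redacted_config, findings) for an IOS config capture."""
    findings, out = [], []
    for line_no, line in enumerate(config.splitlines(), 1):
        for pattern, kind, action in RULES:
            m = pattern.search(line)
            if m:
                # Mask only the secret itself so the command stays readable.
                line = line[:m.start(1)] + "<removed>" + line[m.end(1):]
                findings.append(Finding(line_no, kind, action))
        out.append(line)
    return "\n".join(out), findings


# Constructed sample: none of these values come from a real device.
SAMPLE = """\
hostname lab-rtr
service password-encryption
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE000
username netops password 7 0000AAAA1111
snmp-server community examplecomm RO 90
tacacs-server key 7 0000AAAA1111
line con 0
 password 7 0000AAAA1111
 login authentication Console
"""

if __name__ == "__main__":
    redacted, findings = audit_and_redact(SAMPLE)
    print(redacted)
    for f in findings:
        print(f"line {f.line_no}: {f.kind}: {f.action}")
```

Masking covers what gets published; the credentials themselves are still on the device until they are rotated or the startup config is erased.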
 | How close are the 1841 commands to those of the PIX and ASA series? The Firewall Builder program (»www.fwbuilder.org/) can create PIX and ASA configuration files, but I don't know if these will load into the 1841.
I recall reading somewhere (can't remember where right now) that "later" routers (such as the 1800 series) shipped with SDM installed. Perhaps I am wrong. I will check the flash memory contents when I find the time.
One article I read indicated that it might be necessary to load in an SDM-compatible version of the firmware. This would be a problem for me, as I do not have any support contract on this router, and I won't consider buying one until I have played around for a while and made up my mind that I am going to keep the router. |
|
 | The commands are different.
That being said, if you need a default config, let me know, and I'll whip one up for you. Just let me know what you want to do. (NAT, DHCP...etc). |
|
 | reply to HELLFIRE The "Show flash" command tells me that the flash contains:
c1841-ipbase9-mz.124.15.T6a.bin
sdmconfig-18xx.cfg
es.tar
common.tar
home.shtml
home.tar
So, it appears that sdm is stored in the flash. I'm not quite sure how to access it, however; need to do some research. |
|
 | reply to daveinpoway What are the filesizes of those files? That actually looks like the config generated by SDM, not SDM itself, which should be a TAR file. You may want to see here »www.cisco.com/en/US/products/sw/···727.html
If you insist on pursuing SDM, by all means daveinpoway. You can also check the forum FAQ or ask us for help.
Regards |
|
 | reply to daveinpoway To access SDM from the router you will need to enable the http server on the router. Point your browser to the IP address on the Ethernet interface and you should get a login.
If you install the SDM software on your pc, then you can run it locally to access the router regardless of whether or not SDM is installed on the router.
Check out the new Cisco Configuration Professional software. It's the replacement for SDM which is starting to get a little long in the tooth. |
|
 | CCP may be out of the question for me, as they specify at least a 2 GHz CPU; the ancient Dell laptop I have only has about a 1 GHz CPU. Plus, I would like to be able to access the graphical configuration on my Mac in everyday use; so far as I know, CCP only runs on Windows.
Apparently, there is a CCP Express that will install onto the router, but I haven't read much about it.
I have downloaded the 2.5 version of SDM onto the laptop (which runs Windows XP Pro, SP3), but haven't installed it into the router, since the router isn't configured yet.
I assume that installing the new version of SDM onto the router will overwrite the files that are on there now. If not, I will have to manually delete the old files. |
|