
Nano_Magnus

join:2011-10-19

Help configuring a CISCO 1921

Hi, I need to configure a Router Cisco1921 so I need some help with it.
Description:
1.- I have a public IP x.x.x.70

2.- My ISP provides a ZXDSL 831 Series for connecting to the internet, with gateway x.x.x.69

3.- I have an internal DNS server forwarding to the ISP DNS (I already tested with an ISA server and it's forwarding OK), IP 10.133.0.1

4.- Router Cisco1921 with two ethernet Interfaces g0/0 10.133.0.6 LAN and g0/1 x.x.x.70 WAN

It's my first time working with Cisco and my first goal is to allow internet on my LAN.
After that I will continue with server publishing and VPN.

And sorry for my poor English...

Here is my running conf:

Building configuration...

Current configuration : 3931 bytes
!
! Last configuration change at 14:35:52 Caracas Wed Oct 19 2011 by ******
! NVRAM config last updated at 14:39:48 Caracas Wed Oct 19 2011 by ******
! NVRAM config last updated at 14:39:48 Caracas Wed Oct 19 2011 by *****
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router01
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 ************.
enable password ******
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
clock timezone Caracas -4 0
!
no ipv6 cef
ip source-route
no ip routing
no ip cef
!
!
!
!
!
ip domain name dominio.local
ip name-server 10.133.0.1
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-375522388
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-375522388
revocation-check none
rsakeypair TP-self-signed-375522388
!
!
crypto pki certificate chain TP-self-signed-375522388
certificate self-signed 01
x
x
x
quit
license udi pid CISCO1921/K9 sn FTX1532821Z
!
!
username ------ privilege 15 secret 5 ************
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip route-cache
shutdown
no cdp enable
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 10.133.0.6 255.255.0.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address x.x.x.70 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
!
ip default-gateway x.x.x.60
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.133.0.15 80 interface GigabitEthernet0/1 80
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.133.0.0 0.0.255.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.133.0.0 0.0.255.255
!
no cdp run
!
snmp-server community public RO
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ****
login
transport input all
!
scheduler allocate 20000 1000
end

Thanks

elnino

join:2006-08-27
Akron, OH
This line is causing all your problems: 'no ip routing'. You need to enable IP routing so the router can do its job. To enable it, use the command 'ip routing' from the config terminal mode. Also, 'no ip cef' is generally something that shouldn't be disabled in your router config, so enable that with the command 'ip cef'.

One more thing, I would remove 'ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1' and replace it with 'ip route 0.0.0.0 0.0.0.0 x.x.x.69' (your Internet gateway). This will save a lot of overhead that your 1921 router would have to do.

Nano_Magnus

join:2011-10-19
Thanks a lot, I will try it later, after reading your answer it looks SO simple

The next step is to implement a site to site VPN, and I'm reading an article about it and I would start to test IPSec tomorrow.

Thanks again

aryoba
Premium,MVM
join:2002-08-22
kudos:6
reply to Nano_Magnus
Don't forget to remove the 'ip default-gateway' command to avoid routing issues.
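
The fixes given in the replies above (enable routing and CEF, default route via the gateway address, drop 'ip default-gateway'), written as a check over the posted running-config. This is an example added here, not code from any poster; the rule names and the audit function are made up for it, and the rules marked "added" go beyond the thread to flag management-plane lines that also appear in the posted config.

```python
import re

# Constructed sample: selected lines from the running-config posted above,
# flattened (no indentation) as in the post, addresses still masked.
SAMPLE_CONFIG = """\
enable password ******
no ip routing
no ip cef
ip default-gateway x.x.x.60
ip http server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
snmp-server community public RO
line 2
transport input all
line vty 0 4
transport input all
"""

# (rule id, origin, pattern, advice). origin "thread" = fix given in the replies;
# origin "added" = management-plane check added here, not raised in the thread.
RULES = [
    ("no-ip-routing", "thread", r"no ip routing$", "run 'ip routing'"),
    ("no-ip-cef", "thread", r"no ip cef$", "run 'ip cef'"),
    ("default-route-via-interface", "thread",
     r"ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z][A-Za-z-]+\d[\d/.:]*$",
     "point the default route at the ISP gateway address"),
    ("ip-default-gateway", "thread", r"ip default-gateway \S+$",
     "remove it; it is only used while IP routing is off"),
    ("snmp-community-public", "added", r"snmp-server community public\b",
     "replace the default community string or disable SNMP"),
    ("http-server", "added", r"ip http server$", "keep only 'ip http secure-server'"),
    ("enable-password", "added", r"enable password ", "remove it; keep 'enable secret'"),
]

def audit(config_text):
    """Return (rule id, origin, advice) for each flagged line of an IOS config."""
    findings, line_section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            line_section = line  # remember which terminal line we are under
        for rule_id, origin, pattern, advice in RULES:
            if re.match(pattern, line):
                findings.append((rule_id, origin, advice))
        # 'transport input all' also permits Telnet; only flag it on vty lines.
        if line == "transport input all" and line_section.startswith("line vty"):
            findings.append(("vty-transport-all", "added", "use 'transport input ssh'"))
    return findings
```
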

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to Nano_Magnus
15.1 and 'no ip routing' STILL shows up in the default config?!

:insert facepalm moment:

Regards


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Sad isn't it? I wonder if they've finally changed the default for EIGRP to no auto-summary.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by sk1939:

Sad isn't it? I wonder if they've finally changed the default for EIGRP to no auto-summary.

to steal a line from nosx (because we all know i'm a tool and very unimaginative)

you need to enable the following features/services on your router


q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Uh huh...is that supposed to be an insult or a joke of some kind?


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by sk1939:

Uh huh...is that supposed to be an insult or a joke of some kind?

only towards cisco and how broken some of their stuff is out of the box with monolithic (proxy-arp, routing, auto-summary, etc).

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Well yeah, for the price they charge you would think they would error check/revise default startup config more than every 10 years. I'm curious about the 1921 though, mostly by how it measures up to the 1941 and 1811 (besides the gig interfaces/HWIC).

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to tubbynet
said by tubbynet:

you need to enable the following features/services on your router

Doesn't everything in IT need that enabled? Thanks for the smile of the day tubbynet

Regards


OVERKILL

join:2010-04-05
Peterborough, ON
reply to sk1939
said by sk1939:

Well yeah, for the price they charge you would think they would error check/revise default startup config more than every 10 years. I'm curious about the 1921 though, mostly by how it measures up to the 1941 and 1811 (besides the gig interfaces/HWIC).

One just magically appeared on my desk this morning, so I may have the ability to do some testing. We'll see what time is like.

HELLFIRE
Premium
join:2009-11-25
kudos:20
A sanitized 'show tech' and a couple hours of iperf test results would be MOST welcome OVERKILL

Keep us posted!

Regards


OVERKILL

join:2010-04-05
Peterborough, ON
said by HELLFIRE:

A sanitized 'show tech' and a couple hours of iperf test results would be MOST welcome OVERKILL

Keep us posted!

Regards

Any particular part of "show tech" that you want to see? It is HUGE......


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
POWER CONSTANT AND MAX_POWER DETAILS, show inventory, and ResourceMaximum LimitAvailable

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to OVERKILL
Everything if possible, minus the company-sensitive and device-unique stuff

Regards


OVERKILL

join:2010-04-05
Peterborough, ON
said by HELLFIRE:

Everything if possible, minus the company-sensitive and device-unique stuff

Regards

But it is massive, LOL

Here's some info from it:










OVERKILL

join:2010-04-05
Peterborough, ON
reply to Nano_Magnus
And some more:



sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Interesting to see how little juice it uses compared to the 3925/45.


OVERKILL

join:2010-04-05
Peterborough, ON
reply to Nano_Magnus
And of course to top it all off, this router is giving me issues trying to get a functional Easy VPN server..... Something that works fine on a pile of 800-series routers I have in service..... with very similar configs!!!

GRRRRRRRRRRRRR

HELLFIRE
Premium
join:2009-11-25
kudos:20
So other than Cavium, they STILL don't tell you exactly what CPU is used on it *sighs*
Any word on what it does with services configured?

TAC unable to help you with EasyVPN? Best of luck on the configs OVERKILL.

Regards


OVERKILL

join:2010-04-05
Peterborough, ON
said by HELLFIRE:

So other than Cavium, they STILL don't tell you exactly what CPU is used on it *sighs*
Any word on what it does with services configured?

TAC unable to help you with EasyVPN? Best of luck on the configs OVERKILL.

Regards

No, haven't had a chance. Getting the VPN working is imperative, so that has been my focus. I'm working with TAC on it now.

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Thanks for the help, now I'm trying to test VPN but I can't enable the evaluation licenses (securityk9 and datak9)

I'm still searching information about installing licenses and using evaluation licenses, but I need a little orientation about how licenses work, and what licenses or IOS are needed for VPN site to site with IPSEC.

P.S. Sorry for my English


OVERKILL

join:2010-04-05
Peterborough, ON
said by Nano_Magnus:

Thanks for the help, now I'm trying to test VPN but I can't enable the evaluation licenses (securityk9 and datak9)

I'm still searching information about installing licenses and using evaluation licenses, but I need a little orientation about how licenses work, and what licenses or IOS are needed for VPN site to site with IPSEC.

P.S. Sorry for my English

CCP has a license manager feature IIRC. I may be wrong though, LOL

I've been pretty happy with the VPN performance of this router. Running 3x site-to-sites as well as an Easy VPN server on it.

bigsy

join:2001-07-18
ireland
kudos:1
reply to Nano_Magnus
said by Nano_Magnus:

Thanks for the help, now I'm trying to test VPN but I can't enable the evaluation licenses (securityk9 and datak9)

I'm still searching information about installing licenses and using evaluation licenses, but I need a little orientation about how licenses work, and what licenses or IOS are needed for VPN site to site with IPSEC.

There's a useful link to ISR G2 licensing at »www.cisco.com/en/US/prod/collate ··· 985.html.

You download a temporary license by following the 'if you do not have a PAK, please click here for Demo and Evaluation licenses' link at »www.cisco.com/go/license. At this link you'll find a list of ISR G2 temporary licenses. To download one you need both the product ID (e.g. 'CISCO1921/K9') and serial no.

You'll need to have created a Cisco login ID in order to do the above.

Once the license is on your ISR (or tftp server etc.), install it using:

license install xxxxx.lic

For example:


Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Ok, I need to upgrade my IOS, and I need to have a contract to be able to download upgrades, but I'm not sure about what I need.

I found a smartnet extended service, here is a link: »www.softchoice.com/catalog/en-us ··· C-HR7354

I need to config a site to site vpn, do I need to find something else? or I'm ok with that service?

Thanks

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
mmm now I found that I don't need a contract service to download the upgrade, I only need to buy the license Cisco L-SL-19-SEC-K9= Cisco IOS Security License.

I suppose that I only need the license to configure the VPN, am I right?


OVERKILL

join:2010-04-05
Peterborough, ON
said by Nano_Magnus:

mmm now I found that I don't need a contract service to download the upgrade, I only need to buy the license Cisco L-SL-19-SEC-K9= Cisco IOS Security License.

I suppose that I only need the license to configure the VPN, am I right?

Yes, you need the sec license.

SmartNet is also cheap and will let you get the OS updates.

bigsy

join:2001-07-18
ireland
kudos:1
reply to Nano_Magnus
said by Nano_Magnus:

I suppose that I only need the license to configure the VPN, am I right?

Why don't you install the temporary sec license? That will give you 60 days to play with the features, configure the VPN and confirm that it does everything you need before you pay for the license upgrade.

Also, as OVERKILL states, SMARTnet doesn't cost much (especially relative to the sec license you're looking at). It will also give you access to the various Cisco VPN clients in addition to IOS upgrades.


OVERKILL

join:2010-04-05
Peterborough, ON
said by bigsy:

said by Nano_Magnus:

I suppose that I only need the license to configure the VPN, am I right?

Why don't you install the temporary sec license? That will give you 60 days to play with the features, configure the VPN and confirm that it does everything you need before you pay for the license upgrade.

Also, as OVERKILL states, SMARTnet doesn't cost much (especially relative to the sec license you're looking at). It will also give you access to the various Cisco VPN clients in addition to IOS upgrades.

I have to say, buying the device with the sec license to begin with would have been a less expensive choice.