Cisco Tip of the day – How to move ssh traffic to a different port

If you know anything about Linux, you know ssh is a necessity. The same goes for routers if you do not want everything you do passed in cleartext across the net. The problem is that a lot of people use a Cisco router as their firewall with NAT enabled, so when you try to ssh to your Linux box from work (or elsewhere) on port 22, the connection hits the router instead. So you have two options:

  • Configure PAT so you move your ssh traffic to a different public port, say 2222, and it will redirect it to port 22 on the inside of your network.
  • Configure a rotary group and move the router’s ssh port to a different port, say 2222.

This post will cover the latter.

It is a pretty simple config, but it takes a while to find on Cisco’s web site due to the amount of information they have there. It is two lines total:

ip ssh port 2222 rotary 1

This line moves the ssh service to port 2222 and makes it part of rotary group 1. A rotary group allows you to define attributes, services and features of the lines that reference the group. In this case, any line that is part of rotary group 1 will have ssh on port 2222.

line vty 0 4
rotary 1

This set of commands places vty lines 0 through 4 in rotary group 1. So these vtys will take on all the features you have configured for that group. In this case, ssh has been moved to port 2222 on vty lines 0 through 4.
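The two commands above are only useful if the vty lines you expect to serve ssh really are members of the rotary group. The following is an added example, not from the original post, that parses a constructed IOS config and reports which ssh port each vty line ends up on; vty lines in no rotary group are reported on the default port 22.

```python
import re

# Constructed sample config (not from the post). It contains the post's two commands
# plus a second vty range that was never added to the rotary group.
SAMPLE_CONFIG = """\
hostname RouterA
ip ssh port 2222 rotary 1
!
line vty 0 4
 rotary 1
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

SSH_ROTARY_RE = re.compile(r"^ip ssh port (\d+) rotary (\d+)")
LINE_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?")
ROTARY_RE = re.compile(r"^\s*rotary (\d+)")


def ssh_port_by_vty(config: str) -> dict:
    """Map each vty line number to the ssh port its rotary group is bound to.
    A vty that belongs to no rotary group (or to a group with no 'ip ssh port'
    binding) is reported on the default port 22."""
    rotary_ports = {}   # rotary group number -> ssh port bound to it
    vty_rotary = {}     # vty line number -> rotary group (None if not a member)
    current = []        # vty numbers of the 'line vty' block being parsed
    for raw in config.splitlines():
        m = SSH_ROTARY_RE.match(raw)
        if m:
            rotary_ports[int(m.group(2))] = int(m.group(1))
            continue
        m = LINE_VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            current = list(range(first, last + 1))
            for vty in current:
                vty_rotary.setdefault(vty, None)
            continue
        m = ROTARY_RE.match(raw)
        if m and current:
            for vty in current:
                vty_rotary[vty] = int(m.group(1))
            continue
        if raw and not raw[0].isspace():
            current = []    # any other top-level command ends the line block
    return {vty: rotary_ports.get(group, 22) for vty, group in vty_rotary.items()}
```

Run it on your own "show running-config" output to confirm the rotary membership covers every vty you intend to reach on 2222.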

And that is it.

Cisco tip of the day – Useful SNMP strings for cisco devices

Here are some useful SNMP OIDs for Cisco devices. I have used these to graph this information in Cacti.

Cisco Pix:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.5.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1


Cisco Router:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
Old MIB CPU:
5 Minute: 1.3.6.1.4.1.9.2.1.58.0
1 Minute: 1.3.6.1.4.1.9.2.1.57.0
5 Second: 1.3.6.1.4.1.9.2.1.56.0
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1


Cisco Switch:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
Old MIB CPU:
5 Minute: 1.3.6.1.4.1.9.2.1.58.0
1 Minute: 1.3.6.1.4.1.9.2.1.57.0
5 Second: 1.3.6.1.4.1.9.2.1.56.0
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1

Cisco tip of the Day

A guide to getting a Cisco PIX 501 online with PPPoE, dynamic and static PAT. With these commands, you should be able to get online with DSL and PAT.

Basic config
I. Nat-Pat config

These two commands specify the IP translation between the inside and outside interfaces. The two commands are part of the same NAT mapping; in this instance it is mapping 1. The “nat (inside)” command translates any traffic it matches onto the “global (outside)” address. The global address is “interface”, which means whatever address the outside interface happens to have at the time (in case the address changes due to PPPoE or DHCP).

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

II. PPPoE Config

This command tells your outside interface to use PPPoE and to set the default route automatically.

ip address outside pppoe setroute

This set of commands configures your method of authentication and specifies your credentials.

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname username@domain.net
vpdn group pppoe_group ppp authentication pap
vpdn username username@domain.net password *********

III. Names

Names are easy; you can figure them out. I will be using names in the following sections. They are case sensitive.

name 192.168.0.2 Main_Workstation
name 209.11.0.1 Work
name 192.168.0.4 Laptop
name 192.168.0.6 Linux_box
name 209.11.0.2 work_vpn

Advanced config
IV. Static NAT statements (port forwarding)

This command takes any traffic that hits 209.11.17.23:24899 and forwards it to Main_Workstation:4899.

static (inside,outside) tcp 209.11.17.23 24899 Main_Workstation 4899 netmask 255.255.255.255 0 0

V. Access lists

This access-list named “outside_access_in” allows any TCP traffic to connect to host 209.11.17.23 on port 24900 and logs it at syslog level 4.

access-list outside_access_in permit tcp any host 209.11.17.23 eq 24900 log 4

The same access-list “outside_access_in” allows any connection from Work to my home network via port 22. (ssh access)

access-list outside_access_in permit tcp Work 255.255.255.240 any eq 22 log 4
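A static port forward only passes traffic once the inbound access-list on the outside interface permits it, so the static and access-list sections above need to agree. Note that as written, the static forwards public port 24899 while the access-list permits 24900. The following is an added example, not from the original post, that parses the post's own name, static and access-list lines and reports forwards without a permit and host permits without a forward.

```python
# Constructed sample built from the post's own lines (the static forwards
# public port 24899, the access-list permits 24900, so they do not match).
PIX_CONFIG = """\
name 192.168.0.2 Main_Workstation
name 209.11.0.1 Work
static (inside,outside) tcp 209.11.17.23 24899 Main_Workstation 4899 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 209.11.17.23 eq 24900 log 4
access-list outside_access_in permit tcp Work 255.255.255.240 any eq 22 log 4
"""


def _addr(t, i):
    """Consume one PIX address spec (any | host X | X MASK) starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_pix(config):
    """Return (statics, permits): statics as (proto, global_ip, global_port),
    permits as (proto, src, dst, port or None) from 'access-list ... permit' lines."""
    statics, permits = [], []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (inside,outside) PROTO GLOBAL_IP GLOBAL_PORT LOCAL LOCAL_PORT ...
            statics.append((t[2], t[3], int(t[4])))
        elif len(t) > 5 and t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            permits.append((t[3], src, dst, port))
    return statics, permits


def cross_check(config):
    """Pair every static port forward with an inbound permit and vice versa.
    Returns (forwards_without_permit, host_permits_without_forward)."""
    statics, permits = parse_pix(config)
    no_permit = [s for s in statics
                 if not any(p[0] == s[0] and p[2] in ("any", s[1]) and p[3] in (None, s[2])
                            for p in permits)]
    # Permits to 'any' destination cannot be tied to one static, so they are skipped here.
    no_forward = [(p[0], p[2], p[3]) for p in permits
                  if p[2] != "any" and p[3] is not None
                  and (p[0], p[2], p[3]) not in statics]
    return no_permit, no_forward
```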

Cisco Tip of the day

How to configure a Cisco Soho91/800/1700 for use with PPPoE.

There are four steps to get a Cisco up as a PPPoE client for DSL.

A. Turn on VPDN and specify a vpdn group
This set of commands turns on VPDN, creates a vpdn group named “pppoe”, and specifies that it dials in using the PPPoE protocol. You can only have one vpdn group that uses PPPoE.

B. Configure a physical interface
This set of commands tells the interface to enable PPPoE functionality and take on the client behavior of the dial pool it is assigned to.

C. Configure a dialer interface and associate it with a physical interface.
This set of commands creates the dialer1 interface and then specifies how it will behave.

D. Define your default gateway
This command takes all traffic that does not have a known route and directs it to the dialer 1 interface, regardless of the IP address that is assigned to that interface.

A. Turn on VPDN and specify a vpdn group
RouterA#config t
RouterA(config)#vpdn enable
RouterA(config)#vpdn-group 1
RouterA(config-vpdn)#request-dialin
RouterA(config-vpdn-req-in)#protocol pppoe
^Z

B. Configure a physical interface
RouterA#config t
RouterA(config)#int fastethernet 0
RouterA(config-if)#no ip address
RouterA(config-if)#pppoe enable
RouterA(config-if)#pppoe-client dial-pool-number 1
RouterA(config-if)#no shutdown
^Z

C. Configure a dialer interface and associate it with a physical interface.
RouterA#config t
RouterA(config)#int dialer 1
RouterA(config-if)#ip address negotiated
RouterA(config-if)#encapsulation ppp
RouterA(config-if)#dialer pool 1
RouterA(config-if)#ppp authentication pap callin
RouterA(config-if)#ppp pap sent-username [username] password [password]
^Z

D. Define your default gateway
RouterA(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
^Z
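The four steps are tied together by the pool number: the physical interface's dial-pool-number, the dialer interface's dialer pool, and the default route's dialer interface all have to refer to each other. The following is an added example, not from the original post, that checks those links in a constructed running-config where the default route deliberately points at the wrong dialer.

```python
import re

# Constructed sample mirroring the post's four steps as they appear in a running-config
# (prompts stripped, placeholder credentials). The route points at Dialer2 on purpose.
PPPOE_CONFIG = """\
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface FastEthernet0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username USERNAME password PASSWORD
!
ip route 0.0.0.0 0.0.0.0 Dialer2
"""


def check_pppoe_client(config):
    """Return a list of problems found in the four-step PPPoE client setup."""
    problems = []
    if not re.search(r"^vpdn enable$", config, re.M):
        problems.append("vpdn not enabled")
    if not re.search(r"^\s*protocol pppoe$", config, re.M):
        problems.append("no vpdn-group requesting PPPoE")
    # Step B: dial pools served by a physical interface running the PPPoE client.
    pools = {int(n) for n in re.findall(r"^\s*pppoe-client dial-pool-number (\d+)", config, re.M)}
    if not pools:
        problems.append("no physical interface has pppoe-client dial-pool-number")
    # Step C: each dialer interface and the pool it draws from.
    dialers = {}
    for m in re.finditer(r"^interface Dialer(\d+)\n((?:[ \t]+.*\n)*)", config, re.M):
        pool = re.search(r"^\s*dialer pool (\d+)", m.group(2), re.M)
        dialers[int(m.group(1))] = int(pool.group(1)) if pool else None
    for num, pool in dialers.items():
        if pool not in pools:
            problems.append(f"Dialer{num} uses dialer pool {pool}, which no interface serves")
    # Step D: the default route must name a dialer that exists.
    route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 [Dd]ialer ?(\d+)", config, re.M)
    if not route:
        problems.append("no default route")
    elif int(route.group(1)) not in dialers:
        problems.append(f"default route points at Dialer{route.group(1)}, which is not configured")
    return problems
```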

And then you should be online.

Cisco Tip of the day

In config mode you can run non-config (exec) commands by prepending “do” to the command you want to run.

RouterA(config)#sh ver
^
% Invalid input detected at '^' marker.

RouterA(config)#do sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.3(15), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport

As elegant as Instant Oatmeal.