Cisco 2821 config questions... this should be fun.

So we have 2 circuits one is a primary from XO, the other is from a tier 2 provider (basically a T1) We use a BGP session for starters.

What we are wanting to do is take a selection of production systems and run them on the backup network only. Both cisco devises are matched identical. Well we tries to clone the config of device one that has been in production for a LONG time. That didn't work. Symptoms are as follows on device 2

We can reach internet from the router we can ping and route to internet, from the inside interface we are dead in the water, the IPs are routable addresses not using private addresses for this secession. Being the awesome that ATS is with out wide range of people I am sure we have a guru here that can nudge me in the right direction!

Thanks in advance!

Going to need more info here ;-)

So you can ping any public IP address from the Cisco (Device 2)? Can you ping any internal IP addresses from the Cisco (device 2)? do you have a network switch siting on the LAN side of Device 2?

Is the LAN IP address of the 'Cloned' Cisco the same as the production Cisco? If so this would cause issues and need to be different...

originally posted by: ksarge1
Going to need more info here ;-)

So you can ping any public IP address from the Cisco (Device 2)? Can you ping any internal IP addresses from the Cisco (device 2)? do you have a network switch siting on the LAN side of Device 2?

Is the LAN IP address of the 'Cloned' Cisco the same as the production Cisco? If so this would cause issues and need to be different...

Reply on more info...

Part one, yes we can ping public
Part two, no we can not ping internal ips but the interface is active
Part three, no switch we have a pc(laptop) connected directly to device 2
Part four, no the ip of device 2 is not the same as device 1, one is x.x.x.1 (device 1) one is x.x.x.15 (device 2)

We can shell from the laptop to device 2

a reply to: sycomix

Ok we made a changed the IP into a private IP, turned on NAT and then we can get out, but we want to be able to make this work without NAT... hmm

We would like to be able to use a routable IP and not a private IP

a reply to: ksarge1

This is the config...


"zeus2#sho startup-config
Using 3096 out of 245752 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname zeus2
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-24.t1.bin
boot system flash:c2800nm-advipservicesk9-mz.124-8.bin
boot-end-marker
!
logging buffered 4096 notifications
no logging console
no logging monitor
enable secret 5 [SNIP]
!
no aaa new-model
clock timezone CST 5
clock summer-time CST recurring
no ip source-route
no ip icmp rate-limit unreachable
!
!
ip cef table adjacency-prefix validate
ip cef
!
!
no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2498966342
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2498966342
revocation-check none
rsakeypair TP-self-signed-2498966342
!
!
crypto pki certificate chain TP-self-signed-2498966342
certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
username [SNIP] privilege 15 password 7 [SNIP]
username [SNIP] privilege 3 password 7 [SNIP]
username [SNIP] privilege 15 secret 5 [SNIP]
archive
log config
hidekeys
!
!
!
class-map match-any ALL-TRAFFIC
match any
class-map match-any primary-business-critical
match protocol http
match protocol telnet
match protocol ipsec
match protocol sqlserver
match protocol ip
match protocol l2tp
match protocol xwindows
match protocol arp
match protocol cdp
match protocol rip
match protocol sqlnet
match protocol secure-http
match protocol secure-telnet
!
!
!
!
!
!
interface GigabitEthernet0/0
description #### Connection to port 3 on Gotham ####
ip address x.x.x.15 255.255.255.0
ip nat inside
ip nat allow-static-host
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description Backup T1 to PAETEC
ip address x.x.x.122 255.255.255.252
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no fair-queue
no cdp enable
!
router rip
version 2
network x.x.x.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Serial0/0/0 overload
!
access-list 100 permit ip any host x.x.x.233
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 100 deny ip 192.168.90.0 0.0.0.255 any
access-list 100 permit ip any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CCCCc Unauthorized access to this equipment is punishable by local, national and international laws. Illegal access to this system will be punished to the full extent of these laws. ^C
!
line con 0
line aux 0
line vty 0 4
access-class 20 in
privilege level 15
password 7 [SNIP]
login local
transport input telnet ssh
line vty 5 15
privilege level 15
no login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

--
"

don't know if its still true as been a while since i messed with cisco kit but don't leave the password/secret hashes in the public domain.

And as to say we don't know your IP so its safe, i'd say that a bit of time with shodan and its possible to find the kit

that is unless you have just facepalmed the keyboard for the password hashes

a reply to: Maxatoria

Those are credentials that are not for production, they will change later, need it to work in testing first. Nice catch though!

a reply to: sycomix

have sent a message to the mods to perhaps edit it a bit just incase and reuse of passwords can catch people out so better safe than sorry especially in 6-8 months time and you forget all about this thread

I believe that the addresses on the internal interfaces need to be not only different IP addresses between the 2 routers, but also different subnetworks.

You can configure that by changing the netmasks.

-dex