Find the answer to your Linux question:
Results 1 to 7 of 7
Here is the deal. My friend wants me to do some work on his ISP. (The ISP is all Run on RED HAT) He has Cisco 2600 routers. I don't ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058

    Cisco Routers.


    Here is the deal. My friend wants me to do some work on his ISP. (The ISP is all Run on RED HAT) He has Cisco 2600 routers. I don't have any idea about Cisco Routers, but I want to punch my static IP in the table so I can Admin the ISP from my home. Does anybody know how to do this. I tried to ask on Cisco Forums and got no response So I was wondering if this is something somebody here might know.

    All I want to do is have the Cisco allow my static IP is there a config file somewhere where I can add my IP or do I have to reconfig the router to do that?
    I know that this isn't a linux question per say but it is for the benefit of a Linux ISP so I am hoping this is OK.

    Thanks,
    Mike
    Some people have told me they don't think a fat penguin really embodies the grace of Linux, which just tells me they have never seen a angry penguin charging at them in excess of 100mph. They'd be a lot more careful about what they say if they had.
    -- Linus Torvalds

  2. #2
    Linux Newbie jeickal's Avatar
    Join Date
    Jan 2005
    Location
    Switzerland
    Posts
    114
    I would probably know how to do this but I'm not sure to get what you want. You say you want to "alllow your static IP", how do you mean that? I'd need to know what is connected with what and from where you wanna go to where. Too bad you can't draw a quick diagram hum?
    Anyway, just to get you started with cisco, there is no config file, when you are logged in the router as "enable" (enable for cisco = root for linux), you need to type "conf t" (for configure from terminal) and then you enter in the configuration mode. Then the "?" will be very usefull as it'll show you all the available command. To see the help of a sub-command, go: "ip ?" will show you all the sub-command of the "Ip" commande. Get it?
    Now if you manage to be a little more specific about what you need to do, I might be able to provide the magic command

  3. #3
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    The isp is running on RED HAT servers behind 3 cisco 2600's (not quite sure about why 3 but there is definitely 3 routers). If I am at work at my home in a different city. I cannot log into the red hat servers because the CISCO don't all my IP to go passed them. I need to allow my IP to get to the RED HAT MACHINES so I don't have to drive to the city where the RED HAT Boxes are located.
    Does that make sense. I need to allow my IP to get passed the CISCOS so I can admin remotely.

    BTW So far your instructions are good - I appreciate any help I can get. Trying to save a dying ISP that is worth saving.
    exp
    I think I am looking for a line that says
    allow through firewall = 63.231.145.21 #ip is fake
    Some people have told me they don't think a fat penguin really embodies the grace of Linux, which just tells me they have never seen a angry penguin charging at them in excess of 100mph. They'd be a lot more careful about what they say if they had.
    -- Linus Torvalds

  4. #4
    Linux Newbie jeickal's Avatar
    Join Date
    Jan 2005
    Location
    Switzerland
    Posts
    114
    OK so basically this is what you're facing:

    home/work PC ==== Internet ==== ISP's 3x 2600 ===== ISP'sRedHat

    Well, that's what I understood. Anyway, OK so there can be several problems. 1st you gotta make sure it ain't no routing issue: Are the redhat a public IP@? I'll assume they are, so when you traceroute them, you go die on the 2600? If you're sure that the 2600 have the correct routing table to forward any request from your source IP to the redhat and backwards, then it is probable that some access-list are configured on the 2600. Not that by default cisco router are not firewall, they let everything go through unless you specify otherwise (one more time if routing config is correct). So check out for access-list. You can do it this way:

    Log in as "enable" and type "show run" (run stands for "running-config" short names work great). this will display the whole config of the box. Now you won't miss'em. Access-list are on the 2nd part of the config (after the interfaces) and looks like:
    Code:
    ip access-list 10 permit ip any any
    Then access-list are applied to an interface, like this:

    Code:
    interface fastethernet 0/0
    ip address 10.0.0.1 255.0.0.0
    ip access-group 10 in
    this mean that the access-list n10 (allow everything in my ex has to be appliy to int fastethernet 0/0 for the inbound traffic. Get it?
    Note that on the interface you have "access-group" not "access-list" you can see it as a group of access-list since you can write several line for a same access-list number.
    So check this out and see if you see an access-list that might be blocking your traffic.
    Sorry to insist on the routing issue, are you confortable with it? Routing can be extreemly tricky, and you must insure you packets are routed to the right direction before spending time checking for access-list. Just a tip.
    Now about the "why 3x 2600". In the networking world, redundancy is not a "nice to have", but it is a MUST have. When the network is down, you loose it all my friend. That might be one good reasons to have 3 routers.

  5. #5
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    Quote Originally Posted by jeickal
    OK so basically this is what you're facing:

    home/work PC ==== Internet ==== ISP's 3x 2600 ===== ISP'sRedHat

    Well, that's what I understood. Anyway, OK so there can be several problems. 1st you gotta make sure it ain't no routing issue: Are the redhat a public IP@? I'll assume they are, so when you traceroute them, you go die on the 2600? If you're sure that the 2600 have the correct routing table to forward any request from your source IP to the redhat and backwards, then it is probable that some access-list are configured on the 2600. Not that by default cisco router are not firewall, they let everything go through unless you specify otherwise (one more time if routing config is correct). So check out for access-list. You can do it this way:
    Correct so far.

    Quote Originally Posted by jeickal
    Log in as "enable" and type "show run" (run stands for "running-config" short names work great). this will display the whole config of the box. Now you won't miss'em. Access-list are on the 2nd part of the config (after the interfaces) and looks like:
    Code:
    ip access-list 10 permit ip any any
    Then access-list are applied to an interface, like this:

    Code:
    interface fastethernet 0/0
    ip address 10.0.0.1 255.0.0.0
    ip access-group 10 in
    Are you saying here is where I put my remote IP (BTW you are correct about the RH machines having live ip's too). I only want to allow 1 ip only and not a class of them. If that is true and I change it here what do I do to save the config and do I have to reboot or restore service? and if so how?

    I really appreciate this I am going to do this tonight so if I screw up a hole city is going to loose its internet and I will have to recover and btw can I save something so if I screw up I can copy it back or do I just not screw up?

    example:
    cp goodconfig goodconfig.good

    One thing to note the linux servers are mail, web, Rad, and DNS. I will tell you I am going be a ccna when all of this is over.


    Thanks again,
    Mike
    Some people have told me they don't think a fat penguin really embodies the grace of Linux, which just tells me they have never seen a angry penguin charging at them in excess of 100mph. They'd be a lot more careful about what they say if they had.
    -- Linus Torvalds

  6. #6
    Linux Newbie jeickal's Avatar
    Join Date
    Jan 2005
    Location
    Switzerland
    Posts
    114
    Yes saving you config is obviously important. I was thinking last night that maybe I should have been a little more carefull telling you all this because on a cisco IOS, command are applied live in production! So there are lots of ways to mess up.
    Here is some basic info you need to know before messing aroung with cisco boxes.
    "show run" will display you the running-config meaning the one being lively used currently in prod.
    "show start" will display the "startup-config" that will be used next time the box reboot.
    If you make any changes, it will go straight in production so it will change the running-config.
    The good point about this is that if you mess up you only have to reboot the box and everthing should be back to normal. Otherwise, you should (almost) never have to reboot a cisco to apply new change of config.
    Whenever you're happy with you new config, you need to copy the running-config to the startup config by typing:
    Code:
    copy run start
    Then you changes stay there after a reboot.
    Now to save your config before touching it. What I would suggest is that you transfer it to a tftp server. You can simply do this:
    Code:
    copy run tftp:
    Then it asks you for the ip address of the tftp and will upload your config as a simple text file. Just be carefully to the syntax, it is "copy source destination*. So if you swap it by mistake and type "copy tftp run" you will over-ride your running-config. This can be handy in some circumpstances. Remember if you mess up, no big deal, just reboot and you'll get your nice untouch startup-config back in production (OK after 2-3 min of downtime, hey what did I say about redundancy? .

    Now this being known, you need to understand why your source IP is being blocked, and where in the router's config it is blocked. If access-list are used in your router and appllied to the interface your IP packet are using to reach the redhat then yes you will have to add your IP in the access-list. I forgot to mention before that at the end of each access-list you have a default line which is "drop any any" (even if you don't see it, it is there). So basically if you see some "permit" line (that do not match you source IP) and then nothing else, it is the default drop line that is causing your trouble. Then you would need to add sth like "permit ip source_IP dest_IP" to this access-list.
    Note that it's a little more complicated (sorry, but net admin is a job...)
    You have 2 sort of acces-list: the standard ones and the extended ones.
    The standard ones are only IP@ based. They have acces-list number from 1-99
    The extended ones (number higher than 100) are IP + layer 4 protocol (TCP/UDP, etc...) based. So you can allow an IP to reach the mail server while not letting it try to hack any other services this server is providing.
    You need to know this even if you wantn to allow any protocol from your PC's IP because you will have to add some more "any" to the command for the source and dest tcp port number.
    Try already to locate which access-list you will have to modify and if it's a standard one or extended. And also get a tftp server running and backup your config file. You can get a tftp server from www.rpmfind.net. Look up for a package called tftp-server. But I can hardly imaging a provider running a production network without already having one... Then feed me up with some more info about the sort of access-list you have and I'll try to be a little more specific about the command you'll have to type.
    Becoming a CCNA will sure help. And it's not hard. Me, I'm nothing I don't believe in certification where you have to learn a bunch of useless thing (and pay ALOT for that) just to pass a F... exam. I'd rather know the stuff rather than show off with a paper. But I'm lucky enough not to have an employer not asking for it And CCNA is basic stuff. If you can at least take the class it'll sure help, now the exam is up to you. But if don't absolutely need it, I don't think you need to make cisco any richer...

  7. #7
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    Thank you for your time and energy. I really really appreciate it. When I arrived there were too many other issues to do to worry about the access list yet. This information is valuable to me and I really thank you for your time in writing this up for me. This is exactly what I was looking for.

    Thanks again,
    Mike
    Some people have told me they don't think a fat penguin really embodies the grace of Linux, which just tells me they have never seen a angry penguin charging at them in excess of 100mph. They'd be a lot more careful about what they say if they had.
    -- Linus Torvalds

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •