First, we’ll sync the router time against another NTP time source. It’s as easy as specifying an IP:

phbrtr#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
phbrtr(config)#ntp server <IP address>
phbrtr(config)#exit
phbrtr#

Incidentally, you can find a list of public NTP servers at:

http://support.ntp.org/bin/view/Servers/WebHome 

To tidy things up, you might want to prevent NTP synchronisation attempts on a per-interface basic. To do this, you can ‘ntp disable’ on the relevant interface(s):

phbrtr#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
phbrtr(config)#interface fa1/0
phbrtr(config-if)#ntp disable
phbrtr(config-if)#exit
phbrtr(config)#exit

Finally, heres how to check that everything’s working as it should:

 phbrtr#sh ntp status
Clock is synchronized, stratum 2, reference is 129.6.15.28
nominal freq is 250.0000 Hz, actual freq is 250.0005 Hz, precision is 2**24
reference time is CE89F9F3.27B5E326 (21:21:55.155 GMT Wed Oct 21 2009)
clock offset is -13.4327 msec, root delay is 99.40 msec
root dispersion is 21.27 msec, peer dispersion is 7.83 msec
phbrtr#

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

phbrtr#sh vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Intf   Username State    Last Chg    Uniq ID
32       32768   37       Vi3   user            estabd 00:00:18   31
phbrtr#

That pesky user!! Lets disconnect him..

phbrtr#clear vpdn tunnel pptp id 37
Starting to clear the tunnel
phbrtr#

Note here that we’ve used the TunID from the previous command (in this case – 37). Another quick ’show vpdn session’ (or for the lazy: ’sh u’) will show that your user has disappeared.

If you’ve got a lot of users, looking up their id and clearing can be quite tedious. To clear ALL PPTP sessions:

phbrtr#clear vpdn tunnel pptp all
Clear all PPTP tunnels? [confirm]
Starting to clear the tunnel

phbrtr#

Simples!

phbrtr(config)#no ip nat source static tcp 192.168.0.1 25 interface FastEthernet1/0 25
%Static entry in use, cannot remove

phbrtr(config)#

So what it is? Well, as the errors suggests, the rule is currently being used and as such can’t be changed (in this particular instance, there were a few active SMTP connections). On busy routers, this activity sometimes cannot be helped!

So how do you get around it? Well the first way is simply to wait for a lul in the traffic! When this isn’t possible, you can try clearing current IP NAT dynamic translations: (NB: Be quick!)

phbrtr(config)#no ip nat source static tcp 192.168.0.1 25 interface FastEthernet1/0 25
%Static entry in use, cannot remove

phbrtr(config)#do clear ip nat translation *
phbrtr(config)#no ip nat source static tcp 192.168.0.4 25 interface FastEthernet1/0 25
phbrtr(config)#

If this still doesn’t work (note that once you’ve issued the clear ip nat command – any new packets will create a new nat entry – hence ‘Be quick’!), you will to stop nat for a while to allow you to remove the translation:

phbrtr(config)#no ip nat source static tcp 192.168.0.1 25 interface FastEthernet1/0 25
%Static entry in use, cannot remove

phbrtr(config)#interface FastEthernet0/0
phbrtr(config-if)#no ip nat inside
phbrtr(config-if)#exit

phbrtr(config)#interface FastEthernet1/0
phbrtr(config-if)#no ip nat outside
phbrtr(config-if)#exit

phbrtr(config)#do clear ip nat translation *
phbrtr(config)#no ip nat source static tcp 192.168.0.1 25 interface FastEthernet1/0 25

phbrtr(config)#interface FastEthernet0
phbrtr(config-if)#ip nat inside
phbrtr(config-if)#exit

phbrtr(config)#interface FastEthernet1/0
phbrtr(config-if)#ip nat outside
phbrtr(config-if)#exit

 This demo removes IP NAT from both inside and outside interfaces – but you could try to removing it from just one (for ease) - but it will obviously depend on your setup.

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

First is to leave it as it is - going off to a serial port – but add a permanent terminal to display the results. Not very practical – especially if the router is at a remote site.

Second option is to send the messages off to a syslog server – which is good if you’ve got routers spread all over and want to report back to a central point. Ok! Time to get yourself a syslog server up and running. If you’ve not already got it, Tftpd32 has funcitionality for this (which is also useful for the transfer of IOS images – more on this some other time maybe). You can get it from http://tftpd32.jounin.net. Configuring tftpd32 is beyond the scope of this guide – but it’s easy enough. Google it if in doubt. Enter global config mode on your router (conf t) and then:

phbrouter(config)# logging <ip address of syslog server>
phbrouter(config)# exit
phbrouter# wr mem

It’s that easy! Future messages will now be directed to your syslog server.

The third option is to get the router to store messages in a buffer for retrieval later. This is really useful to debug network failure at remote sites (say for instance your remote routers can’t report back to you whats going on - because its outside link is down! You’d wait for the line to come back up, log in and check what happened). Again, this is easy to configure. Enter global config mode and:

phbrouter# conf t
phbrouter(config)# logging buffered
phbrouter(config)# exit
phbrouter# wr mem
phbrouter#

And to retrieve the messages, issue:

phbrouter#
phbrouter#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 4873 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 3 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level debugging, 4879 message lines logged
        Logging to 192.168.0.1(global) (udp port 514, audit disabled, link up), 4879 message lines logged, xml disabled,
               filtering disabled

Log Buffer (4096 bytes):

*Jun 10 18:01:01: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.107)
*Jun 10 18:14:57: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.0.107] [localport: 22] at 18:14:57 GMT Wed Jun 10 2009
*Jun 10 18:20:49: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.107)

If you getting too much crap in the buffer, you can clear it by issuing the ‘clear logging’ command. Incidentally, you can set the amount of buffer space by tagging on a byte value at the end of ‘logging buffered’ (between 4096 to 2147483647).

Finally, if you’re sick of the logging messages appearing on the serial console (or if you want to hide the messages from prying eyes!) you can stop them by entering global config mode and issuing:

phbrouter(config)# no logging console

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

http://en.wikipedia.org/wiki/Network_address_translation 

What I am going to go into is how to configure them on your router. What we’re trying to achieve here is that you’ve got a functioning router and want to direct any incoming requests (SMTP, POP, HTTP – pick one!) to an internal server.

First identify which interface sits on the outside. Then enter global config mode, and issue:

ip nat inside source static tcp <internal ip> <internal port> interface <outside interface> <outside port>

So, for example, if you’re outside interface is FastEthernet1/0, and you wanted to redirect any HTTP requests to your internal web server on 192.168.0.10, you would issue:

phbrouter(config)# ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet1/0 80

What if you’ve got multiple public IP’s? Simply use this instead:

phbrouter(config)# ip nat inside source static tcp 192.168.0.10 80 123.123.123.123 80

Easy, yet effective!

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

If you’re still reading, you want to know how to do it. Ok! First identify what module and so what interfaces you want to swap over (’sh int’ or ’sh diag’ will do). Say we want to swap over an NM-1FE1R2W in slot #3 with a WIC1-ADSL:

phbrouter# conf t
phbrouter(config)# interface FastEthernet3/0
phbrouter(config-if)# shutdown
phbrouter(config-if)# exit
phbrouter(config)# interface TokenRing3/0
phbrouter(config-if)# shutdown
phbrouter(config-if)# exit
phbrouter(config)# interface ATM3/0
phbrouter(config-if)# shutdown
phbrouter(config-if)# exit
phbrouter(config)# exit
phbrouter#

Next, physically remove the slot #3 module. If you’re on the console or have logging enabled, you should see something like:

* Jun  5 22:07:53: %OIR-6-REMCARD: Card removed from slot 3, interfaces disabled

You could stop here (make sure you install filler plate),  or you could replace it with a similar card and repeat the steps above substituting ’shutdown’ for ‘no shutdown’. 

Done!!

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

Get a console cable rigged up and your favourite terminal application. Make sure this works first and then turn on / reboot the router.

When the router is ‘Self decompressing the image’ hit CTRL+C. If nothing seems to happen – check your terminal app for keyboard mappings, etc (I know that PuTTY needs a bit of playing with. HyperTerminal works with the defaults)

The next stage is to alter the config register to make it ‘ignore’ the startup-config on next boot (which is where your passwords are stored). You should check what your original config register is before you change it – but if you know what it was, you probably wouldn’t be reading this!! It’s usually safe to assume anyway that you want to set the config register to 0×2142. So, at the prompt:

rommon 1> confreg 0×2142
rommon 2> reset

The router should now be resetting itself as if it didn’t have any config – and start to run through the ‘Initial Setup’. Hit CTRL+C and you’ll drop to the prompt. The trick is to get yourself into priviledged mode, copy over your startup config to ‘running’ and then set your new password(s). So:

Router> en
Router# copy startup-config running-config
phbrouter#

Note that you’ll see your interfaces being brought up, and other status messages to signify the router is/has been configured. What you do at this point depends entirely on your configuration. Chances are that you’ll want to set a new enable password, but you may also want to reset local user passwords, console passwords, etc. I’ll show you how to reset the enable secret (but make sure to do a ’sh run’ to check for others):

phbrouter# conf term
phbrouter(config)# enable secret <new password>
phbrouter(config)# exit
phbrouter#

Issue a quick ‘wr mem’ and your new config will be written. Finally, you’ll need to set your config register back to 0×2102 (to tell the router to no longer ignore your startup-config):

phbrouter# conf t
phbrouter(config)# config-register 0×2102
phbrouter(config)# exit
phbrouter# wr mem

Done! Reboot and you should be able to use your new password(s).  Note that on some IOS images, I’ve noticed that the interfaces adopt the shutdown state. Easily rectified by going into configuration mode, and issuing a ‘no shutdown’ for each interface.

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

First off, you’ll want to make sure that you have VPN server functionality. Again, this is determined by your IOS image. Check your feature set on the Cisco feature navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Once you’ve done that – on to the configuration. I’ll point out anything that’s worth noting.

Enter configuration mode, set some basic aaa and enable vpdn:

phbrouter#conf t
phbrouter(config)#aaa new-model
phbrouter(config)#aaa authentication ppp default local
phbrouter(config)#aaa authorization network default if-authenticated
phbrouter(config)#vpdn enable
phbrouter(config)#

As mentioned, this is a fairly basic config. You’ll notice that we’re authenticating against the local userlist (which we’ll define later). If you wanted to, you could use RADIUS instead (which is outside the scope of this article! Maybe I’ll cover it some other time!). Next we need to setup a VPDN group, tell it that we accept dialin, define what protocol it should use and which virtual interface template to use for incoming connections (which we’ll do later):

phbrouter(config)#vpdn-group 1
phbrouter(config-vpdn)#accept-dialin
phbrouter(config-vpdn-acc-in)#protocol pptp
phbrouter(config-vpdn-acc-in)#virtual-template 1
phbrouter(config-vpdn-acc-in)#exit
phbrouter(config-vpdn)#exit
phbrouter(config)#

Great! Half way there. The next stage is to create a virtual interface that will be brought up when a user connects. This includes the address allocation and what authentication we want to accept. MS-Chap and MS-Chap v2 is good enough for our purposes:

phbrouter(config)#int Virtual-Template1
phbrouter(config-if)#desc VPN Virtual Interface
phbrouter(config-if)#ip unnumbered FastEthernet0/0
phbrouter(config-if)#peer default ip address pool vpnpool
phbrouter(config-if)#ppp encrypt mppe auto
phbrouter(config-if)#ppp authentication ms-chap ms-chap-v2
phbrouter(config-if)#exit
phbrouter(config)#

You’ll notice that it’ll try to grab an address from a pool (rather creatively) named vpnpool. We’ll define this now – but be sure to change this to a free address range on your network (also big enough to accomodate your number of users):

phbrouter(config)#ip local pool vpnpool 192.168.1.150 192.168.1.160
phbrouter(config)#

The final stage is to define some users. Seeing as we’re going to be using the local userlist, it’s a really good idea to set these users to privilege level 0 (for obvious reasons):

phbrouter(config)#username joebloggs privilege 0 password joebloggsrules
phbrouter(config)#username jackbloggs privilege 0 password brownbear

And you’re finished! You can either use the Cisco VPN Client to connect from remote locations – but I find the in-built Windows ‘Connection Wizard’ is a lot lighter (!) and is more than suffice.

This was done on a router with an existing aaa policy. If I’ve missed anything out – please post your feedback!

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

Cisco IOS VPN Configuration

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared
secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's
LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has
the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
interface address, 172.23.9.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "hr5xb84l6aa9r6"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

   * TripleDES
   * SHA-1
   * ESP tunnel mode
   * MODP group 2 (1024 bits)
   * Perfect forward secrecy for rekeying
   * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
   * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
     172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPSec support, beginning with early versions of IOS
Version 12; however the commands have changed during the evolution of IOS
Version 12 point releases.  The following example uses the current release
version, Cisco IOS Version 12.2(8)T4.

This example uses a Cisco 1700 series router, which has one ethernet port
and one serial port.  The ethernet port, FastEthernet0, will be the outside,
or Internet-facing interface.  The serial port, Serial0, will be the inside
interface.  (This is just an example.  Your interfaces may be different.)

All configuration changes are volatile, and immediate, until the "write"
command is executed, when the configuration is saved to flash and will be
reloaded after a reboot.  At any time, you may examine the running
configuration with the command "show running-configuration", or view the
saved configuration with the command "show config".  Most commands can be
abbreviated.  Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router# 

Define the default route:

Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Cisco supports only one IKE policy per router, so you must design one which
is acceptable to all systems you are going to interoperate with.  Assign it
an ordering number of 5.  If you wanted to have more than one proposal in
the policy, the proposals would be given in order defined by this policy
order number.  Configure the IKE Policy:

Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

Since multiple peers will share the same IKE policy, you must match each
peer with its pre-shared secret:

Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config-isakmp)# exit

The IPSEC transform will be combined later with the rest of the IPSEC policy
in a crypto map command.  In this command, "STRONG" is just a label.  Labels
are CASE-SENSITIVE.  Define the IPSEC transform:

Router# config term
Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Router(config-isakmp)# exit

Cisco IOS uses access lists for SPD entries.  Many features of access lists
(.e.g. TCP flag checking) don't work in IPSEC.  This kind of access list
MUST be labelled with a 3-digit number.  The netmask in Cisco access lists
are inverted.  Nobody knows why, they just are.  This list says "all traffic
from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols".  Create the
IPSEC access list:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Because IOS is a router first and an IPSEC gateway second, we have to tell
IOS which interface to send packets on if the default route is not enough.
In this scenario we don't need it, but in other situations you might need to
define a route for the remote protected network:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.17
Router(config)# exit

A crypto map binds all the assorted crypto parameters with a specific remote
gateway.  Several crypto maps bound to different remote gateways can be
grouped together in one crypto map SET which is then bound to an outgoing
interface.  The number following the crypto map set name is the ordering of
the map in the set.  Bind the policy together with a crypto map, and give it
the label CISCO:

Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

Because Ciscos could have many interfaces, you have to bind the SPD to the
outgoing interface:

Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a
different access list for each tunnel, add an isakmp key entry for each
gateway, and possibly create a different ipsec transform if your security
policy is different.  For example, let's say you have another remote peer at
23.23.24.25, for which you have created access-list 102.  You could then add
a crypto map to the set created above:

Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit

Now the outgoing interface FastEthernet0 has both crypto maps, and it will
compare traffic to each map in order to determine if the traffic requires
encryption.

Save the configuration:

Router# write
Building configuration...
[OK]

Here is the completed IPSEC part of the Cisco configuration:

Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!

Now, bring up a tunnel!  The IOS ping command extensions will allow you to
select the source interface, and hence IP address, of the ping:

Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hmmmm ... what could be wrong?  Let's check some basics:

Router# show ip int brief
Interface                  IP-Address      OK? Method Status            Protocol
FastEthernet0              14.15.16.17     YES manual up                   up

Serial0                    10.5.6.1        YES manual down                 down

Ah, the serial interface is down.  I have to actually connect it up to something
to bring the interface up.  Now, the ping works and brings up the SAs.

Show the SAs with these commands:

Router# show crypto isakmp sa
dst             src             state           conn-id    slot
14.15.16.17     22.23.24.25     QM_IDLE               1       0

Router# show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The easiest way to clear SAs from a Cisco IOS system varies with version, but
one of these two will generally work:

RouterRouter# clear crypto isakmp
RouterRouter# clear crypto sa

To enable debugging in IOS, you must turn on the debug as well as turn on the
debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:
Router# nodebug all
Router# term no monitor

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

I’m running a Cisco 3660 with c3660-ik9o3s-mz.124-6.T.bin which has IPSec and 3DES – so we’re good to go.

SSH doesn’t like a router that doesn’t have a configured hostname or domain name. So, we’ll make sure that both of them are done now:

 Router# conf term
 Router(config)# hostname phbrouter
 phbrouter(config)# ip domain-name phirebird.net
 phbrouter(config)#

Right. Now you’re ready to create an RSA encryption key pair. Whilst generating, you’ll notice that it asks how many bits you’d like to use in the modulus. Don’t accept the default of 512. Instead, select at least 1024 bits.

 phbrouter(config)# crypto key generate rsa
 The name for the keys will be: phbrouter.phirebird.net
 Choose the size of the key modulus in the range of 360 to 2048
        for your General Purpose Keys. Choosing a key modulus greater than
        512 may take a few minutes.
 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys …[OK]
 phbrouter(config)#
 * May  16 10:05:28.283: %SSH-5-ENABLED: SSH 1.99 has been enabled
 phbrouter(config)#

To make sure that everything has been configured correctly, you can issue these commands:

 show ip ssh  (Displays the version and basic configuration)
 show ssh  (Displays the status of any connections)

You may stop reading here, but it’s a good idea to familiarise yourself with the other SSH configuration options open to you:

phbrouter(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

Most notable here is thatrunning SSH on a differnt port is probably a good idea (but try leaving it on the default 22 and see how many connection attempts you get!). The number of authentication-retries default is 3 – which is fair enough, and the timeout default is 120 seconds (maybe a bit long?).

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!

Cisco: A Beginner’s Guide

CCNA – Cisco Certified Network Associate Study Guide

Cisco Networking for Dummies

Cisco IOS in a Nutshell – O’Reilly