Archive for May, 2008

Erase PIX startup-config!!

Posted in Erase Pix startup-config on May 30, 2008 by itdaddy

Believe it or not, the PIX syntax is kind of hard to figure out from the IOS-style help. I had to do some searching on Google and found this. Very easy: write erase, confirm; reload, confirm; done! The startup-config is gone and the PIX is ready for the new config.

 

pix# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pix up 20 mins 24 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0015.6340.566a, irq 9
1: ethernet1: address is 0015.6340.566c, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Serial Number: 809361535 (0x303de07f)
Running Activation Key: 0x804a549d 0xd2471a4e 0x054ebfaa 0xfbf836aa
Configuration has not been modified since last system restart.
pix# write erase
Erase PIX configuration in flash memory? [confirm]
pix# relaod
Type help or ‘?’ for a list of available commands.
pix# reload
Proceed with reload? [confirm]

Pix Firewall Configuration 360! WOW

Posted in Pix Firewall Config! Great! on May 29, 2008 by itdaddy

www.ciscoblog.com

by Jeremy Cioara, CBT Nuggets Cisco Instructor – way cool Cisco blog! Make it your favorite! I have been looking all over for a PIX config like Jeremy's. Man, is he cool! Clear and concise! Check it out.

Everyone needs a good, basic PIX Firewall configuration on hand from time to time. Here is one I set up for a client that does the following:

1. NAT overload from an inside network to an outside network
2. Accept incoming PPTP VPN connections from outside clients
3. Turn on the web-based GUI on the PIX

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
:These two lines activate the outside (Ethernet0) and inside (Ethernet1) interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
:These two lines assign names to the interfaces
enable password —— encrypted
:Sets the password for privileged mode
passwd ——– encrypted
:Sets the telnet password
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
:Fixup protocols allow advanced applications to work through NAT. All the above fixup protocol configuration is in the PIX by default.
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip any any
:Same access-list syntax as a router. These are used below.
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
:Sets the outside interface IP address
ip address inside 192.168.1.1 255.255.255.0
:Sets the inside interface IP address
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.2.10-192.168.2.50
:Defines a local DHCP pool of addresses for the PIX to give to incoming PPTP VPN clients
pdm logging informational 100
pdm history enable
:This tracks access to the PDM (the web-based GUI) built-in to the PIX
arp timeout 14400
global (outside) 1 interface
:This is a HUGE command. It turns on NAT translation for all addresses matching NAT rule 1 (shown below) to be translated through the outside interface (to the Internet, in this case)
nat (inside) 0 access-list 101
:This creates NAT rule 0 which tells NAT not to translate addresses that are defined in access list 101 (shown above). This keeps NAT from translating any communication between internal clients (192.168.1.0/24) and VPN clients (192.168.2.0/24).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:This creates NAT rule 1 which matches ALL addresses coming from the inside interface
conduit permit icmp any any
:Conduits are the old form of access-lists. This one permits all ICMP messages to the PIX
route outside 0.0.0.0 0.0.0.0 x.x.x.x
:Sets a default route to the ISP router (represented with x.x.x.x)
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
:Turns on the HTTP interface to the PIX, but only allows internal users (192.168.1.0/24) to access it. This enables the PDM (the web-based GUI) on the PIX
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
:Also a very huge command. This allows PPTP connections to the PIX firewall without the need for an access-list permitting PPTP. You can also use commands like sysopt connection permit-ipsec to permit IPSEC VPN connections
telnet 192.168.1.0 255.255.255.0 inside
:Allows telnet access to the PIX only from the internal subnet
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
:Allows PIX to accept PPTP connections
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
:Allows PPTP users to authenticate using any of the above methods (listed from weakest to strongest)
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
:Points the PIX to hand out IP addresses to incoming VPN clients from the DHCP pool called “pptp-pool” (shown above in the config)
vpdn group 1 client configuration dns 192.168.1.252
vpdn group 1 client configuration wins 192.168.1.251
:Points the VPN clients to the right DNS and WINS server addresses
vpdn group 1 pptp echo 60
:Sends an “echo” (kinda like a keepalive) once every 60 seconds. If a response is not heard, VPN is torn down
vpdn group 1 client authentication local
:Authenticates VPN users using a local user database (shown below)
vpdn username jonesr password *********
vpdn username cepa password *********
vpdn username bob password *********
:Three VPN users allowed to connect
vpdn enable outside
:Turns on VPN connectivity on the outside interface
dhcpd lease 3600
dhcpd ping_timeout 750
username cisco password ——– encrypted privilege 15
:If I telnet with this username/password, I go straight to privileged mode
terminal width 80
: end

IOS Naming Convention Explained!!!

Posted in IOS naming Convention! on May 21, 2008 by itdaddy

Understanding the IOS File Name Convention

Before planning an upgrade or install of an IOS file, you will need to understand the meaning of the name of each IOS file. The IOS file name is usually similar to this form:

xxxx-yyy-ww.aaa-bb.bin

1. The xxxx is the platform. For example:

c1005 – For 1005 platform

c1600 – For 1600 platform

c1700 – For 1700, 1720, and 1750 platforms

c2500 – For 25xx, 3xxx, 5100, and AO (11.2 and later only) platforms

c2600 – For 2600 platform

c2800 – For Catalyst 2800 platform

c2900 – For 2910 and 2950 platforms

c3620 – For 3620 platform

c3640 – For 3640 platform

c4000 – For 4000 platform (11.2 and later only)

c4500 – For 4500 and 4700 platforms

2. The yyy is the feature set. For example:

b – For AppleTalk support

c – For CommServer lite (CiscoPro)

g – For ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, and AppleTalk)

i – For IP subset (SNMP, IP, Bridging, WAN, Remote Node, and Terminal Services)

n  – For IPX support

q  – For asynchronous support

t – For Telco return (12.0)

y – For reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, and PPP) (c1003 or c1004)

z – For managed modems

40 – For 40 bit encryption

50 – For 50 bit encryption

3. The ww is the format (where the IOS file runs in the router):

f – For flash

m – For RAM

r – For ROM

l – For the image will be relocated at run time

The file might also be compressed. The following letters denote the compression type:

z  – For zip compression

x – For mzip compression

w  – For “STAC” compression

aaa-bb represents the version of the IOS. It is usually read as "Version aa.a(bb)". The last part of the IOS file name might contain letters like T (new feature release identifier), S (individual release number), or XR (modular packages).
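As an added example (not code from the original post), here is a small Python parser that applies the convention above to a file name. The image name c2500-p-l.113-0.11 is the one in the show version output further down this page; the 1700 name is constructed, and the feature code 'p' is reported as unknown because the list above does not define it.

```python
import re
from dataclasses import dataclass

# Tables transcribed from the naming convention above.
PLATFORMS = {
    "c1005": "1005", "c1600": "1600", "c1700": "1700, 1720 and 1750",
    "c2500": "25xx, 3xxx, 5100 and AO", "c2600": "2600", "c2800": "Catalyst 2800",
    "c2900": "2910 and 2950", "c3620": "3620", "c3640": "3640",
    "c4000": "4000", "c4500": "4500 and 4700",
}
FEATURE_CODES = {
    "b": "AppleTalk", "c": "CommServer lite (CiscoPro)", "g": "ISDN subset",
    "i": "IP subset", "n": "IPX", "q": "asynchronous", "t": "Telco return",
    "y": "reduced IP", "z": "managed modems",
    "40": "40-bit encryption", "50": "50-bit encryption",
}
RUN_LOCATION = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocated at run time"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "STAC"}

# platform-features-format.major-maint[.train][.bin], e.g. c2500-p-l.113-0.11
NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<major>\d+)-(?P<maint>\d+(?:\.\d+)*)"
    r"(?:\.(?P<train>[A-Za-z][A-Za-z0-9]*))?(?:\.bin)?$"
)


@dataclass
class IosImage:
    platform: str
    platform_desc: str
    features: list        # (code, description) pairs; unknown codes are flagged, not guessed
    run_location: list
    compression: list
    version: str          # "11.3(0.11)", "12.2(4)T3", ...


def tokenize_features(text):
    """Split the feature-set field into codes, trying the two-character codes (40/50) first."""
    tokens, i = [], 0
    while i < len(text):
        code = text[i:i + 2] if text[i:i + 2] in FEATURE_CODES else text[i]
        tokens.append((code, FEATURE_CODES.get(code, "unknown code")))
        i += len(code)
    return tokens


def parse_ios_image_name(name):
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an IOS image name: {name!r}")
    run, comp = [], []
    for ch in m["fmt"]:
        if ch in RUN_LOCATION:
            run.append(RUN_LOCATION[ch])
        elif ch in COMPRESSION:
            comp.append(COMPRESSION[ch])
        else:
            raise ValueError(f"unknown format letter {ch!r} in {name!r}")
    major = m["major"]                      # "113" -> "11.3": the last digit is the minor
    version = f"{major[:-1]}.{major[-1]}({m['maint']}){m['train'] or ''}"
    return IosImage(
        platform=m["platform"],
        platform_desc=PLATFORMS.get(m["platform"], "unknown platform"),
        features=tokenize_features(m["features"]),
        run_location=run,
        compression=comp,
        version=version,
    )


if __name__ == "__main__":
    # The image from the show version output on this page, plus a constructed 1700 name.
    for n in ("c2500-p-l.113-0.11", "c1700-y40-mz.122-4.T3.bin"):
        print(n, "->", parse_ios_image_name(n))
```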

 

 

Password Recovery in Cisco Devices!Great!

Posted in Password Recovery Cisco on May 21, 2008 by itdaddy

How to Recover a Cisco 2500 Router's Password
Cisco Routers – 2500 Series

When would you need this: when you lose the secret, enable, or console password of a 2500 Cisco router.

1. Interrupt the router boot. This is done by pressing Ctrl+Break as soon as you turn on the router. This step gets you into ROM monitor mode (rommon). You will see the following:

System Bootstrap, Version 11.0(10c), SOFTWARE

Copyright (c) 1986-1996 by cisco Systems

2500 processor with 14336 Kbytes of main memory

Abort at 0x1098FEC (PC)

>

The ">" prompt is the ROM monitor prompt. If you have a problem interrupting the boot sequence of the router, you might be interested in this procedure to simulate the break key sequence.

2. Now change the value of the configuration register so that the router ignores the contents of NVRAM on the next boot. This is done with the following command:

> o/r 0x2142

This command sets the sixth bit (the configuration register is originally 0x2102) to one. By doing so, the router will act as new on the next boot, i.e., it will not look for the startup-config in NVRAM.

3. Restart the router using the following command:

> i

The (i) stands for (initialize).

4. The router now restarts and asks if you want to use setup mode; of course you say no. Now, so as not to lose the configuration you already have in the router, go to privileged mode and perform:

Router#copy start run

This gets you your old configuration back, with one exception: you are already in privileged mode without having to know the password!

Now set a new password (or passwords) as you see fit:

Router(config)#enable secret blahblah

You can also set new console and telnet passwords if you like.

5. To get things back to normal, change the configuration register back to its original value (0x2102) using the following global configuration command:

Router(config)#config-register 0x2102

6. Now save the configuration, including the new passwords that you know:

Router#copy run start

7. Now reload and you are good to go:

Router#reload

========================

Configuration register hex values to know!

========================

In summary these Boot Registers are quite handy:

* The value range is from 0x0 to 0xFFFF.
* 0x2102 is the factory-default configuration register value.
* 0x2142 boots from flash without using the NVRAM contents; good for password recovery.
* 0x2101 boots from the boot PROM image (not flash); good for upgrading the image in flash.
* 0x2141 boots from the boot PROM and ignores the NVRAM contents.
* 0x141 disables the Break key, ignores the NVRAM configuration, and boots the default system image from ROM.
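An added example (not from the original post) that decodes these register values bit by bit and flags, from show version output, a router left at a password-recovery value such as 0x2142 or at the 0x2101 rxboot value. The bit meanings are the standard ones for this register (boot field in bits 0-3, bit 6 ignore NVRAM, bit 8 Break disabled, bit 13 ROM fallback); the sample output is constructed from the show version text in the TFTP upgrade post further down this page.

```python
import re

# Bit layout of the 16-bit configuration register (the values listed above are decoded with it).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field
IGNORE_NVRAM    = 0x0040   # bit 6: ignore startup-config in NVRAM (the password-recovery bit)
BREAK_DISABLED  = 0x0100   # bit 8: console Break ignored once IOS is running
ROM_FALLBACK    = 0x2000   # bit 13: boot default ROM software if network boot fails
NORMAL_REGISTER = 0x2102


def decode_config_register(value):
    """Explain a register value field by field."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boot = "stay in ROM monitor (rommon)"
    elif boot_field == 1:
        boot = "boot ROM image (rxboot)"
    else:
        boot = "boot from flash (boot system commands)"
    return {
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def register_warnings(value):
    """Why a value differs from the normal 0x2102, in audit terms (empty list = nothing to flag)."""
    d = decode_config_register(value)
    warnings = []
    if d["ignore_nvram"]:
        warnings.append("bit 6 set: startup-config in NVRAM is ignored, so the box boots "
                        "with no passwords or ACLs (password-recovery value left behind)")
    if (value & BOOT_FIELD_MASK) == 1:
        warnings.append("boot field 0x1: boots the rxboot/ROM image, not the IOS in flash")
    elif (value & BOOT_FIELD_MASK) == 0:
        warnings.append("boot field 0x0: stops in ROM monitor on reload")
    if not d["break_disabled"]:
        warnings.append("bit 8 clear: Break is honoured after boot and drops to rommon")
    return warnings


# Matches the last line of show version, with or without the "(will be ... at next reload)" part.
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def parse_show_version(output):
    """Return (current, next) register values; next == current when no change is pending."""
    m = REGISTER_RE.search(output)
    if not m:
        raise ValueError("no configuration register line in show version output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def audit_show_version(output):
    """Findings for the running value and, if different, the value that takes effect on reload."""
    current, pending = parse_show_version(output)
    findings = [f"now 0x{current:04x}: {w}" for w in register_warnings(current)]
    if pending != current:
        findings += [f"after reload 0x{pending:04x}: {w}" for w in register_warnings(pending)]
    return findings


# Constructed sample modelled on the show version output in the TFTP upgrade post on this page.
SAMPLE_SHOW_VERSION = """\
Router#show version
Cisco Internetwork Operating System Software
2500 Software (C2500-P-L), Version 11.3(0.11)
Configuration register is 0x2102 (will be 0x2101 at next reload)
"""

if __name__ == "__main__":
    for v in (0x2102, 0x2142, 0x2101, 0x2141, 0x141):
        print(f"0x{v:04x}: {decode_config_register(v)}")
        for w in register_warnings(v):
            print("   !", w)
    print(audit_show_version(SAMPLE_SHOW_VERSION))
```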

 

 

Changing IOS on Cisco Device TFTP!

Posted in TFTP update IOS on May 21, 2008 by itdaddy

How to Upgrade IOS on a Cisco Router

When would you need this: an upgrade is required when you plan to add more duties to the router or new hardware. An install is required when the IOS image you have on the router is corrupted.

Special requirements: the new IOS image must fit on your flash device; 'show flash' tells you the size of your flash.

Change the config-register to 0x2101 to boot into rxboot. This releases the lockdown on the flash so you can overwrite it. First check the current value of the configuration register. You can see it in the bottom line of the show version output. It is usually set to 0x2102 or 0x102.

You need this configuration register value to restore the router to its normal operation later.

Router#show version
System image file is “flash:c2500-p-l.113-0.11”, booted via flash

!— Output suppressed.

Configuration register is 0x2102

Note: If you do not have the system image that is currently in Flash on the 2500, be sure to copy it to your TFTP server before proceeding any further. This way, you have a backup image in case you need it.

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#config-register 0x2101

!— Sets config register to boot from rxBoot.
Router(config)#^Z
Router#

Note: The x in "0x2101" is significant; it indicates hex input to the router. Omitting the x will have an unexpected effect on the router. You can verify that you are entering it correctly with the show version command.

Router#show version
Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-P-L), Version 11.3(0.11), BETA TEST SOFTWARE
System image file is "flash:c2500-p-l.113-0.11", booted via flash

!— Output suppressed.

Configuration register is 0x2102 (will be 0x2101 at next reload)

Router#

If the output is different from that shown above, stop here and repeat the previous step until it is correct. When you have finished with verification, proceed as follows:

Router# reload

System configuration has been modified. Save? [yes/no]: y
Building configuration…
[OK]
Proceed with reload? [confirm]

If you are on the console port while booting, an error message such as "Bad arguments to line command" will be displayed, because RxBoot only initializes the first five vty ports. The rest of the lines are ignored in RxBoot mode. You can safely ignore these messages. Wait for the "router-name>" prompt to appear and continue with the instructions in Step 4.

Enter RxBoot mode in router.

If you Telneted into the router, your Telnet session will be dropped when the router begins to reload. Wait for the router to complete its reload and log in again through Telnet. Otherwise, on a directly connected console, simply press the return key ("to get started").

router(boot)>


Before starting the IOS upgrade or installation, you will need to install TFTP server software (google Pumpkin on downloads.com or softpedia.com) on a PC connected to the router's Ethernet interface. There are many free TFTP servers downloadable on the Internet; however, our recommendation is Free TFTP Server 6.0.

Afterwards, make sure to point the TFTP server at the folder containing the new IOS image. We will set down two procedures for two different types of router: a procedure for routers with internal flash (e.g. 2600), and a slightly different procedure for routers with PCMCIA flash cards (e.g. 3600).

 

Upgrade Procedure for Cisco Routers with Internal Flash:

1. Create a console connection with the default settings (9600 baud, 8 databits, 0 parity bits, 1 stop bit, no flow control).

2. Verify the connectivity between the router and the TFTP server using ‘ping’. Make sure that the router interface and the TFTP server IP addresses are in the same range and the ping is responding well.

3. Although the upgrade will be happening in the flash and the configuration is saved in the NVRAM, make a backup of the configuration. This is recommended in case something goes wrong in the upgrade. Also, make a backup copy of the IOS you already have on the router. In case the new IOS image is corrupted, you will be on the safe side. For the backup process, please refer to the IOS backup procedure and configuration backup procedure.

4. Start the upgrade by the command:

Router#copy tftp flash

Now you will be prompted for the IP address of the TFTP server:

Address or name of remote host []? XXX.XXX.XXX.XXX

Afterwards, you will be asked for the name of the new IOS file being copied from the TFTP server:

Source filename []? cXXXX-X-XX.XXX-XX.bin

Please note that the file name is case sensitive, so be 100% sure of what you are writing.

Now you will be asked for the destination file name on your router,

Destination filename []? cXXXX-X-XX.XXX-XX.bin

It is preferred to keep it as the source file name, to be able to easily identify the files on the TFTP servers as compared to the ones on the routers. Now you will be asked whether to erase the existing file(s) in the flash or not. If you have enough free space on the flash, don’t erase the old IOS image, you might need it.

Erase flash: before copying? [confirm]

Afterwards, the router starts copying the new IOS file to the router, or starts erasing the flash and then copying:

Erasing the flash filesystem will remove all files! Continue? [confirm]y

Erasing device… eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

eeeeeeeeee …erased

Erase of flash: complete

Loading cXXXX-X-XX.XXX-XX.bin from XXX.XXX.XXX.XXX (via Ethernet0/0): !!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK – xxxxx/yyyyyyy bytes]

Verifying checksum…  OK (0xAC8A)

xxxxxx bytes copied in xx.xx secs (yyyy bytes/sec)

The copying process takes several minutes; the time differs from network to network. During the copy process, messages are displayed to indicate which file has been accessed. The exclamation point “!” indicates that the copy process is taking place. Each exclamation point indicates that ten packets have been transferred successfully. A checksum verification of the image occurs after the image is written to flash memory.

5. Before reloading the router, you need to make sure of two things. The first is that the configuration register value is 0x2102. You can check that with the 'show version' command. If the configuration register's value is not 0x2102, set it with the following command:

Router(config)#config-register 0x2102

The second thing needs to be checked only if you did not erase the contents of the flash: you will need to set up the router to boot from the new IOS file with the following commands:

Router(config)#no boot system

Router(config)#boot system flash cXXXX-X-XX.XXX-XX.bin

6. If you type the reload command, the router asks you if you want to save the configuration. You should be very cautious here. The reason is that if the router is in boot mode, for instance, it is running a subset of the full Cisco IOS software with no routing functionality. Therefore, all the routing configuration is missing from the running configuration, and if you save the configuration at this point, you erase the good startup-configuration in NVRAM and replace it with the incomplete running-configuration. Save the configuration only if you are sure that you have the full configuration in the output of show run. It is NOT necessary to save the configuration for a previously changed config-register to take effect; that is done automatically.

Router#reload

System configuration has been modified. Save? [yes/no]: y 

Building configuration…

[OK]

Proceed with reload? [confirm]y

7. To verify that the new image is loaded after the ‘reload’, use ‘show version’ command.

System returned to ROM by reload

System image file is "flash:cXXXX-X-XX.XXX-XX.bin"     <<< Check it here


Upgrade Procedure for Cisco Routers with PCMCIA Flash:

1. Create a console connection with the default settings (9600 baud, 8 databits, 0 parity bits, 1 stop bit, no flow control). If your router does not boot regularly, refer to the note above.

2. Check if you have enough space in the flash card for the new IOS file:

Router#dir slot1:

If you find that there is not enough space, you can delete one or more files from the flash:

Router#delete slot1: FILENAME.bin

If you delete one or more files from the flash, DO NOT reload or power-cycle the router until you finish this procedure. The IOS image you are working on is currently loaded into RAM, so the router keeps working properly until you reload or power-cycle it.

3. Verify the connectivity to the TFTP server with the 'ping' command, and make sure that the TFTP server software is running and that the working directory of the TFTP server contains the new IOS file. It is also advised that you back up the configuration and the old IOS file before proceeding. For this purpose, refer to the IOS backup procedure and configuration backup procedure.

4. Copy the new IOS file from the TFTP server to the router:

Router#copy tftp slot1:

Address or name of remote host []? XXX.XXX.XXX.XXX

Source filename []? cXXXX-X-XX.XXX-XX.bin

Destination filename [cXXXX-X-XX.XXX-XX.bin]?

Accessing tftp://XXX.XXX.XXX.XXX/cXXXX-X-XX.XXX-XX.bin…

Erase slot1: before copying? [confirm]n     <<< You can say 'no' here because you have already emptied space for the new IOS file

Loading cXXXX-X-XX.XXX-XX.bin from XXX.XXX.XXX.XXX (via Ethernet1/0):

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK – xxxxxxx/yyyyyyy bytes]

Verifying checksum…  OK (0x13F0)

xxxxxxx bytes copied in 67.708 secs (zzzz bytes/sec)

Router#

5. Verify the new IOS file in the flash card:

Router#dir slot1:

6. Direct the router to load the new IOS file in the next boot:

Router(config)#no boot system

Router(config)#boot system flash slot1:cXXXX-X-XX.XXX-XX.bin

7. Make sure that the configuration register has the value 0x2102. This is verified with the 'show version' command. If the configuration register has a value other than 0x2102, use the following command to change it:

Router(config)#config-register 0x2102

8. Save the configuration with one of the two following commands:

Router#write memory

Or

Router#copy run start

9. Reload the router with the 'reload' command. After the reload, verify the new IOS version with the 'show version' command. This command also shows you the name of the IOS file that has been loaded.


OSPF – Link State Protocol in Multiple Areas

Posted in OSPF Links State many areas on May 19, 2008 by itdaddy

=============================================================

OSPF operations in a nutshell:

Instead of having every router flood the network with LSAs after a network topology change, the change notification is sent straight to the DR, and the DR then floods the network with the change. If the DR fails, the backup designated router (BDR) takes its place. The BDR is promoted to DR and another election is held, this one to elect a new BDR.

The value used to elect the DR and BDR is the OSPF interface priority. By default, this value is one on all OSPF-enabled interfaces. To influence the election, the interface-level command "ip ospf priority" is used. Setting an interface's priority to zero prevents it from becoming the DR or BDR.

==============================================================

 ———————————
OSPFv2 last but not least
———————————

How neighbors are formed
DR vs BDR
Hello packets
ABR + summarized routes
ASBR
—————————————–
OSPF link state
Dijkstra (SPF) algorithm
metric is cost
LSAs sent to adjacencies
show ip ospf database (looks like a route table)
LSU (LSA)
LSAs –> database (built from these)
———————————————-
DR:

– receives LSAs for other routers
– floods LSA change to all non DR and BDR
– non DR/BDR are called DROTHERS
– show ip ospf neighbor
————-
DR/BDR
————
If the DR fails, the BDR takes over when promoted to DR. Another election is held for BDR.

—————————————–
How to influence the DR/BDR election
——————————————
- interface priority
- default value = 1 on all interfaces
- influence the election of BDR and DR by changing the interface priority.
  — R1(config-if)#ip ospf priority 0
     — will prevent a router from EVER becoming a BDR or DR!!!
     — keeps the router a permanent DROTHER.

—————————————————————–
Neighbors must form before anything happens
—————————————————————
How neighbors form in OSPF:

Hello packets sent every 10 seconds on Ethernet (broadcast)
Hello packets sent every 30 seconds on NBMA (Serial/frame-relay type)

Hello packets perform 2 roles:

1. Hellos allow neighbors to discover each other.
2. Hellos allow a type of keepalive!

—————————————————————————-
Requirements for OSPF Neighbor Adjacencies to form
—————————————————————————
- subnet must be the same
- subnet ID must match
- hello timers (keepalive) must match
- dead timers must match (= 4 x hello)
  — dead timer for Ethernet: 4 x 10 = 40 seconds
  — dead timer for NBMA: 4 x 30 = 120 seconds
If the hello timer changes, the hold/dead timer changes with it (4 x hello).
————————————————————————————————–

R1#debug ip ospf adjacencies

This shows the election process, so you can debug where it is failing.
R1#u all (short for undebug all)
R1#no debug all
R1#no debug ip ospf adjacencies

The above shuts off specific or all debugging.

—————————————————————–
How to read debug ip ospf adj command output
—————————————————————–
Debug ip ospf adj – status

DOWN – no hello received from the neighbor yet

ATTEMPT – NBMA (serial): unicast hello packets sent to the neighbor

INIT – 1 hello packet sent

2-WAY – good, meaning both sides recognize each other as neighbors. Each router has received its own RID (highest IP address on the router, or highest loopback; it doesn't have to be enabled to be the RID)

EXSTART – follows the DR/BDR election; LSAs can begin

EXCHANGE – database description of the link-state database

LOADING – routers now send LSRs (link-state requests) to their potential neighbors

FULL – router databases are in sync and the adjacencies have been formed

————————————————————————————
OSPF lab portion Hub and Spoke Topology
————————————————————————————

============================================================

Nice link to some cool stuff on OSPF in multiple areas

The CCNA 802 test only covers a single area, but I was told by CCIEs it is best to see it in more than one area.

They are the top dog. Click here.

www.routeralley.com

Great lab by RouterAlley! here:

https://itdaddy.files.wordpress.com/2008/06/ospfmultiarea.pdf

http://www.avici.com/documentation/HTMLDocs/03675-02_revBA/ospf.html

—————————————————————–

—————————————–
Force DR and BDR elections
—————————————–

ip ospf priority 0 on all spokes so they do not EVER become
DR or BDR. The priority defaults to 1.

NOTE: elections go to the highest priority in OSPF.

– priority defaults to 1
– DR: highest priority
– BDR: 2nd highest priority, most of the time.
– To prevent the R2/R3 spokes from being elected DR/BDR use:
(config-if)#ip ospf priority 0

———————————————————————
How OSPF routers become neighbor adjacencies
——————————————————————-
                        NBMA (serial)      Broadcast (Ethernet)
Hellos go out           30                 10
Dead/hold time          4 x hello = 120    4 x hello = 40
Subnet mask             same               same
Subnet ID               same               same

Note: must all match.
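An added example (not from the original notes) that checks the adjacency requirements in the table above and works out the DR/BDR outcome for the hub-and-spoke topology with priority 0 on the spokes. The hub/spoke addresses follow the neighbor statements in these notes; the router IDs are constructed, and the election is the textbook cold-start result (highest priority, router-id breaks ties) rather than the sticky live process.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional

# Default hello timers from the notes; the dead timer is always 4 x hello.
HELLO_DEFAULT = {"broadcast": 10, "nbma": 30, "point-to-point": 10}


@dataclass
class OspfInterface:
    router: str
    address: str                 # e.g. "172.12.123.1/24"
    network_type: str            # "broadcast", "nbma" or "point-to-point"
    priority: int = 1            # 0 = never DR/BDR (permanent DROTHER)
    hello: Optional[int] = None  # None = default for the network type
    area: int = 0

    def hello_interval(self):
        return self.hello if self.hello is not None else HELLO_DEFAULT[self.network_type]

    def dead_interval(self):
        return 4 * self.hello_interval()


def adjacency_blockers(a, b):
    """Return the reasons two interfaces cannot become OSPF neighbors (empty = they can)."""
    ia, ib = IPv4Interface(a.address), IPv4Interface(b.address)
    reasons = []
    if ia.network.netmask != ib.network.netmask:
        reasons.append(f"subnet mask mismatch: {ia.network.netmask} vs {ib.network.netmask}")
    elif ia.network != ib.network:
        reasons.append(f"subnet id mismatch: {ia.network} vs {ib.network}")
    if a.area != b.area:
        reasons.append(f"area mismatch: {a.area} vs {b.area}")
    if a.hello_interval() != b.hello_interval():
        reasons.append(f"hello timer mismatch: {a.hello_interval()}s vs {b.hello_interval()}s")
    if a.dead_interval() != b.dead_interval():
        reasons.append(f"dead timer mismatch: {a.dead_interval()}s vs {b.dead_interval()}s")
    return reasons


def router_id(loopbacks, interface_addrs):
    """RID rule from the notes: highest loopback address if any, else highest interface address."""
    pool = loopbacks or interface_addrs
    return max(pool, key=lambda addr: int(IPv4Address(addr)))


def elect_dr_bdr(interfaces, rids):
    """Textbook (cold start) DR/BDR outcome on one segment: priority 0 never runs,
    highest priority wins, the higher router-id breaks ties, the runner-up becomes BDR.
    Live OSPF is stickier: an existing DR is not pre-empted by a better candidate."""
    if any(i.network_type == "point-to-point" for i in interfaces):
        return None, None   # no DR/BDR on point-to-point links
    candidates = sorted(
        (i for i in interfaces if i.priority > 0),
        key=lambda i: (i.priority, int(IPv4Address(rids[i.router]))),
        reverse=True)
    dr = candidates[0].router if candidates else None
    bdr = candidates[1].router if len(candidates) > 1 else None
    return dr, bdr


# Constructed hub-and-spoke scenario on the 172.12.123.0/24 frame-relay cloud from the notes.
RIDS = {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "3.3.3.3"}
HUB = OspfInterface("R1", "172.12.123.1/24", "nbma")
SPOKES = [OspfInterface("R2", "172.12.123.2/24", "nbma", priority=0),
          OspfInterface("R3", "172.12.123.3/24", "nbma", priority=0)]

if __name__ == "__main__":
    for s in SPOKES:
        print(s.router, "->", adjacency_blockers(HUB, s) or "can form adjacency")
    print("DR/BDR:", elect_dr_bdr([HUB] + SPOKES, RIDS))
```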
—————————————————————————
Hub required command hub/spoke topology – HOT!!!!!!
***neighbor statements needed on hub!***
—————————————————————————

R1(config-router)#neighbor 172.12.123.2
R1(config-router)#neighbor 172.12.123.3

————————————————————————–
Common Issue with NBMA topologies – Fix
—————————————————————————

Sometimes the default network type will be broadcast when building a Frame Relay circuit, so you need to change the network type to point-to-point.

————————————————
This is how to change the network type – fix
————————————————-
R1(config-if)#ip ospf network {non-broadcast | broadcast | point-to-point}

show ip ospf interface serial1 (as an example)

will show you the network type for that interface. Then run:

debug ip ospf adj (shows the DR/BDR elections and more)

————————————————-
fixed! – neighbor relations can form
————————————————-

————————————————————–
2nd Part of OSPF Routing
————————————————————–

Topics Covered:
– Broadcast networks
– OSPF RID
– OSPF router types
– Advantages of OSPF
– Point-to-point OSPF networks
– OSPF authentication: text / MD5 message-digest
———————————————————————–
No DR/BDR on a point-to-point link with 2 routers only.
————————————————————————

R2 ———— SWITCH ———— R3   (Area 51)

show ip ospf neighbor                    FULL/ – on both routers: no DR or BDR!

 

————————————————————————

show ip route ospf
OSPF cost

110/74
110/74

Equal cost load balancing is in effect.
Metric is cost:

cost = ((10^7/band(bps)) + delay sum)256

OSPF costs:

56 kbps          = 1788
T1 1.544 Mbps    = 64
Ethernet         = 10

 

—————————————————————————
Cost dilemma on serial: the default cost is 64 because IOS assumes a T1 line (1.544 Mbps)
—————————————————————————

R1(config)#int serial1
R1(config-if)#ip ospf cost 100

2 routes the same:
110/74
110/74
Note: by default, equal cost load balancing takes effect.
—————————————————————————
RID – highest IP address (doesn't have to be active); but if a loopback address exists, the highest loopback is taken over serial/ethernet.
————————————————————————–
———————————————–
How to force or hard code the RID ?
———————————————-

R1(config)#router ospf <process-id>
R1(config-router)#router-id 11.11.11.11
reload or **clear ip ospf process** (choose the latter)

—————————————————————————
Types of routers in OSPF
————————————————————————–
Internal Router – all interfaces in the same area (not a multi-area router)

ABR – area border router – 1 interface in area 0 (backbone)
                         – 1 interface in another area
                         – connects area 0 to other areas

ASBR – autonomous system boundary router – connects other routing protocols to OSPF networks. Called route redistribution.

Backbone Router – 1 interface in area 0.

Note: All ABRs are backbone routers, but not all backbone routers are ABRs.

———————————————————————-
OSPF authentication Text or MD5 message-digest
———————————————————————-
clear text authentication
———————————
R1(config)#int serial 0
ip ospf authentication-key ccna
ip ospf authentication
ctrl+Z
wr
note: both routers need the same on each interface.
————————————————————————
MD5 authentication
—————————
R1(config)#int s0
ip ospf authentication message-digest
ip ospf authentication message-digest-key 1 md5 ccie
ctrl+z
wr
note: both routers need the same on each interface.
————————————————————————
Gosh darn it, that was a lot to digest! Done with OSPF!!!!!
————————————————————————

Windows VPN config in Cisco 2600 series router

Posted in VPN PPTP config w/ 2600 on May 19, 2008 by itdaddy

How to configure Cisco 2600 router using dhcp and NAT to allow VPN? (#14347) This is a simple configuration for a Cisco 2600 series router with one interface connected to your ISP using DHCP and NAT, and the second interface connected to your private network. With this configuration remote users can access your private network via a Windows VPN connection.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
no logging console
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
!
enable secret 5 XXXXXXXXXXX
enable password 7 XXXXXXXXX
!
username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
!
ip routing
ip subnet-zero
ip domain-name mydomain.com
ip name-server 192.168.2.1
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip source route
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no boot network
no service config
!
router rip
version 2
network 192.168.0.0
passive-interface FastEthernet 0/0
no auto-summary
!
!
ip audit notify log
ip audit smtp spam 25
ip audit po max-events 50
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn
!
!
async-bootp dns-server 192.168.2.1
async-bootp nbns-server 192.169.2.1
!
!
interface FastEthernet0/0
description WAN Interface
ip address dhcp
ip nat outside
ip access-group filter_wan_in in
ip audit AUDIT.1 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip route-cache
no cdp enable
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Interface
ip address 192.168.1.1 255.255.0.0
ip nat inside
ip access-group filter_lan_in in
ip access-group filter_lan_out out
cdp enable
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap
!
!
ip local pool VPN-IN 192.168.2.51 192.168.2.53
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
!
ip classless
no ip http server
!
ip access-list extended filter_wan_in
! use this to deny any incoming traffic
permit ip any any
deny ip any any log
!
ip access-list extended filter_lan_in
permit ip any host 192.168.2.51
permit ip any host 192.168.2.52
permit ip any host 192.168.2.53
deny udp any eq 137 any
deny udp any eq 138 any
deny tcp any eq 135 any
deny tcp any eq 139 any
deny tcp any eq 445 any
permit icmp any any
permit ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any any log
!
ip access-list extended filter_lan_out
permit ip host 192.168.2.51 any
permit ip host 192.168.2.52 any
permit ip host 192.168.2.53 any
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
deny udp any any eq 137
deny udp any any eq 138
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny ip any any log
!
access-list 1 remark NAT Source Restrictions
access-list 1 permit any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
password 7 XXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
end

The majority of the above configuration is fairly standard and can be found in other FAQs so I will just stick to the settings for getting the router to accept VPN connections.

The first bit:

aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common

simply enables the access control model for logins.

username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX

defines the users and their passwords. These users can log in either over VPN or directly via telnet (or SSH if configured).

vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn

this enables virtual private dialup networking (VPDN) using the Point-to-Point Tunneling Protocol (PPTP).

interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap

creates a virtual template bound to the LAN port of the router and assigns the client an IP address from the VPN-IN pool.
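Added example, not part of the FAQ text: a Python checker for the points a reviewer would raise about this exact configuration. `ppp authentication ms-chap` is MS-CHAP version 1 and `mppe 40` is 40-bit encryption, the weakest options PPTP offers; `password 7` strings are reversible obfuscation rather than hashes (only `enable secret` is hashed); and an access list that opens with `permit ip any any` admits everything before the logging deny beneath it ever runs. The excerpt is trimmed from the configuration above with indentation restored; the check list, messages and function are mine, not a Cisco tool.

```python
"""Audit an IOS configuration excerpt for weak VPN and credential settings (added example)."""
import re

# Constructed excerpt of the configuration shown above, indentation restored.
SAMPLE_CONFIG = """\
enable secret 5 XXXXXXXXXXX
enable password 7 XXXXXXXXX
username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ppp encrypt mppe 40 required
 ppp authentication ms-chap
ip access-list extended filter_wan_in
 permit ip any any
 deny ip any any log
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
"""

# (pattern, severity, finding) for single-line checks; this list is the example's own.
LINE_CHECKS = [
    (re.compile(r"^\s*ppp authentication ms-chap(\s|$)"), "high",
     "PPP authentication is MS-CHAP v1; use ms-chap-v2 at least, and treat both as offline-crackable"),
    (re.compile(r"^\s*ppp encrypt mppe 40(\s|$)"), "high",
     "40-bit MPPE; 128 is the strongest PPTP offers"),
    (re.compile(r"^\s*(enable password|username \S+( privilege \d+)? password) 7 "), "medium",
     "type 7 credential: reversible obfuscation, not a hash"),
    (re.compile(r"^\s*password 7 "), "medium",
     "line password is type 7 (reversible)"),
    (re.compile(r"^\s*protocol pptp(\s|$)"), "info",
     "PPTP tunnel: MS-CHAP and MPPE are its only protections"),
]


def audit_ios_config(config):
    """Return [(severity, line_no, message)] sorted by line number."""
    findings = []
    acl = None          # name of the extended ACL whose entries we are inside
    vty_line = None     # line number of the current 'line vty' block
    vty_ssh_only = True
    for n, line in enumerate(config.splitlines(), 1):
        for rx, sev, msg in LINE_CHECKS:
            if rx.search(line):
                findings.append((sev, n, msg))
        if not line.startswith(" "):  # any top-level command ends the current block
            if vty_line is not None and not vty_ssh_only:
                findings.append(("medium", vty_line,
                                 "vty lines lack 'transport input ssh' (telnet may be allowed)"))
            acl, vty_line = None, None
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            acl = m.group(1)
        elif acl and re.match(r"^\s*permit ip any any\s*$", line):
            findings.append(("high", n, "ACL %s permits all IP traffic; every later entry is dead" % acl))
        if re.match(r"^line vty", line):
            vty_line, vty_ssh_only = n, False
        elif vty_line and re.match(r"^\s*transport input ssh\s*$", line):
            vty_ssh_only = True
    if vty_line is not None and not vty_ssh_only:
        findings.append(("medium", vty_line, "vty lines lack 'transport input ssh' (telnet may be allowed)"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for sev, n, msg in audit_ios_config(SAMPLE_CONFIG):
        print("%-6s line %2d  %s" % (sev, n, msg))
```

Run against the excerpt it reports nine findings; the same function run on a config whose vty block carries `transport input ssh` and whose only credential is an `enable secret` reports none.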

ip local pool VPN-IN 192.168.2.51 192.168.2.53

defines the IP addresses available to the VPN clients (3 in this case).

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723

defines the NAT overload and the static port mapping; 1723 is the port for PPTP.

The ACLs can be customized to your needs, but note how the VPN client addresses are reversed: in filter_lan_in (applied inbound on Fa0/1) the three client addresses appear as destinations, while in filter_lan_out (applied outbound on Fa0/1) they appear as sources.
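Added example, not part of the FAQ text: a small Python model of how IOS walks an extended ACL (first match wins, wildcard masks rather than netmasks, implicit deny at the end), run against two of the lists above. It also flags entries that one earlier entry already covers completely, which is why the `deny ip any any log` in filter_wan_in can never fire while `permit ip any any` sits above it. The ACL text is pasted from the configuration above (with the 172.16.0.0 wildcard as 0.15.255.255, matching the other RFC 1918 entries); the packets are constructed test inputs and the function names are mine. The shadow check compares one earlier entry at a time, so it will not notice an entry covered only by the union of several earlier ones.

```python
"""First-match evaluation of IOS extended ACLs, plus a shadowed-entry check (added example)."""
import ipaddress

# Two of the ACLs from the configuration above, pasted as text.
FILTER_WAN_IN = """
! use this to deny any incoming traffic
permit ip any any
deny ip any any log
"""

FILTER_LAN_IN = """
permit ip any host 192.168.2.51
permit ip any host 192.168.2.52
permit ip any host 192.168.2.53
deny udp any eq 137 any
deny udp any eq 138 any
deny tcp any eq 135 any
deny tcp any eq 139 any
deny tcp any eq 445 any
permit icmp any any
permit ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any any log
"""

ALL = 0xFFFFFFFF


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tok, i):
    """Return ((network, wildcard), next index) for 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return (0, ALL), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _port(tok, i):
    """Optional 'eq N' after an address; only numeric ports, as used in the config above."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = [t for t in tok[i:] if t != "log"]
        itype = rest[0] if proto == "icmp" and rest else None  # e.g. echo-reply
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "itype": itype, "text": raw.strip()})
    return rules


def _in_range(addr, ip):
    """Wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wc = addr
    return (ip & ~wc & ALL) == (net & ~wc & ALL)


def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport, dport, itype."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _in_range(rule["src"], _ip(pkt["src"])) or not _in_range(rule["dst"], _ip(pkt["dst"])):
        return False
    return all(rule[f] is None or rule[f] == pkt.get(f) for f in ("sport", "dport", "itype"))


def evaluate(rules, pkt):
    """Router semantics: first matching entry wins; no match means the implicit deny."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], n
    return "deny", None


def _covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    (anet, awc), (bnet, bwc) = a, b
    return (bwc & ~awc & ALL) == 0 and ((anet ^ bnet) & ~awc & ALL) == 0


def rule_covers(earlier, later):
    if earlier["proto"] != "ip" and earlier["proto"] != later["proto"]:
        return False
    if not (_covers(earlier["src"], later["src"]) and _covers(earlier["dst"], later["dst"])):
        return False
    return all(earlier[f] is None or earlier[f] == later[f] for f in ("sport", "dport", "itype"))


def shadowed(rules):
    """Entries that can never match because a single earlier entry already covers them."""
    return [r["text"] for i, r in enumerate(rules) if any(rule_covers(e, r) for e in rules[:i])]
```

Two details the simulation makes visible: `deny tcp any eq 139 any` in filter_lan_in matches on the *source* port (the `eq` sits after the source address), so it drops NetBIOS replies leaving the LAN rather than requests, and a LAN host's packet to a VPN client on port 139 is permitted by the first three entries before those denies are ever consulted.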

Now all that's left is to configure the client computers. With Windows XP it's easy….
1) open up the Network Connections folder
2) click “Create a new connection”
3) click Next
4) choose “Connect to the network at my workplace” then click Next
5) select “Virtual Private Network connection” then click Next
6) Enter a name for the connection and click Next
7) Now you can set the VPN connection to auto-dial or not, choose either, then click Next
8) Enter the IP address of your router (this is the public address). Since in our case it's assigned by DHCP we could use a dyndns address here
9) Click Next
10) Click Finish

Once the Wizard has completed right-click the new connection, then click Properties. On the Security tab select “Advanced (custom settings)” and click the Settings button.

Verify that the Data encryption drop-down has "Require Encryption" selected. Then make sure Microsoft CHAP (MS-CHAP) and (MS-CHAP v2) are enabled and click OK.

Finally go to the Networking tab and change the "Type of VPN" from Automatic to "PPTP VPN", then click the Settings button and verify that:
1) Enable LCP Extensions – is checked
2) Enable software compression – is checked
3) Negotiate multi-link – is not checked

Now you're all set and ready to go…..

-b