Password Reset and Basic Cisco 1941 Configuration

Sometimes you face tasks you do not seem ready to solve, but the result is needed here and now. Sound familiar? Welcome to the world of Eastern European management and its particular management culture.

So, let’s say you are a representative of a local provider who already knows how to set up some ASUS, but by the will of fate has not yet received a CCNA certificate. Next to you is a local administrator, also without a certificate, whose eyes beg you not to “reset everything to zero”, because “everything works, I just don’t know the password, only don’t tell anyone.”

Such situations are not uncommon in our covid world, where departments and their infrastructure are reshuffled every quarter, division heads mysteriously disappear, and yet another manager, to demonstrate his own effectiveness, quarrels with the only Cisco engineer in the district and signs service contracts through a classifieds site.

Let’s hold a session of black IT magic, followed by its exposure. Namely: reset the password, configure the interfaces (local and external), connect these networks with routes and address translation, and cover it all (well, not really) with a firewall. A brick with a brand nameplate will magically turn into a useful network device.

The device and the interfaces we need

Here she is, our girl. As experienced guys, we approach from the right side:

We are interested in its right side, where all the ports are. The console ports are marked blue, the Ethernet ports yellow.

If you connect to the yellow Ethernet ports, you need to know the IP addresses on these interfaces and the login passwords: the regular one and the “high” (privileged) one, under which all the configuration is actually done. If any of this is missing, welcome to the console. Its ports are marked light blue. The proprietary Cisco console cable, usually lost by this point, is the same color.

The cable is a “special” Cisco one. Its pinout can be found everywhere.

Nowadays not every laptop has a COM port, so you have to add a standard COM-to-USB adapter to this cable. But look closer and you will see a mini-USB port with the same purpose next to the “old” console port. In this case the adapter is built into the Cisco and, yes, it needs a driver… We install it, reboot and connect again. After connecting the Cisco with a mini-USB cable, Cisco Serial (COM14) appears in the device list under Ports (COM and LPT) (not necessarily 14, but what can you do). For further work I recommend the PuTTY terminal program: it has everything that is needed and is as simple as a piece of wood. Today we will connect from it over the Serial interface (COM14) and later over Telnet (TCP 23).

Resetting passwords

Turn on the Cisco and connect with PuTTY to the Serial port (name COM14, baud rate 9600). Make sure there is a connection. Next, the router has to be rebooted into ROMMON, the boot loader: a heavily stripped-down version of the operating system that loads before Cisco IOS and is used for service purposes (IOS update, password recovery). To get into ROMMON, you interrupt the normal IOS boot process by sending a break signal at the very beginning of the boot.

Turn the Cisco 1941 off and, without closing the console session, turn it back on and press the Break key (also known as the Pause key) or Ctrl+Break on the keyboard (if the laptop has neither, PuTTY can send the special Break command from its right-click menu). A complete table of break signals for different terminals is located here.

We see the ROMMON (ROM monitor) prompt:

rommon 1 >

Change the configuration register with the confreg command, then restart the router with the reset command. The value 0x2142 tells the router to ignore the saved startup config, passwords included, on the next boot:

rommon 1 > confreg 0x2142

rommon 2 > reset

Raise privileges with the enable command, or simply en. It does not ask for a password here 🙂

Router1>en

Copy the “password-protected” config into the router’s memory:

Router1#copy startup-config running-config

After that the old, password-protected config is applied, but we are already in privileged mode, from where we can set new passwords for privileged mode, Telnet and the console.

Router1#conf terminal

Router1(config)#enable secret $$$NewPassword

Router1(config)#enable password $$$NewPassword

Router1(config)#line vty 0 4

Router1(config-line)#password $$$NewPassword

Router1(config-line)#login

Router1(config-line)#exit

Router1(config)#line console 0

Router1(config-line)#password $$$NewPassword

Router1(config-line)#login

Router1(config-line)#exit

The main thing is to remember to restore the default register value at the end. If this is not done, our new config will be ignored again after the router restarts.

Router1(config)# config-register 0x2102

Router1(config)#exit

Copy the running config to the startup config and reboot:

Router1# copy running-config startup-config

Router1# reload

The router now has a new password for the console, Telnet and privileged mode. Hooray. The Cisco can now be handed to the relieved administrator together with the settings for the “new Internet” (we came from the provider, remember?). If indecision and fear still lurk in the eyes of the local system administrator, we will help the poor fellow.
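As an added example (not from the original post), this check parses the configuration register line of `show version` and reports whether the router will still ignore its startup config after the next reload. The sample lines are constructed, and the bit meanings are the standard Cisco configuration-register definitions.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: skip startup-config at boot (password recovery)
BREAK_DISABLED = 0x0100  # bit 8: Break key ignored once IOS is running
BOOT_FIELD = 0x000F      # bits 0-3: 0 = stay in ROMMON, 2-F = normal IOS boot

LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Break a register value into the flags that matter for password recovery."""
    return {
        "value": f"0x{value:04X}",
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boots_to_rommon": (value & BOOT_FIELD) == 0,
    }

def check_show_version(text):
    """Report the current register and the one that applies after the next reload."""
    m = LINE.search(text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    # Without a "will be" clause the current value also applies at the next boot.
    pending = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": decode(current),
        "next_reload": decode(pending),
        # Safe to hand over only if the next boot reads startup-config again.
        "safe_to_reload": not (pending & IGNORE_NVRAM),
    }

# Constructed samples of the last line of `show version`
FORGOT = "Configuration register is 0x2142"
FIXED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for sample in (FORGOT, FIXED, NORMAL):
        print(sample, "->", check_show_version(sample)["safe_to_reload"])
```

A router left at 0x2142 comes up with an empty config, without passwords or access lists, on every reload, so this is worth checking before the device goes back into service.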

Configuring interfaces

In order not to come back a second time, let’s go over all the settings needed “for takeoff”. The Cisco has two “yellow” interfaces: GigabitEthernet0/0 and GigabitEthernet0/1. Usually they face the WAN and the LAN respectively, so be it.

WAN addressing: let’s say 100.200.100.202/30 with the provider’s gateway at 100.200.100.201.

LAN addressing, as usual: 192.168.1.1/24, with the Cisco’s local interface at 192.168.1.1.

We do everything as “root” (privileged mode):

>en

#

To configure, use the configure terminal command; to leave, use exit:

#conf t

#exit

Setting up the local interface:

#conf t

#interface GigabitEthernet0/1

#description LAN

#ip address 192.168.1.1 255.255.255.0

#no shutdown

#exit

We configure DHCP (for the entire subnet except for .1-.50 and .200-.254).

Exceptions:

#ip dhcp excluded-address 192.168.1.200 192.168.1.254

#ip dhcp excluded-address 192.168.1.1 192.168.1.50

#ip dhcp ping packets 4

The pool itself:

#ip dhcp pool MY_DHCP_POOL_1

#import all

#network 192.168.1.0 255.255.255.0

#default-router 192.168.1.1

#dns-server 77.88.8.8

#lease 3

#exit

That’s it: after this setting you can connect by Telnet from the LAN if desired (convenient for checks).

When connecting, the laptop must get an address from the DHCP pool and the Cisco must respond. I advise running ping -t to keep an eye on things, just in case.

Configuring the external interface:

#conf t

#interface GigabitEthernet0/0

#ip address 100.200.100.202 255.255.255.252

#no shutdown

#exit

At this point the provider’s gateway, 100.200.100.201, should start answering pings, but only from the Cisco itself, not from the laptop (packets do not pass between the networks yet).

#ip forward-protocol nd

#ip route 0.0.0.0 0.0.0.0 100.200.100.201

At this point 8.8.8.8 should start answering pings from the Cisco itself.

#ip domain timeout 2

#ip name-server 8.8.8.8

#ip name-server 77.88.8.8

#ip cef

At this point ya.ru should start responding from the Cisco itself.

#copy running-config startup-config (or simply #wr)

As a result, we have configured the two networks on the Cisco in which it will live and work. Next, they need to be connected.

His Majesty the Firewall

Here it is, His Majesty the firewall, in the form of NAT and access lists (ACLs).

A lot is built on these lists: references to them are hard-wired into interface rules (access-group) and NAT rules, so enter them carefully. Lists are processed strictly from top to bottom. That is why rules for any usually come last (and they are not needed: by default everything is denied for any). An access list can be standard (access-list) or extended (access-list extended). They differ in level of detail: a standard list, for example, has only an action and a packet source.

NAT setup

We define the local range for masquerading (yes, I know this is an iptables term, but the essence is the same):

#ip access-list standard 10

#permit 192.168.1.0 0.0.0.255

#deny any

#exit

Assign masquerading sides (interfaces):

#interface gigabitethernet0/1

#ip nat inside

#exit

#interface gigabitethernet0/0

#ip nat outside

#exit

Most importantly, we enable the rule itself (on one line):

#ip nat inside source list 10 interface gigabitethernet0/0 overload

Closing off the TCP SYN attack:

#ip tcp synwait-time 30

We configure the access list for the external interface (if you configure one for the internal interface, it needs permits for DHCP traffic). First of all, we close the only network access there is: Telnet (TCP 23). If HTTP(S) or SSH are up, close them too.

We write the list (pay special attention to the ICMP protocol):

#ip access-list extended 101

#deny tcp any any eq 23

#permit tcp any any

#permit udp any any

#permit icmp any any echo-reply

#permit icmp any any time-exceeded

#permit icmp any any unreachable

#deny ip any any

#exit

We attach the list to the input of the external interface:

#int gigabitethernet0/0

#ip access-group 101 in

#exit

#copy running-config startup-config (or simply #wr)

So the list provides only basic “protection”, but that is already the admin’s headache. After bringing up all the services and testing them, you can write a stricter one and apply it.
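As an added example (not part of the original post), here is a small first-match evaluator for ACL 101 above, run over constructed inbound packets to show what the list still lets in from the Internet. The simplified packet model and the stricter variant built on the `established` keyword are assumptions for illustration.

```python
# Added example: first-match evaluation of ACL 101 as entered on the page.
ACL_101 = [
    ("deny",   "tcp",  {"dport": 23}),
    ("permit", "tcp",  {}),
    ("permit", "udp",  {}),
    ("permit", "icmp", {"type": "echo-reply"}),
    ("permit", "icmp", {"type": "time-exceeded"}),
    ("permit", "icmp", {"type": "unreachable"}),
    ("deny",   "ip",   {}),
]
# Assumed stricter variant (not from the page): TCP only for sessions opened
# from inside ("established" = ACK or RST set), UDP only as DNS replies.
ACL_STRICT = [
    ("permit", "tcp",  {"established": True}),
    ("permit", "udp",  {"sport": 53}),
] + ACL_101[3:]

def matches(rule, pkt):
    _action, proto, cond = rule
    if proto not in ("ip", pkt["proto"]):
        return False
    if cond.get("established") and not {"ACK", "RST"} & set(pkt.get("flags", ())):
        return False
    return all(pkt.get(k) == v for k, v in cond.items() if k != "established")

def evaluate(acl, pkt):
    """Action of the first matching rule, top to bottom; implicit deny at the end."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

SAMPLES = {  # constructed packets arriving from the Internet side
    "telnet SYN":   {"proto": "tcp", "dport": 23, "flags": ["SYN"]},
    "ssh SYN":      {"proto": "tcp", "dport": 22, "flags": ["SYN"]},
    "web reply":    {"proto": "tcp", "sport": 443, "dport": 40000, "flags": ["ACK"]},
    "dns reply":    {"proto": "udp", "sport": 53, "dport": 40001},
    "udp probe":    {"proto": "udp", "sport": 50000, "dport": 161},
    "ping request": {"proto": "icmp", "type": "echo"},
    "ping reply":   {"proto": "icmp", "type": "echo-reply"},
}

def compare():
    return {n: (evaluate(ACL_101, p), evaluate(ACL_STRICT, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (page, strict) in compare().items():
        print(f"{name:13} page ACL: {page:7} stricter: {strict}")
```

The page's list denies inbound Telnet but still permits a new inbound TCP connection to port 22 and arbitrary UDP, which is what the stricter list closes; that variant is still stateless and has to be tested against each service that is brought up.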

Everything on the inside and the Cisco on the outside respond to us. The Internet works, mail goes. Everyone is happy, dancing, hugging, putting money in their pockets. Your social rating is growing before our eyes.

P.S. Useful commands

Almost all monitoring is done with the show command. It has a short form, sh, which I do not recommend, because the shutdown command has the same short form.

Actually, enabling something, for example, an interface, looks like this:

#no shutdown

Let’s display the entire config to read / copy:

#show running-config

You can see the capabilities of the show command:

#show ?

Or of any other command:

#ip ?

Viewing summary information on interfaces:

#show ip interface brief

Viewing information on L2 interfaces:

#show interface summary

Viewing addresses issued via DHCP:

#show ip dhcp bind

Deleting config lines:

#no [config line]

For example, let’s remove the default gateway:

#no ip default-gateway

Delete the ENTIRE access list:

#no ip access-list extended 101

Removing a static route:

#no ip route [route]

Well, that is enough for a first visit. With the help of this simple magic, you will make many friends for yourself, young Padawan 🙂 And do not forget to warn the local admin that if he does not configure the ACL properly, their network may soon be in big trouble. But that’s a completely different story.

