It so happens that you have to face tasks you do not seem ready to solve, but the result is needed here and now. Sounds familiar, huh? Welcome to the world of Eastern European management and its corresponding management culture.
So, let’s say you are a representative of a local provider who already knows how to set up some ASUS but, by the will of fate, has not yet received a CCNA certificate. Next to you is a local administrator, also without a certificate, whose eyes beg you not to “reset everything to zero”, because “everything works, I just don’t know the password, only don’t tell anyone.”
Such situations are not uncommon in our covid world, when departments and their infrastructure get reshuffled every quarter, directors of departments mysteriously disappear, and yet another manager, in order to demonstrate his own effectiveness, quarrels with the only Cisco guy in the district and concludes service contracts through a classified-ads site.
Let’s conduct a session of black IT magic together with its subsequent exposure. Namely: reset the password, configure the interfaces (local and external), connect these networks with routes and address translation, and cover it (sort of) with a firewall. A brick with a brand nameplate will magically turn into a useful networking device.
The device and the interfaces we need
Here she is, our girl. As experienced guys, we approach from the right side:
If you connect to the Ethernet ports, which are yellow, you need to know the IP addresses on those interfaces and the login passwords: the regular one and the “high” (privileged) one, under which, in fact, everything has to be configured. If any of this is missing, welcome to the console. Its ports are marked light blue, the same colour as the proprietary Cisco console cable, which is usually lost by this time.
Nowadays not every laptop has a COM port, so you would have to get a standard USB-to-COM adapter for that cable. But look closer and you will see that next to the “old” console port there is a mini-USB port with the same purpose. In this case the adapter is built into the tsiska and, yes, it needs drivers. We install them, reboot and connect again. After connecting to the Cisco via the mini-USB cable, Cisco Serial (COM14) appeared in the device list under Ports (COM and LPT) (not necessarily exactly 14, well, what can you do). For further work I recommend the terminal program PuTTY: it has everything that is needed and is as simple as a piece of wood. Today we will need to connect from it via the Serial interface (COM14) and later via Telnet (TCP 23).
Turn on the tsiska and connect with PuTTY to the Serial port (name COM14, baud rate 9600). Make sure there is a connection. Next, you need to reboot the router into ROMMON, the boot loader: a completely stripped-down environment that starts before Cisco IOS and is used for service purposes (IOS updates, password recovery). To get the router into ROMMON, you need to interrupt the normal IOS boot by sending a break signal at the very beginning of the boot.
Power off and, without closing the console session, power the Cisco 1941 back on and press the Break key (aka Pause) or Ctrl+Break on the keyboard (if the laptop does not have one, PuTTY can send the special command Break from the right-click menu). A complete table of break signals for different terminals is located here…
We see the invitation to rommon mode (ROM monitor):
rommon 1 >
We change the configuration register with the confreg command (0x2142 makes the router ignore the startup-config on boot) and then restart the router with the reset command:
rommon 1 > confreg 0x2142
rommon 2 > reset
After the reboot we raise privileges with the command
Router>enable
(or simply en). And it does not ask for a password here 🙂
Copy the “password-protected” config into the router’s memory:
Router1#copy startup-config running-config
After that the old, password-protected config is applied, but we are already in privileged mode, from where (after configure terminal) we can set new passwords for privileged mode, telnet and the console. Note that enable secret takes precedence over enable password; the latter is stored reversibly and is only consulted when no enable secret exists.
Router1(config)#enable secret $$$NewPassword
Router1(config)#enable password $$$NewPassword
Router1(config)#line vty 0 4
Router1(config-line)#password $$$NewPassword
Router1(config-line)#login
Router1(config-line)#line console 0
Router1(config-line)#password $$$NewPassword
Router1(config-line)#login
The main thing is to remember to return the register to its default value at the end. If this is not done, the router will again ignore our new config after a restart.
Router1(config)# config-register 0x2102
Save the running config to the startup config and reboot:
Router1#copy running-config startup-config
Router1#reload
The router now has new passwords for the console, telnet and privileged mode. Hooray. It is now possible to hand the tsiska to the relieved administrator together with the settings of the “new Internet” (we came from the provider, remember?). If indecision and fear lurk in the eyes of the local sysadmin, we will help the poor fellow.
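After the reset it is worth checking that the box has not been left in a worse state than it was found in: register still at 0x2142, a weak enable password, vty lines without a password or with telnet open. The following Python script is an added example and not part of the original article; it parses constructed sample output of show version and show running-config (the enable secret hash is a placeholder) and reports such findings.

```python
import re

# Constructed sample output (not captured from a real device): the tail of "show version"
# and the relevant lines of "show running-config" right after the recovery.
SHOW_VERSION = """\
Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""
RUNNING_CONFIG = """\
enable secret 5 $1$PLCH$placeholder.hash.not.a.real.one
enable password $$$NewPassword
line con 0
 password $$$NewPassword
 login
line vty 0 4
 password $$$NewPassword
 login
 transport input all
"""
REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def audit_recovery(show_version, running_config):
    """Return a list of findings; an empty list means the box was left in a sane state."""
    findings = []
    m = REG_RE.search(show_version)
    if not m:
        return ["could not read the configuration register from show version"]
    # The value that matters is the one used at the next reload; bit 6 (0x0040) is the
    # "ignore startup-config" bit that confreg 0x2142 switched on.
    next_boot = m.group(2) or m.group(1)
    if int(next_boot, 16) & 0x0040:
        findings.append(f"config-register {next_boot}: startup-config will be ignored on reload")
    if not re.search(r"^enable secret ", running_config, re.M):
        findings.append("no enable secret configured")
    if re.search(r"^enable password ", running_config, re.M):
        findings.append("enable password set: ignored while enable secret exists, and stored reversibly")
    # Each "line ..." block needs both a password and login: with login but no password
    # IOS refuses the connection, without login there is no password prompt at all.
    for block in re.split(r"^(?=line )", running_config, flags=re.M)[1:]:
        header = block.splitlines()[0]
        if not re.search(r"^ password ", block, re.M) or not re.search(r"^ login", block, re.M):
            findings.append(f"{header}: missing password or login")
    if re.search(r"^ transport input (all|telnet)", running_config, re.M):
        findings.append("vty accepts telnet: management traffic crosses the wire in cleartext")
    return findings

if __name__ == "__main__":
    for finding in audit_recovery(SHOW_VERSION, RUNNING_CONFIG):
        print("-", finding)
```

On the sample above it flags only the redundant enable password and the telnet transport; feed it the real show version and show running-config output to check a device you have just recovered.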
In order not to come twice, let’s go over all the settings needed “to take off”. The tsiska has two “yellow” interfaces: GigabitEthernet0/0 and GigabitEthernet0/1. Usually they look towards the WAN and the LAN respectively, so be it.
WAN addressing, let’s say 220.127.116.11/30 with the provider’s gateway 18.104.22.168.
LAN addressing, as usual, 192.168.1.1/24, the tsiska’s local interface being 192.168.1.1.
We do everything from under “root” (privileged mode). To configure, use the configure terminal command; to leave a mode, exit:
#configure terminal
Setting up the local interface:
#interface GigabitEthernet0/1
#ip address 192.168.1.1 255.255.255.0
#no shutdown
We configure DHCP (for the entire subnet except .1-.50 and .200-.254):
#ip dhcp excluded-address 192.168.1.200 192.168.1.254
#ip dhcp excluded-address 192.168.1.1 192.168.1.50
#ip dhcp ping packets 4
The pool itself (the clients also need their gateway and DNS servers, otherwise they will not get past the tsiska):
#ip dhcp pool MY_DHCP_POOL_1
#network 192.168.1.0 255.255.255.0
#default-router 192.168.1.1
#dns-server 220.127.116.11 18.104.22.168
That’s it: after this setting you can, if desired, connect by telnet from the LAN (convenient for checks).
When you connect, the laptop should get an address from the DHCP pool and the tsiska should respond; I advise running ping -t to keep an eye on it just in case.
Configuring the external interface:
#interface GigabitEthernet0/0
#ip address 22.214.171.124 255.255.255.252
#no shutdown
Now the provider’s gateway, 126.96.36.199, should start answering pings, but only from the tsiska itself, not from the laptop (packets do not pass between the networks yet).
#ip forward-protocol nd
#ip route 0.0.0.0 0.0.0.0 188.8.131.52
Now 184.108.40.206 should respond to pings from the tsiska itself.
#ip domain timeout 2
#ip name-server 220.127.116.11
#ip name-server 18.104.22.168
Now ya.ru should resolve and respond to pings from the tsiska itself.
#copy running-config startup-config (or simply
As a result, we have configured two networks on the tsiska in which it will live and work. Next, we need to connect them.
His majesty firewall
Actually, his majesty fire. In the form of NAT and access lists (ACL).
A lot is built on these very lists: they are referenced from interface rules (access-group) and from the NAT rules, so you need to enter them carefully. Lists are processed strictly from top to bottom and the first matching entry wins. Therefore a rule for any is usually the last one (and it is not strictly needed: by default, anything that matches nothing is denied). An access list can be standard (ip access-list standard) or extended (ip access-list extended). They differ in detail: a standard list, for example, only has an action and a source address.
Putting together the local range to be masqueraded (yes, I know that is an iptables term, but the essence is the same):
#ip access-list standard 10
#permit 192.168.1.0 0.0.0.255
Assign the masquerading sides (interfaces):
#interface GigabitEthernet0/1
#ip nat inside
#interface GigabitEthernet0/0
#ip nat outside
Most importantly, we enable the rule itself (in one line):
#ip nat inside source list 10 interface gigabitethernet0/0 overload
Limiting how long the tsiska waits for a TCP connection to complete (a small measure against SYN floods aimed at the router itself; note that 30 seconds is the IOS default, so a lower value is needed for this line to change anything):
#ip tcp synwait-time 30
We configure the access list for the external interface (if one is applied to the internal interface, you also need to permit DHCP traffic). First of all, we close the only management access from outside, telnet (tcp 23). If http(s) or ssh are up, close them too.
We write the list (pay special attention to the icmp protocol: only replies and error messages are let in, so the tsiska will not answer pings from outside while its own outgoing pings keep working):
#ip access-list extended 101
#deny tcp any any eq 23
#permit tcp any any
#permit udp any any
#permit icmp any any echo-reply
#permit icmp any any time-exceeded
#permit icmp any any unreachable
#deny ip any any
We hang the list on the inbound side of the external interface:
#interface GigabitEthernet0/0
#ip access-group 101 in
#copy running-config startup-config (or simply
So the list only provides basic “protection”, but that is already the admin’s headache. After bringing up and testing all the services, a stricter one can be written and applied.
Everything works from the inside, and the tsiska answers us from the outside. The Internet works, mail flows. Everyone is happy, dancing, hugging, pocketing money. Your social rating is growing before your eyes.
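Since the list is read strictly top to bottom and the ICMP entries deserve attention, here is a small first-match evaluator in Python, added as an example (it is not from the original article): it walks ACL 101 exactly as written above and shows which entry decides the fate of a few sample inbound packets, including the implicit deny at the end. The IOS syntax it understands is limited to the any any form the list uses.

```python
# The extended ACL 101 from above, copied here as text (constructed for the example,
# same entries and order). Only the "any any" source/destination form is understood.
ACL_101 = """\
deny tcp any any eq 23
permit tcp any any
permit udp any any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
"""

def parse_ace(line):
    """ACTION PROTO any any [eq PORT | ICMP-TYPE] -> dict describing the entry."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "dport": None, "icmp_type": None}
    rest = tok[4:]                       # whatever follows "any any"
    if len(rest) == 2 and rest[0] == "eq":
        ace["dport"] = int(rest[1])
    elif len(rest) == 1:
        ace["icmp_type"] = rest[0]
    return ace

def ace_matches(ace, proto, dport=None, icmp_type=None):
    # "ip" covers every protocol; a named protocol must match exactly.
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
        return False
    return True

def evaluate(acl_text, proto, dport=None, icmp_type=None):
    """Walk the list top to bottom; the first matching entry decides.
    Nothing matched -> the implicit deny that IOS appends to every list."""
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        if ace_matches(ace, proto, dport, icmp_type):
            return ace["action"], line
    return "deny", "<implicit deny ip any any>"

if __name__ == "__main__":
    # Inbound packets on the WAN side, as a router running ACL 101 would treat them.
    for pkt in [("tcp", 23, None), ("tcp", 443, None), ("icmp", None, "echo"),
                ("icmp", None, "echo-reply")]:
        print(pkt, "->", evaluate(ACL_101, *pkt))
```

Swapping the first two entries shows why order matters: with permit tcp any any on top, the telnet deny is never reached.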
PS Useful commands
Almost all monitoring is done with the show command. It has a short form, sh, which I do not recommend because another command has the same short form.
Actually, enabling something, for example an interface, looks like this:
#interface GigabitEthernet0/1
#no shutdown
Let’s display the entire config to read or copy:
#show running-config
You can see the capabilities of the show command:
#show ?
Viewing summary information on interfaces:
#show ip interface brief
Viewing information on L2 interfaces:
#show interface summary
Viewing addresses issued via DHCP:
#show ip dhcp bind
Deleting config lines:
#no [config line]
For example, let’s remove the default gateway:
#no ip default-gateway
Delete the ENTIRE access list:
#no ip access-list extended 101
Removing a static route:
#no ip route [route]
Well, that is enough for a first visit. With the help of this simple magic you will make many friends, young Padawan 🙂 And do not forget to warn the local admin that if he does not configure the ACL properly, their network may soon be in big trouble. But that is a completely different story.