Cisco Configuration & tips

Configuration changes are only saved after issuing the end command and then the wr command (short for write memory).

Show interfaces

Command: show interfaces

 ...

GigabitEthernet0 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is f80b.cbd4.1f39 (bia f80b.cbd4.1f39)
  Description: -- Rede INTERNA --

  ...

GigabitEthernet8 is up, line protocol is up
  Hardware is PQ3_TSEC, address is f80b.cbd4.1f4a (bia f80b.cbd4.1f4a)
  Description: ### Router VDF ###

  ...

Port forwarding

RDP Example

Configure port 3389 to be forwarded to IP 192.168.0.21 when the traffic arrives on interface GigabitEthernet8 (Router Vodafone)

conf t
ip nat inside source static tcp 192.168.0.21 3389 interface GigabitEthernet8 3389

To remove the port forward configuration

conf t
no ip nat inside source static tcp 192.168.0.21 3389 interface GigabitEthernet8 3389

Show port forwarding

show ip nat translation

Configure VPN users and privileges

Add new user

conf t
username <user> secret <password>

Remove user

conf t
no username <user>

List users

show running-config | include username

Setting user privilege level

conf t
username <user> privilege <level_number>

Define privileges

Privileges are defined by levels from 0 to 15.

Level 0 – Zero-level access only allows five commands: logout, enable, disable, help and exit.
Level 1 – User-level access allows you to enter in User Exec mode that provides very limited read-only access to the router.
Level 15 – Privilege level access allows you to enter in Privileged Exec mode and provides complete control over the router.

We can use levels from 2 to 14 to define specific privileges.

conf t
privilege exec level <level_number> <command>

Example:

conf t
privilege exec level 2 show running-config
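As an added example (not part of the original page), the following Python script audits the output of show running-config | include username: it reads each user's privilege level (IOS defaults to level 1 when none is configured) and flags accounts that use password instead of secret, that still use the MD5-based type 5 secret, or that hold full level 15 privilege. The sample lines are constructed and the hash values are placeholders, not real router output.

```python
import re

# Constructed sample of "show running-config | include username" output.
# Hash strings are placeholders; they are not real credentials.
SAMPLE_USERNAMES = """\
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
username ops privilege 2 secret 5 $1$PLACEHOLDERHASH
username legacy password 7 PLACEHOLDERTYPE7
username guest password 0 guestpass
username vpnuser secret 5 $1$PLACEHOLDERHASH
"""

# username NAME [privilege N] (secret|password) TYPE VALUE
USERNAME_LINE = re.compile(
    r"^username\s+(?P<user>\S+)"
    r"(?:\s+privilege\s+(?P<level>\d+))?"
    r"\s+(?P<kind>secret|password)\s+(?P<type>\d+)\s+(?P<value>\S+)\s*$"
)


def parse_usernames(text):
    """Return one dict per username line; privilege defaults to 1 as on IOS."""
    users = []
    for line in text.splitlines():
        m = USERNAME_LINE.match(line)
        if not m:
            continue
        users.append({
            "user": m.group("user"),
            "privilege": int(m.group("level")) if m.group("level") else 1,
            "kind": m.group("kind"),
            "type": int(m.group("type")),
        })
    return users


def audit_usernames(text):
    """Return (user, finding) pairs for accounts a reviewer should look at."""
    findings = []
    for u in parse_usernames(text):
        if u["kind"] == "password":
            # 'password' stores type 0 (cleartext) or type 7 (reversible encoding);
            # 'secret' stores a one-way hash instead.
            findings.append((u["user"], f"uses 'password' (type {u['type']}), switch to 'secret'"))
        elif u["type"] == 5:
            findings.append((u["user"], "type 5 (MD5) secret, prefer type 9 (scrypt) where supported"))
        if u["privilege"] == 15:
            findings.append((u["user"], "full privilege (level 15)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_usernames(SAMPLE_USERNAMES):
        print(f"{user}: {finding}")
```

Paste the real command output into SAMPLE_USERNAMES (or read it from a file) to run the audit against your own router; the regex only needs the line shape shown above.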

IPSEC

Use the following command to verify the state of the VPN tunnel:

sh crypto isakmp sa

The state should show QM_IDLE and the status should show ACTIVE.

More:

  • https://dcloud-cms.cisco.com/help/verify_vpn_tunnel
  • https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
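As an added example (not from the original page), this Python script parses sh crypto isakmp sa output and reports, per peer, whether the phase 1 SA is in the healthy QM_IDLE/ACTIVE combination described above; a missing SA or a stale one marked (deleted) is reported as a failure. The sample output is constructed with documentation addresses, not captured from the page's router.

```python
import re

# Constructed sample of "show crypto isakmp sa" output (documentation addresses,
# not taken from the page's router). The second row is a stale SA being torn down.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.2    QM_IDLE           1001 ACTIVE
203.0.113.10    198.51.100.3    MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""

# One SA row: dst, src, upper-case state, numeric conn-id, then the status text.
# The lower-case header row and the "IPv4 Crypto ISAKMP SA" banner do not match.
SA_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z][A-Z0-9_]*)\s+"
    r"(?P<conn_id>\d+)\s+(?P<status>\S.*?)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row found in 'show crypto isakmp sa' output."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({
                "dst": m.group("dst"),
                "src": m.group("src"),
                "state": m.group("state"),
                "conn_id": int(m.group("conn_id")),
                "status": m.group("status"),
            })
    return sas


def sa_is_established(sa):
    """The healthy combination named on this page: state QM_IDLE and status ACTIVE."""
    return sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"


def check_peer(text, peer):
    """Return (ok, reason) for the first SA whose dst or src equals peer.

    A missing SA is reported as not ok: without a phase 1 SA there is no tunnel.
    """
    for sa in parse_isakmp_sa(text):
        if peer in (sa["dst"], sa["src"]):
            if sa_is_established(sa):
                return True, f"{peer}: {sa['state']}/{sa['status']} (conn-id {sa['conn_id']})"
            return False, f"{peer}: state {sa['state']}, status {sa['status']}"
    return False, f"{peer}: no ISAKMP SA present"


if __name__ == "__main__":
    for p in ("198.51.100.2", "198.51.100.3", "192.0.2.99"):
        ok, reason = check_peer(SAMPLE_ISAKMP_SA, p)
        print("OK  " if ok else "FAIL", reason)
```

The script only checks the ISAKMP (phase 1) SA; a tunnel that passes this check can still fail to carry traffic if the IPsec (phase 2) SAs are missing, which is what the debugging links above cover.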

Misc

Reboot

Execute the command reload

Filtering results

Append a pipe, include and the text to search for after the command to keep only the matching output lines

Example:

show ip nat translation | include 8080

Show running configuration

show run

Add rules to access lists

NOTE: show running-config | in nat (in is short for include) is useful to see the NAT-related configuration

Use show ip access-lists to view the access lists

Router#show ip access-lists
Extended IP access list 100
    10 permit ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255
    20 permit ip 10.50.13.0 0.0.0.255 10.136.0.0 0.0.255.255 (46540318 matches)
Extended IP access list 120
    10 permit ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255 (61 matches)
    20 permit ip 192.168.10.0 0.0.0.255 10.136.0.0 0.0.255.255 (1498 matches)
Extended IP access list 199
    10 deny ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255
    20 deny ip 192.168.10.0 0.0.0.255 10.136.0.0 0.0.255.255
    30 permit ip 10.10.0.0 0.0.0.255 any (931220 matches)
    40 permit ip 192.168.0.0 0.0.0.255 any (1506486 matches)
    50 permit ip 192.168.10.0 0.0.0.255 any (920163 matches)
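As an added example (not part of the original page), this Python script parses the show ip access-lists output shown above into structured entries, converts each address/wildcard pair to CIDR, lists entries whose hit counter is zero (candidates for review, bearing in mind that counters reset on reload), and answers which entry would decide a given source/destination pair under IOS first-match semantics. The input is the page's own output; only the helper names are mine.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# "show ip access-lists" output exactly as shown on this page.
ACL_OUTPUT = """\
Extended IP access list 100
    10 permit ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255
    20 permit ip 10.50.13.0 0.0.0.255 10.136.0.0 0.0.255.255 (46540318 matches)
Extended IP access list 120
    10 permit ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255 (61 matches)
    20 permit ip 192.168.10.0 0.0.0.255 10.136.0.0 0.0.255.255 (1498 matches)
Extended IP access list 199
    10 deny ip 192.168.0.0 0.0.0.255 10.136.0.0 0.0.255.255
    20 deny ip 192.168.10.0 0.0.0.255 10.136.0.0 0.0.255.255
    30 permit ip 10.10.0.0 0.0.0.255 any (931220 matches)
    40 permit ip 192.168.0.0 0.0.0.255 any (1506486 matches)
    50 permit ip 192.168.10.0 0.0.0.255 any (920163 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
MATCHES = re.compile(r"\((\d+) matches?\)\s*$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    A wildcard is an inverted mask, which ipaddress accepts as a host mask, except
    that 0.0.0.0 would be read as a *net* mask (/0), so that case is handled first.
    Non-contiguous wildcards (e.g. 0.0.255.0) raise ValueError: they have no CIDR form.
    """
    if wildcard == "0.0.0.0":
        return IPv4Network(addr + "/32")
    return IPv4Network(f"{addr}/{wildcard}", strict=False)


def _parse_address(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_access_lists(text):
    """Parse 'show ip access-lists' into {acl_name: [entry, ...]} in sequence order."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        if current is None or not line.strip():
            continue
        m = MATCHES.search(line)
        matches = int(m.group(1)) if m else 0          # no suffix means zero hits
        body = MATCHES.sub("", line).split()
        seq, action, proto = int(body[0]), body[1], body[2]
        src, i = _parse_address(body, 3)
        dst, i = _parse_address(body, i)
        acls[current].append({
            "seq": seq, "action": action, "proto": proto,
            "src": src, "dst": dst, "extra": body[i:],   # port operators, if any
            "matches": matches,
        })
    return acls


def first_match(entries, src_ip, dst_ip):
    """Entry that decides an IP packet (first match wins); None means the implicit deny.

    Only 'ip' entries are evaluated: protocol/port-specific entries are skipped here.
    """
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for e in entries:
        if e["proto"] == "ip" and s in e["src"] and d in e["dst"]:
            return e
    return None


def unused_entries(acls):
    """(acl, seq) pairs whose hit counter is zero."""
    return [(name, e["seq"]) for name, ents in acls.items() for e in ents if e["matches"] == 0]


if __name__ == "__main__":
    acls = parse_access_lists(ACL_OUTPUT)
    for name, seq in unused_entries(acls):
        print(f"ACL {name} seq {seq}: no matches")
    hit = first_match(acls["199"], "192.168.0.5", "10.136.1.1")
    print("ACL 199 decides 192.168.0.5 -> 10.136.1.1 at seq", hit["seq"], hit["action"])
```

Running first_match before adding a rule shows whether an earlier entry already shadows it; for instance a permit added at sequence 30 in list 199 would never be reached for traffic that entry 10 or 20 already denies.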

Enter the configuration of the desired access list, example: ip access-list extended 120 (120 being the number of the access list)

Then add the rule, example: 30 permit ip 192.168.0.0 0.0.0.255 10.214.0.0 0.0.255.255

Add rules to EDP IPSEC tunnel

You need to add the rules to both the 100 and 120 access lists

Kron

Kron lets you schedule commands and set how often they run

configure terminal
kron policy-list NAME_OF_POLICY
cli <command to run>
exit
kron occurrence NAME_OF_OCCURRENCE at <hour> recurring
policy-list NAME_OF_POLICY
end

Example of setting the command clear crypto ikev2 sa to run twice a day. Each run time is a separate occurrence with its own name; the second hour is a placeholder to replace with the time you need

configure terminal
kron policy-list CLEAR_IKEV2_SA
cli clear crypto ikev2 sa
exit
kron occurrence DAILY_AT_13 at 13:00 recurring
policy-list CLEAR_IKEV2_SA
exit
kron occurrence DAILY_AT_<hour> at <hour>:00 recurring
policy-list CLEAR_IKEV2_SA
end
