
CISCO IOS commands

Network Site Protection Cisco IOS Commands

General commands

Here are some general, simple commands.

NAT Entries

Network Address Translation (NAT) entries are used to define where traffic on a specific port should be sent. For example, traffic from the outside WAN on port 21 should go to the FTP server and traffic on port 80 should end up at the WWW server. This is accomplished using NAT.

Uploading and downloading configurations and IOS to the router

The FLASH memory is the memory area that contains the IOS. NVRAM is the memory that holds the configuration.

Monitoring of routers and switches

Monitoring IOS equipment using Simple Network Management Protocol (SNMP) requires that community strings are defined.

DHCP

In case you did not find what you were looking for, try this page


How do I telnet to the router

Choose "Start" -> "Run" and type:

telnet 192.168.1.1

Where 192.168.1.1 is the IP address of the router.

 


How to enable telnet from the outside

By default routers are configured to accept telnet on port 23 from the inside. In order to get telnet access from the outside, you need to create a NAT entry for this purpose.

Connect to the router -> enable -> config. Type:

ip nat ins sou sta tcp 192.168.1.1 23 int dialer0 23000

Now you have outside telnet access on port 23000. NB: This also leaves your router more open to attack.

 


How to go into privileged (enable) mode

Connect to the router. After the initial password you are in user mode. The prompt will look like Router>. This mode is mostly used to view statistics, though it is also a stepping-stone for logging into the more privileged mode. You can only view and change the configuration of a Cisco router in privileged mode, which you enter by typing:

enable  or  en

After a successful login the prompt will have changed to Router#

To end privileged mode type:

disable

 


How to go into configuration mode

Connect to the router -> enable and type:

configure terminal  or   conf t

To end the config mode press <CTRL>+Z (^Z).

Remember to save any changes that are made by typing:  write

 


How to restart the router

Connect to the router, go to enable mode and type:

reload

Press enter when prompted to confirm.

 


How to view the configuration

In enable mode type:

sh run  or wr t

 


How to configure timeout

Connect to the router -> enable -> Config mode, type:


int dialer0
time abs <minutes>

 


How to change password

Connect to the router -> enable -> Config mode, type:

line vty 0 4
  password <PASS>
line con 0
  password <PASS>


To change the Enable password:

no enable secret
enable secret <PASS>


How to see the actual line speed

Connect to the router and type:

sh dsl int atm0

 


How to see the external IP address

Connect to the router and type:

sh ip in br dial0

 


How to set the time

Connect to the router -> enable mode and type:

clock set 10:17:00 14 june 2001

The format is  "hh:mm:ss day month year". NB. clock set ? does not show the correct format.
 

 


How to run a HotLine server

In config mode type :

ip nat ins sou sta tcp w.x.y.z 5500 int dialer0 5500
ip nat ins sou sta tcp w.x.y.z 5501 int dialer0 5501
ip nat ins sou sta tcp w.x.y.z 5502 int dialer0 5502
ip nat ins sou sta tcp w.x.y.z 5503 int dialer0 5503


Where w.x.y.z is the internal IP.

 


How to view the NAT entries

Connect to the router and type:

sh ip nat trans

 


How to add NAT entries

Connect to the router -> enable -> Config mode. The format is:

ip nat inside source static <protocol> <internal ip> <port> interface dialer0 <port>

Protocol is either tcp or udp. For example, a NAT entry for port 4000 to 192.168.1.10 is added by typing:

ip nat inside source static tcp 192.168.1.10 4000 interface dialer0 4000

 


How to remove NAT entries?

Connect to the router -> enable mode -> Config mode. The format is:

no ip nat inside source static <protocol> <internal ip> <port> interface dialer0 <port>

For example, the NAT entry for port 4000 to 192.168.1.10 is removed by:

no ip nat inside source static tcp 192.168.1.10 4000 interface dialer0 4000

In some cases the command above will not be successful, because the entry is in use. If this is the case, type the following before going into config mode.

clear ip nat translation *
 


How to disable NAT and use multiple external addresses

To enable an external IP range, e.g. 212.52.72.184 - 191, connect to the router -> enable mode -> Config mode and type:

int eth0
  ip address 212.52.72.185 255.255.255.248


(Change the IP address to the desired external address)

end
write
reload


Log in again and delete the access list that controls access from the inside out
(it decides which IPs are given access through the router). In config mode:

no access-list 1
access-list 1 permit 212.52.72.184 0.0.0.255


Notice that the mask 0.0.0.255 is inverted (a wildcard mask) and corresponds to the subnet mask 255.255.255.0.
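
The inverted-mask arithmetic can be checked with a short script. This is an added example, not part of the original page: it converts between subnet and wildcard masks and tests which addresses an access-list entry matches. It shows that 0.0.0.255 matches all 256 addresses of 212.52.72.0 - 255, while the inverse of the interface mask 255.255.255.248 used above is 0.0.0.7, which matches only 212.52.72.184 - 191. The test address 212.52.72.10 is constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def invert_mask(mask):
    """Subnet mask -> wildcard mask, or wildcard mask -> subnet mask."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ MASK32))

def acl_matches(base, wildcard, addr):
    """True if addr matches 'access-list N permit <base> <wildcard>'.
    A 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = to_int(wildcard) ^ MASK32
    return (to_int(base) & care) == (to_int(addr) & care)

def matched_count(wildcard):
    """Number of addresses one entry matches (2 ** ignored bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

if __name__ == "__main__":
    base = "212.52.72.184"
    # Compare the page's wildcard with the inverse of the /29 interface mask.
    for wc in ("0.0.0.255", invert_mask("255.255.255.248")):
        print(wc, "=", invert_mask(wc), "matches", matched_count(wc),
              "addresses; 212.52.72.10 permitted:",
              acl_matches(base, wc, "212.52.72.10"))
```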

To disable NAT completely on the inside

no ip nat inside
end
write
reload

 

This satisfies the requirement of some firewalls that the router's IP address has to be on the same network as the WAN link on the firewall. Traffic to the DMZ and firewall now goes directly through the router to the firewall.

 


How to change the address where external traffic is routed to

By default most routers will route all external traffic to 192.168.1.2. If this needs to be changed to something else, e.g. a firewall address, connect to the router -> enable mode and type:

clear ip nat translation *
configure terminal
no ip nat inside source static 192.168.1.2 <external ip>
ip nat inside source static 192.168.0.2 <external ip>
end
write
reload

 


How to copy configuration to a TFTP server

Connect to the router -> enable mode

copy nvram tftp://xx.xx.xx.xx/config.cfg

This saves a configuration file to the TFTP server at ip xx.xx.xx.xx

 


How to copy configuration from a TFTP server

Connect to the router -> enable mode

copy tftp://xx.xx.xx.xx/config.cfg nvram

This loads a configuration file from the TFTP server at IP xx.xx.xx.xx

 


How to remove a configuration

Connect to the router -> enable mode

delete nvram

This removes all configuration parameters and returns the router/switch to factory default settings.

 


How to back up the Cisco IOS

Connect to the router -> enable mode and type :

sh flash

This will show the files stored in the flash memory.

System flash directory:
File Length Name/status
1 3641684 soho70-y1-mz.123-6.bin
[3641748 bytes used, 4746860 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)

In this case there is an image called soho70-y1-mz.123-6.bin

To back up this file type:

copy flash tftp://192.168.1.2/xxxxx.bin
Source filename [soho70-y1-mz.123-6.bin]?
Address or name of remote host [192.168.1.2]?
Destination filename [xxxxx.bin]?

Where 192.168.1.2 is the IP address of the TFTP server. When prompted for the source file name, type the file name found using the sh flash command. xxxxx.bin will be the file name the IOS is stored under on the server.

 


How to restore or upgrade the Cisco Router IOS

Connect to the router -> enable mode and type :

copy tftp://192.168.1.2/xxxxx.bin flash
Destination filename [xxxxx.bin]?
Accessing tftp://192.168.1.2/xxxxx.bin...

Where 192.168.1.2 is the IP address of the TFTP server and xxxxx.bin is the image in the TFTP root. If you do not have enough room in the flash memory to store both copies, the router will ask to erase the contents of the flash before writing the new file to the memory.

 


How to set community strings

Connect to the router -> enable mode - config mode and type:

snmp-server community XXXXX RO
snmp-server location YYYY
snmp-server contact ZZZZ
snmp-server enable traps tty

Where XXXXX is the community name that the software collecting the SNMP traps must use. YYYY and ZZZZ are optional.

 


How to delete community strings

Connect to the router -> enable mode - config mode and type:

no snmp-server community XXXXX RO
 

 


How to limit the DHCP scope

There are 2 ways to do this. The first and most difficult is to connect to the router -> enable mode - config mode and type:

ip dhcp pool <SCOPE name>
  network <network> <subnet>
  default-router <the routers internal ip>
  dns-server 212.54.64.170 212.54.64.171
  lease 0 1


By default the router's IP is 192.168.1.1.

For example, you only want to use the following address pool: 192.168.1.32-192.168.1.63 (not inclusive).
Then you have to change <network> to 192.168.1.32 and <subnet> to 255.255.255.224.

This page can be used to help you calculate the subnet for your address pool: Subnet calculator.

The second and much easier way is just to reserve some addresses in the existing DHCP scope. For example, you don't want to use the IPs from 192.168.1.40 to 192.168.1.72. In config mode type:

ip dhcp exclude 192.168.1.40 192.168.1.72
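
The two approaches can be compared with a short calculation. This is an added example, not part of the original page: it checks whether an address range is exactly one subnet (and so can be written as a pool "network" line) and lists the addresses left to lease after an exclusion. That the existing scope is 192.168.1.0 255.255.255.0 is an assumption.

```python
import ipaddress

def pool_network(first, last):
    """Return 'network <network> <subnet>' if first..last is exactly one
    subnet, else None (such a range cannot be one DHCP pool network)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(nets) != 1:
        return None
    return f"network {nets[0].network_address} {nets[0].netmask}"

def leasable(network, subnet, excluded=()):
    """Host addresses of the pool that remain after the excluded ranges.
    The network and broadcast addresses are never handed out."""
    net = ipaddress.ip_network(f"{network}/{subnet}")
    blocked = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
               for a, b in excluded]
    return [str(h) for h in net.hosts()
            if not any(a <= h <= b for a, b in blocked)]

if __name__ == "__main__":
    # First way: the range from the page is a single subnet.
    print(pool_network("192.168.1.32", "192.168.1.63"))
    print(len(leasable("192.168.1.32", "255.255.255.224")), "addresses")
    # Second way: .40 to .72 is not one subnet, so it is excluded instead.
    print(pool_network("192.168.1.40", "192.168.1.72"))
    # Assumption: the existing scope is 192.168.1.0 255.255.255.0.
    left = leasable("192.168.1.0", "255.255.255.0",
                    [("192.168.1.40", "192.168.1.72")])
    print(len(left), "addresses left after the exclusion")
```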


How to disable DHCP

Connect to the router -> enable mode - config mode and type:

no service dhcp