Creating a PPP Connection to a Cisco Aux Port




In this article, we set up MRTG to monitor an old Cisco 1720 router. It is nice to have *two* interfaces on a lab router so that you can route between two physical interfaces. We tried adding a second FastEthernet module in place of the T1 module we have, but the firmware was too old. The router's limited memory complicates matters further. Here is the version info:

router>show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY56I-M), Version 12.0(5)T1,  RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 17-Aug-99 12:52 by cmong
Image text-base: 0x80008088, data-base: 0x807B37B0
ROM: System Bootstrap, Version 12.0(1)XA1, RELEASE SOFTWARE (fc1)
router uptime is 2 days, 1 hour, 45 minutes
System returned to ROM by power-on
System image file is "flash:120-5"
cisco 1720 (MPC860) processor (revision 0x301) with 18432K/2048K bytes of memory.
Processor board ID JAD98504058 (230041443), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 Serial network interface(s)
1 Serial(sync/async) network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
router>

This version of IOS has some security vulnerabilities, but it is fine for lab use. To create another usable interface, then, the best bet we have is to use the AUX port. First, you need to cable it. All you need is a terminal adapter (the beige thing with RJ-45 on one side and DB-9 on the other, marked terminal). You have to use a rollover cable to connect the AUX port on the Cisco to the terminal adapter. The terminal adapter can then plug into a regular DB-9 port on a PC. For more options and detailed explanations, see this article. For us, the regular light blue console cable *was* a rollover cable. Our working router configuration is:

router#show run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot system flash 120-5
no logging console
enable password password
!
username username password 0 password
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
cns event-service server
!
!
process-max-time 200
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0
 ip address 10.50.100.200 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip directed-broadcast
!
interface Async5
 ip address 10.10.10.10 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip directed-broadcast
 encapsulation ppp
 async mode interactive
 peer default ip address 10.10.10.11
 fair-queue 64 16 0
 no cdp enable
 ppp authentication chap
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.50.100.82
no ip http server
!
access-list 100 permit ip any any
snmp-server engineID local 00000009020000500F0254CC
snmp-server community public RO
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps rsvp
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 password password
 autoselect during-login
 autoselect ppp
 login
 modem InOut
 transport input all
 escape-character NONE
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 password password
 login
!
end
router#

Security is wide open on this. We may mess with some of the filters in the future. The SNMP is also not secure. Not only is the config not secure, but the version of IOS is not secure. Read our terms of use. The point of this article is just to get the AUX port to do PPP. For us, the AUX port was interface Async5. We connected an XP box to the PPP interface using the mdmcbx.inf file from this site. There is an excellent write-up on how to do this at the Cisco site here.
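
The weak settings mentioned above can be found mechanically. The following Python audit is an added example, not part of the original article: it walks an IOS configuration and reports each weak setting together with the section it sits in. The sample is a constructed excerpt of the configuration shown earlier, and the rule ids are this example's own names.

```python
import re

# Constructed excerpt of the running-config printed above.
SAMPLE_CONFIG = """\
no service password-encryption
enable password password
username username password 0 password
!
access-list 100 permit ip any any
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 password password
 login
"""

# (rule id, regex for one stripped config line); the rule ids are this example's own.
LINE_RULES = [
    ("cleartext-storage", r"^no service password-encryption$"),
    ("enable-password", r"^enable password "),      # 'enable secret' stores a hash instead
    ("user-type0", r"^username \S+ password 0 "),   # type 0 means cleartext
    ("snmp-default-community", r"^snmp-server community (public|private)\b"),
    ("acl-permit-any", r"^access-list \d+ permit ip any any$"),
    ("no-exec-timeout", r"^exec-timeout 0 0$"),
    ("transport-input-all", r"^transport input all$"),
]

def audit(config_text):
    """Return sorted (section, rule id) pairs for the weak settings found."""
    findings, section, open_vty = set(), "global", set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            section = "global"          # '!' closes an interface/line block
        elif re.match(r"(interface|line) ", line):
            section = line
            if line.startswith("line vty"):
                open_vty.add(section)   # unrestricted until an access-class is seen
        elif line.startswith("access-class "):
            open_vty.discard(section)
        else:
            findings.update((section, rid) for rid, pat in LINE_RULES if re.search(pat, line))
    # A vty block with no access-class accepts logins from any source address.
    findings.update((s, "vty-no-access-class") for s in open_vty)
    return sorted(findings)
```

Sections are tracked by the interface and line keywords and the ! separators rather than by indentation, so the audit also works on a configuration pasted without its leading spaces.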

The network config we have is:

XP Box (10.10.10.11)<->(noip)Router(10.50.100.200)<->(LAN)<->(.82)GW<->ISP

The hosts on the LAN go through the gateway for everything that isn't on 10.50.100. So, with the above setup, you can't communicate with anything but the router, since anything from 10.10.10 is assumed to come in via .82. What is needed to get this all working correctly is a static route on the default gateway. This is a GNU/Linux box that we have been using for many, many years as a NAT/Firewall box. It is an old Pentium 133. It is extremely secure, since we allow nothing at all. The only access is via the console. About the only thing that could be vulnerable on it is the kernel itself. Anyway, the following command to add the static route is probably specific to GNU/Linux, or at least *NIX:

route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.50.100.200 dev eth0

Eth0 is the interface on the LAN side of this box. All this means is that in the one case where the destination is the 10.10.10 network, send the traffic to 10.50.100.200. This is the Cisco router, so at that point the Cisco will make sure that the traffic gets back to the XP box.

Now, when we look at this with the MRTG monitoring we set up in this article, we see traffic going through the router:





This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art391.html

Copyright 1997-2007 NetAdminTools.com. Read our Terms of Use.