Showing posts with label Cisco.

To create an access list on a Cisco router that allows only outgoing TCP connections and blocks all incoming traffic except replies to connections initiated by inside hosts, you need to permit established connections that were initiated from the inside.
This post gives an example access list that only allows connections initiated by an inside host, that is, only TCP SYN segments sent from inside hosts. In other words, this access list blocks all TCP SYN traffic coming from the outside network.

ip access-list extended OUTGOING-ONLY
 permit tcp any any gt 1023 established
 permit tcp any eq ftp-data any
 permit udp any eq 53 any
Because a normal TCP connection is initiated from a source port greater than 1023, this access list only permits established traffic (segments with the ACK or RST bit set) to destination ports greater than 1023. To allow FTP, the FTP data port (TCP 20) from the FTP server must also be permitted. UDP port 53 must be permitted as well, because DNS servers reply from UDP port 53. Everything else is dropped by the implicit deny at the end of the list.
Apply this access list inbound on the outside (ISP-facing) interface, so that it filters traffic coming in from the outside:
interface FastEthernet0/0
 description TO-ISP
 ip access-group OUTGOING-ONLY in
 ip address 192.168.1.2 255.255.255.252
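The following packet-level model of the OUTGOING-ONLY list is an added example, not code from the post: it evaluates constructed sample packets against the three permit lines plus the implicit deny, to show what the established keyword does check (ACK or RST bit set) and what it does not (it keeps no connection state).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    """A TCP or UDP packet arriving inbound on the outside interface."""
    proto: str                 # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}

def is_established(pkt: Packet) -> bool:
    """IOS 'established' matches any TCP segment with the ACK or RST bit set.
    It does not track sessions, so a stray ACK that belongs to no
    inside-initiated connection matches just like a real reply."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def outgoing_only(pkt: Packet) -> str:
    """Evaluate the OUTGOING-ONLY access list top to bottom."""
    # permit tcp any any gt 1023 established
    if pkt.proto == "tcp" and pkt.dst_port > 1023 and is_established(pkt):
        return "permit"
    # permit tcp any eq ftp-data any   (source port 20, any flags)
    if pkt.proto == "tcp" and pkt.src_port == 20:
        return "permit"
    # permit udp any eq 53 any         (replies from a DNS server)
    if pkt.proto == "udp" and pkt.src_port == 53:
        return "permit"
    return "deny"  # implicit deny ip any any at the end of every IOS ACL

# Constructed sample packets (not captured traffic), one per interesting case.
SAMPLES = {
    "syn_from_outside":     Packet("tcp", 40000, 8080, frozenset({"SYN"})),
    "synack_reply":         Packet("tcp", 443, 50000, frozenset({"SYN", "ACK"})),
    "reply_to_low_port":    Packet("tcp", 443, 1023, frozenset({"SYN", "ACK"})),
    "ack_only_no_session":  Packet("tcp", 40000, 50000, frozenset({"ACK"})),
    "dns_reply":            Packet("udp", 53, 50001),
    "dns_query_inbound":    Packet("udp", 50001, 53),
    "ftp_data_from_server": Packet("tcp", 20, 50002, frozenset({"SYN"})),
}

def evaluate_samples() -> dict:
    """Verdict of the ACL for every sample packet."""
    return {name: outgoing_only(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} {verdict}")
```

The ack_only_no_session case is why this style of list is only a coarse filter: a stateful inspection feature (reflexive ACLs or CBAC/zone-based firewall) is needed to admit only genuine replies.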


A Cisco router can be used as a VPN server, using L2TP over IPsec, so that clients on the internet can access the private network.

Below are the steps for configuring L2TP/IPsec on a Cisco router.
1. Enable AAA authentication and create a user:

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
username cisco password cisco
2. Enable VPDN and configure a VPDN group:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
3. Configure the ISAKMP authentication method. Using a pre-shared key is the best and simplest method:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
4. Configure IPsec:
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
5. Create the Virtual-Template:
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
6. Create an IP pool for the users:
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
7. Test your configuration.

Complete configuration on the Cisco router:
L2TP-Server#sh run
Building configuration...

Current configuration : 5669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L2TP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WMq0$BZpIxsWnzmEI0fCvWADGd0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name ipnetconfigs.com
ip name-server 192.168.0.1
ip ssh version 2
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-417945430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-417945430
 revocation-check none
 rsakeypair TP-self-signed-417945430
!
!
crypto pki certificate chain TP-self-signed-417945430
 certificate self-signed 01
  quit
username root privilege 15 secret 5 $1$E1t3$.GKaPz1xFuph9r/fRqxTO.
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
!
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

L2TP-Server#
For configuring the L2TP/IPsec client on Windows 7, see my other post on this blog.


A Cisco router can be used as a VPN server, using PPTP, so that clients on the internet can access the private network.

Below are the steps for configuring PPTP on a Cisco router.
1. Enable AAA authentication and create a user:

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
username cisco password cisco
2. Enable VPDN and configure a VPDN group:
vpdn enable
!
!
vpdn-group PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
3. Create the Virtual-Template:
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
4. Create an IP pool for the users:
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
5. Test your configuration.

Complete configuration on the Cisco router:
PPTP-Server#sh run
Building configuration...

Current configuration : 5669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PPTP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WMq0$BZpIxsWnzmEI0fCvWADGd0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name ipnetconfig.com
ip name-server 192.168.0.1
ip ssh version 2
vpdn enable
!
!
vpdn-group PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
!
!
username root privilege 15 secret 5 $1$E1t3$.GKaPz1xFuph9r/fRqxTO.
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

PPTP-Server#
To configure PPTP client on Windows 7, see my post How To Configure PPTP Client On Windows 7.
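The audit script below is an added example, not code from the L2TP/IPsec or PPTP posts above: it scans a condensed copy of the two running configs for the settings a defender would flag before exposing the router to the internet (3DES and DH group 2 in IKE, a pre-shared key bound to 0.0.0.0 0.0.0.0 so every peer shares it, 40-bit MPPE, MS-CHAP v1, PPTP, clear-text HTTP management, and passwords stored unencrypted). The CHECKS table and its messages are my own; the matching is line by line and does not track which policy or interface a line sits under.

```python
import re

# (regex applied to each stripped config line, finding text)
CHECKS = [
    (r"^no service password-encryption$", "line and user passwords stored in clear text"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", "wildcard pre-shared key shared by every peer"),
    (r"^encr 3des$", "IKE policy uses 3DES"),
    (r"^group [12]$", "IKE policy uses a 768/1024-bit Diffie-Hellman group"),
    (r"^crypto ipsec transform-set \S+ .*esp-3des", "IPsec transform set uses 3DES"),
    (r"^ppp encrypt mppe 40", "40-bit MPPE encryption"),
    (r"^ppp authentication .*\bms-chap\b(?!-v2)", "MS-CHAP v1 accepted for PPP authentication"),
    (r"^protocol pptp$", "PPTP VPDN group (depends on MS-CHAP and MPPE)"),
    (r"^ip http server$", "clear-text HTTP management enabled"),
]

def audit_config(config_text: str) -> list:
    """Return (line_number, config_line, finding) for every weak setting found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for pattern, message in CHECKS:
            if re.search(pattern, line):
                findings.append((number, line, message))
    return findings

# Condensed from the two running configs shown in the posts above.
SAMPLE_CONFIG = """\
no service password-encryption
aaa new-model
vpdn-group PPTP
 accept-dialin
  protocol pptp
  virtual-template 2
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
interface Virtual-Template1
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
interface Virtual-Template2
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
ip http server
"""

if __name__ == "__main__":
    for number, line, message in audit_config(SAMPLE_CONFIG):
        print(f"line {number:2d}: {line:55s} -> {message}")
```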


Since a route reflector is a way of simplifying and scaling the iBGP configuration, it is recommended if you have many routers in your AS.

Configuring a route reflector on a Cisco router is really simple.
1. On the route reflector, add the command

neighbor <client ip address> route-reflector-client
2. On the client router, use an ordinary BGP configuration.

The BGP configuration template on the route reflector will be:
router bgp xxxx
neighbor y.y.y.y remote-as zzzz
neighbor y.y.y.y route-reflector-client

On the client side, the BGP configuration is as usual.

Example
Router 1 is the route reflector; it peers with Router 2, a route reflector client, and with Router 3, a non-client router. The BGP configuration will be like this.

Router 1 Configuration:
router bgp 65535
neighbor 10.1.2.4 remote-as 65535
neighbor 10.1.2.4 update-source loopback0
neighbor 10.1.2.4 route-reflector-client
neighbor 10.1.2.5 remote-as 65000
neighbor 10.1.2.5 update-source loopback0

Router 2 Configuration:

router bgp 65535
neighbor 10.1.2.3 remote-as 65535
neighbor 10.1.2.3 update-source loopback0
Router 3 Configuration:

router bgp 65000
neighbor 10.1.2.3 remote-as 65535
neighbor 10.1.2.3 update-source loopback0


Cisco supports EIGRP as the PE-CPE routing protocol in MPLS VPN. It works just like any other PE-CPE routing protocol, and the mechanism is the usual one: EIGRP on the PE talks to EIGRP on the CPE to exchange routes, the routes received from the CPE are redistributed into MP-BGP (multiprotocol BGP) running under the VRF address family, and EIGRP receives all the VPN routes by redistribution from MP-BGP under that same address family.


Example Configuration

BGP Configuration

router bgp 65000
no synchronization
neighbor 10.10.10.1 remote-as 65000
neighbor 10.10.10.1 update-source loopback0
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 send-community extended
exit-address-family
address-family ipv4 vrf TEST
redistribute eigrp 100
no synchronization
exit-address-family

EIGRP Configuration

router eigrp 1
address-family ipv4 vrf TEST
network 192.168.1.0 0.0.0.255
redistribute bgp 65000 metric 10000 100 255 1 1500
autonomous-system 100
exit-address-family

EIGRP 100, the EIGRP autonomous system running between PE and CPE, is redistributed into BGP so that the routes received from the CPE by EIGRP can be sent across the MPLS network and received by the other PEs. Likewise, the routes from BGP AS 65000 are redistributed into EIGRP so that they can be sent to the CPE through EIGRP 100. The autonomous-system number under the EIGRP address family is the autonomous system running on the CPE router.


This procedure is used to recover the password on Catalyst 2900, 3500, and 3750 series switches.
1. Connect to the switch through the console.
2. Unplug the power cable.
3. Hold down the Mode button while reconnecting the power cable, until you get the switch: prompt. Release the button according to the table below:


Catalyst switch series: LED behavior and Mode button release action

2900XL, 3500XL, 3550: Release the Mode button when the LED above port 1x goes out.
2940, 2950: Release the Mode button after approximately 5 seconds, when the Status (STAT) LED goes out. When you release the Mode button, the SYST LED blinks amber.
2960, 2970: Release the Mode button when the SYST LED blinks amber and then turns solid green. When you release the Mode button, the SYST LED blinks green.
3560, 3750: Release the Mode button after approximately 15 seconds, when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

4. Type flash_init
switch: flash_init
5. Issue the load_helper command
switch: load_helper
6. Issue the dir flash: command
switch: dir flash:
7. Type rename flash:config.txt flash:config.old to rename the configuration file
switch: rename flash:config.txt flash:config.old
8. Issue the boot command to boot the system
switch: boot
9. Enter "n" to abort the initial configuration dialog
10. Enter enable mode
switch>en
switch#
11. Restore the configuration file using rename flash:config.old flash:config.txt
switch#rename flash:config.old flash:config.txt
12. Copy the configuration file into memory
switch#copy flash:config.txt system:running-config
13. Overwrite the current passwords
switch#conf t
switch(config)#ena sec cisco
switch(config)#line vty 0 4
switch(config-line)#login
switch(config-line)#pass cisco
switch(config-line)#line con 0
switch(config-line)#pass cisco
switch(config-line)#end
14. Save the configuration
switch#wr mem


Sometimes you lose your router password, or you start work as a network administrator in a new place where nobody knows the password of the company router. Here is the procedure for recovering the password.

1. Connect to your router through the console
2. Power off your router
3. Power on while pressing Ctrl-Break until you get the ROMMON prompt
4. Type confreg 0x2142 at ROMMON
rommon>confreg 0x2142
5. Type reset to reboot the router
rommon>reset
6. Type no when the router prompts to use the automatic configuration dialog
7. Type enable to get into privileged (enable) mode
Router>enable
Router#
8. Type copy start run. When you show run, you will see the old configuration
Router#copy start run
9. Change the vty line password, the console password, and the enable password
Router#conf t
Router(config)#ena sec cisco
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line con 0
Router(config-line)#pass cisco
10. Change the configuration register back to 0x2102
Router(config)#config-register 0x2102
11. Quit configuration mode, then save the configuration
Router(config)#end
Router#copy run start
or
Router#wr mem
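The decoder below is an added example, not part of the post: it explains why step 4 and step 10 use 0x2142 and 0x2102 by decoding the configuration register bits Cisco documents for confreg (boot field in bits 0-3, bit 6 ignore NVRAM, bit 8 break disabled, bit 13 boot default ROM if network boot fails), and gives a post-recovery check for the register value a router is left with. The function names and the wording of the issues are my own.

```python
# Configuration register bits, as documented by Cisco for the confreg command.
BOOT_FIELD_MASK = 0x000F   # bits 0-3: 0x0 stay in ROMMON, 0x1 first image in flash,
                           #           0x2-0xF follow the boot system commands
IGNORE_NVRAM = 0x0040      # bit 6: ignore the startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100    # bit 8: ignore the Break key after the router has booted
ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: boot default ROM software if network boot fails

def describe(register: int) -> dict:
    """Decode the bits of a configuration register value."""
    return {
        "boot_field": register & BOOT_FIELD_MASK,
        "loads_startup_config": not (register & IGNORE_NVRAM),
        "break_disabled": bool(register & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(register & ROM_IF_NETBOOT_FAILS),
    }

def recovery_register(current: int) -> int:
    """Value to set in ROMMON for recovery: the current value with NVRAM ignored."""
    return current | IGNORE_NVRAM

def restored_register(current: int) -> int:
    """Value to set back after recovery so the saved configuration loads again."""
    return current & ~IGNORE_NVRAM

def post_recovery_issues(register: int) -> list:
    """Checks to run after step 10: the router must load its config on the next reboot."""
    issues = []
    if register & IGNORE_NVRAM:
        issues.append("startup-config is ignored: every reboot comes up unconfigured")
    if (register & BOOT_FIELD_MASK) == 0x0:
        issues.append("boot field 0x0: the router stops in ROMMON on reboot")
    return issues

if __name__ == "__main__":
    for value in (0x2102, 0x2142):
        print(hex(value), describe(value), post_recovery_issues(value))
```

The last check is worth running against show version on every router after a recovery: a router left at 0x2142 boots with an empty configuration, so all access controls are gone after the next reload.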


Configuring NAT, and exempting addresses from NAT, is pretty simple. It is just a matter of configuring a nat statement and a matching global statement: the nat ID corresponds to the global ID with the same number. For example, if you want all traffic from the inside interface to be translated to the outside interface IP address when going to the internet through the outside interface, configure this:


nat (inside) 1 0 0
global (outside) 1 interface

If you do not want a particular network to be translated, for example 192.168.1.0/24, configure it like this (nat ID 0 means no translation for the listed addresses):

nat (inside) 0 192.168.1.0 255.255.255.0


Configuring RIP as the routing protocol between PE and CPE on an MPLS VPN covers three steps.
1. Configure RIP on the CPE
2. Configure RIP at the address-family level on the MPLS PE
3. Redistribute RIP into BGP and vice versa on the MPLS PE


Configure RIP on the CPE.
Cpe(config)#router rip
Cpe(config-router)#version 2
Cpe(config-router)#network 10.0.0.0

Configure RIP on the MPLS PE, under the VRF address family.
Pe(config)#router rip
Pe(config-router)#version 2
Pe(config-router)#address-family ipv4 vrf NETWORKING-PARTNER
Pe(config-router-af)#network 10.0.0.0

Redistribute BGP into RIP under the VRF address family, so that routes from the other PEs can be sent to the CPE.
Pe(config-router-af)#redistribute bgp 65000 metric 1

Redistribute RIP into MP-BGP so that routes from the CPE can be sent to the other PEs.
Pe(config)#router bgp 65000
Pe(config-router)#address-family ipv4 vrf NETWORKING-PARTNER
Pe(config-router-af)#redistribute rip


Configuring BGP on a Cisco router is simple enough. Before you start configuring BGP, there are two things to consider:
1. BGP only advertises a route that exists in the IGP routing table.
2. BGP network statements are classful: you must include the mask in the network statement if the network is not a classful network.


Steps for configuring BGP
1. Check whether the network you want to advertise is in the IGP routing table. Simply check the routing table on the router. For example, if you want to advertise network 192.168.1.0/24, type this command:
router#show ip route 192.168.1.0

If the network exists in the routing table, you can go to the next step; but if it does not exist, or only more specific routes exist, you need to add a static route for the network to Null0 with a high enough administrative distance. Example:
router(config)#ip route 192.168.1.0 255.255.255.0 null0 255

2. Configure BGP. Say your AS is 65000, your neighbor's AS is 65001, and the peer IP is 10.10.10.2:
router(config)#router bgp 65000
router(config-router)#neighbor 10.10.10.2 remote-as 65001
router(config-router)#network 192.168.1.0 mask 255.255.255.0

That's it. If everything is OK, you can see that the BGP session is up:
router#sho ip bgp sum

The result will be something like this:
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 65001 382168 300922 537070 0 0 13w0d 5007

When the state shows Active or Idle, the session is not up. Check connectivity with ping, or try telnet to port 179 (BGP uses TCP port 179); if the port is not open, something is blocking port 179 and BGP cannot come up.
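The parser below is an added example, not part of the post: it reads the rows of show ip bgp summary, treating a numeric State/PfxRcd column as Established and anything else (Idle, Connect, Active, OpenSent, OpenConfirm, Idle (Admin)) as a session that is down, and lists the neighbors to troubleshoot. The first sample row is the one from the post; the other two are constructed.

```python
SUMMARY_COLUMNS = ("Neighbor", "V", "AS", "MsgRcvd", "MsgSent", "TblVer",
                   "InQ", "OutQ", "Up/Down", "State/PfxRcd")

def parse_bgp_summary(output: str) -> list:
    """Parse the neighbor rows of 'show ip bgp summary' into dicts.

    The last column is a prefix count when the session is Established and the
    FSM state name otherwise. 'Idle (Admin)' contains a space, so each row is
    split into at most 10 fields and the remainder is kept whole."""
    rows = []
    for line in output.splitlines():
        fields = line.split(None, 9)
        if len(fields) != 10 or not fields[0][0].isdigit():
            continue  # header, banner or blank line
        row = dict(zip(SUMMARY_COLUMNS, fields))
        last = row["State/PfxRcd"]
        row["established"] = last.isdigit()
        row["prefixes_received"] = int(last) if last.isdigit() else None
        rows.append(row)
    return rows

def sessions_down(output: str) -> list:
    """(neighbor, state) for every session that is not Established: these are
    the peers to check with ping and a TCP port 179 connectivity test."""
    return [(r["Neighbor"], r["State/PfxRcd"])
            for r in parse_bgp_summary(output) if not r["established"]]

# First row copied from the post; the other two rows are constructed samples.
SAMPLE_OUTPUT = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.2      4 65001  382168  300922   537070    0    0 13w0d        5007
10.10.10.6      4 65002       0       0        0    0    0 never       Active
10.10.10.10     4 65003       0       0        0    0    0 never  Idle (Admin)
"""

if __name__ == "__main__":
    for neighbor, state in sessions_down(SAMPLE_OUTPUT):
        print(f"{neighbor}: session not established ({state})")
```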

To check the routes that you received:
sh ip bgp neigh 10.10.10.2 received-routes

To check the routes that you send:
sh ip bgp neigh 10.10.10.2 advertised-routes

Using Next-Hop Self
BGP only advertises networks that have a valid next hop, and the next hop is usually resolved through the IGP routing table. On a border router that connects to both internal and external routers, it is good to use next-hop-self for the following reasons:
1. Sometimes you do not redistribute the connected interfaces into the IGP routing protocol
2. For stability

With the next-hop-self feature, the next-hop address of external BGP routes advertised to internal peers is set to an address inside the local AS (the border router's own address).
Configuring next-hop-self on a Cisco router is simple.
router(config)#router bgp 65000
router(config-router)#neighbor 172.16.1.1 remote-as 65000 ----> internal peer
router(config-router)#neighbor 172.16.1.1 next-hop-self