Configuring a Cisco 877 in full bridge mode
Accessing the device
Recent OpenSSH clients no longer offer the only algorithms this device's sshd supports, so you will probably need to connect with:
ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss \
    -o KexAlgorithms=diffie-hellman-group1-sha1 \
    -o Ciphers=aes128-cbc,3des-cbc \
    -o MACs=hmac-md5,hmac-sha1 admin@192.168.0.1
Current OpenSSH releases have dropped diffie-hellman-group1-sha1, the CBC ciphers, hmac-md5 and the ssh-rsa/ssh-dss host key types from their defaults, while the sshd in this old IOS release offers nothing newer, so the key exchange fails unless the client re-enables them (there are OpenSSH bug reports on this here and here). These are weak algorithms: a 1024-bit DH group, CBC modes and an MD5 MAC. Enable them only for this one host on your LAN, never as a global client setting.
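Rather than typing those options every time, and rather than putting them in the global section of your client configuration where they would weaken every connection you make, the same settings can be scoped to this single host in ~/.ssh/config. This is an added example, not from the original post; the alias cisco877 is an assumption, the address and user are the ones used above:

```sshconfig
# ~/.ssh/config: legacy algorithms scoped to one old IOS device only.
# Added example; "cisco877" is an assumed alias, 192.168.0.1 and admin
# are the values used on this page.
Host cisco877
    HostName 192.168.0.1
    User admin
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1
```

After that, plain "ssh cisco877" connects, and every other host keeps the client's normal defaults. If your OpenSSH was built without DSA support (the default from 9.8 onwards), drop ssh-dss from HostKeyAlgorithms; the router's SSH host key is RSA in any case.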
Configuration of a Cisco 877 ADSL Modem
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <HOSTNAME>
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 <SECRET>
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authorization exec default local none
!
aaa session-id common
!
dot11 syslog
ip source-route
no ip routing
!
no ip cef
ip domain name <DOMAIN NAME>
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin privilege 15 secret 5 <SECRET>
username USER privilege 15 password 7 <SECRET>
!
archive
 log config
  hidekeys
!
ip ssh version 2
ip scp server enable
!
bridge irb
!
interface ATM0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 no ip address
 no ip route-cache
 bridge-group 1
!
interface BVI1
 ip address 192.168.0.1 255.255.255.252
 no ip route-cache
!
ip default-gateway 192.168.0.2
ip default-network 192.168.0.0
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list standard SSH_ACCESS
 ! This is a list of the addresses you want to allow
 permit <IP>
 permit <IP>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class SSH_ACCESS in
 ! These list names must match the aaa lists defined above
 authorization exec default
 login authentication local_auth
 transport input ssh
!
scheduler max-task-time 5000
end
Besides the obvious substitutions (hostname, domain name, and the source addresses permitted in SSH_ACCESS), check that the ATM0 settings match your ISP's line: the VPI/VCI pair in "pvc 8/35" and "encapsulation aal5snap" work for me but may not for you, since some ISPs use a different PVC or a different encapsulation. Also confirm that the list names under "line vty 0 4" are exactly the ones defined with "aaa authentication login" and "aaa authorization exec"; a misspelled list name means the line is not using the method you intended. "ip source-route" is harmless while "no ip routing" is set, but change it to "no ip source-route" if you ever turn routing back on. Finally, generate the password hashes as described below and replace every <SECRET>.
Generating the passwords
Type 5 secret (secret 5)
IOS type 5 is the MD5-crypt scheme ($1$salt$hash) that also appears in Unix shadow files, so OpenSSL can generate it. IOS uses a four-character salt, and the salt alphabet is ./0-9A-Za-z, so the "+" that openssl rand -base64 can emit must be mapped away. Leave the password argument off so that openssl prompts for it instead of leaving it in your shell history and in the process list:
openssl passwd -1 -salt "$(openssl rand -base64 3 | tr '+' '.')"
Put the output (the whole string from $1$ onwards) where <SECRET> follows "secret 5". Type 5 is a fixed 1000-round MD5 construction and cracks quickly offline, so it does not excuse a weak password; it is still far better than type 7. Newer IOS releases (15.3(3)M and later) add the PBKDF2-based type 8 and scrypt-based type 9, which this 12.4 image does not support.
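If you would rather not shell out to openssl, the same hash can be produced and checked in Python. The block below is an added example and not part of the original page: it implements the $1$ MD5-crypt construction that IOS type 5 uses, generates the four-character salt from the crypt alphabet, and verifies a candidate password against an existing hash (the function names are this example's own). Where the interpreter still ships the deprecated crypt module it also cross-checks its output against the C library's crypt(3).

```python
# Added example: IOS "secret 5" is the $1$ MD5-crypt scheme. This generates
# and verifies such hashes in pure Python (function names are this example's
# own, not from the page or from IOS).
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _b64_24(out: list, value: int, count: int) -> None:
    """crypt-style base64: `count` chars, least significant 6 bits first."""
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Poul-Henning Kamp's MD5-crypt ($1$), as crypt(3) and IOS type 5 compute it."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # alternate sum, repeated to password length
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000 rounds: cheap for offline cracking
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        _b64_24(out, (final[a] << 16) | (final[b] << 8) | final[c], 4)
    _b64_24(out, final[11], 2)
    return (MAGIC + salt + b"$").decode() + "".join(out)


def cisco_type5(password: str, salt: Optional[str] = None) -> str:
    """Hash for 'enable secret 5' / 'username ... secret 5': 4-char salt from ./0-9A-Za-z."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    if len(salt) != 4 or any(ch not in ITOA64 for ch in salt):
        raise ValueError("IOS type 5 salt must be 4 characters from ./0-9A-Za-z")
    return md5_crypt(password.encode(), salt.encode())


def verify_type5(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a $1$salt$hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password.encode(), parts[2].encode()), stored)


def cross_check_with_libc(password: str = "Hello world!", salt: str = "etNnh7FA"):
    """Compare against the platform crypt(3) where Python still exposes it
    (the crypt module is deprecated since 3.11 and removed in 3.13).
    Returns None when that is unavailable, else True/False."""
    import warnings
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            import crypt
        except ImportError:
            return None
    if crypt.METHOD_MD5 not in crypt.methods:
        return None
    return crypt.crypt(password, "$1$" + salt + "$") == md5_crypt(password.encode(), salt.encode())


if __name__ == "__main__":
    import getpass
    # Prompting keeps the password out of argv and shell history.
    print(cisco_type5(getpass.getpass("Password for <SECRET>: ")))
```

Run it and paste the printed string after "secret 5". The verify function is the same computation an offline cracker runs per guess; with only 1000 MD5 rounds and a 4-character salt the scheme slows an attacker down very little, which is why the password itself has to be long.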
Type 7 password (password 7)
Type 7 is not a hash at all: it is a fixed XOR key stream with the starting offset stored in the first two digits, so anyone who obtains the configuration (a backup, a TFTP copy, a "show running-config" over the shoulder) recovers the plaintext instantly. Use it only where IOS insists on it; for the second account in the configuration above, "username USER privilege 15 secret 5 <SECRET>" is the better choice. To produce a type 7 string you can use this Perl script, thanks to m00nie.
#!/usr/bin/perl
# Cisco (type 7) password tool from www.m00nie.com :D
# Will either decrypt a _TYPE 7_ password from a cisco device
# or will encrypt a string so that it can be used in a cisco
# device.
#
# I made this code to learn more Perl and just out of interest
# about the type 7 "encryption". The decryption code is already
# and from a mailing list. The original header from that is below.
#
# Credits for original code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski <jbash@CISCO.COM>
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#
use strict;
use warnings;

# The fixed key stream every IOS image uses ("dsfd;kfoA,.iyewrkldJKDHSUB").
# A type 7 string is two decimal digits giving the starting offset into
# this array, followed by two hex digits per plaintext byte.
my @xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69,
             0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
             0x55, 0x42 );

while (1) {
    print "\n\n***************************************************************\n";
    print "* Cisco (type 7) password tool from www.m00nie.com :D         *\n";
    print "* Use for any malice or illegal purposes strictly prohibited! *\n";
    print "***************************************************************\n\n";
    print "1. Decrypt a password\n";
    print "2. Encrypt plain text\n";
    print "3. Quit\n\n";
    print "Pick either 1, 2 or 3: ";
    my $choice = <STDIN>;
    last unless defined $choice;    # EOF on stdin
    chomp $choice;
    if    ($choice eq '1') { decrypt() }
    elsif ($choice eq '2') { encrypt() }
    elsif ($choice eq '3') { exit }
    else  { print "$choice is not a valid option\n" }
}

sub decrypt {
    print "Enter the encrypted password: ";
    chomp (my $epass = <STDIN>);
    # Two-digit offset followed by an even number of hex digits.
    unless ($epass =~ /^(\d\d)((?:[0-9A-Fa-f]{2})+)$/) {
        print "\n$epass does not look like a type 7 password\n";
        return;
    }
    my ($s, $e) = ($1 + 0, $2);
    if ($s + length($e) / 2 > @xlat) {
        print "\nPassword runs past the end of this key stream\n";
        return;
    }
    my $dpass = "";
    for (my $i = 0; $i < length($e); $i += 2) {
        $dpass .= sprintf "%c", hex(substr($e, $i, 2)) ^ $xlat[$s++];
    }
    print "\nEncrypted pass was: $epass\n";
    print "Decrypted pass is: $dpass\n";
}

sub encrypt {
    print "Enter the string to encrypt:\n";
    chomp (my $ptext = <STDIN>);
    # IOS picks a random offset between 0 and 15; this tool always uses 2,
    # which IOS accepts just the same since the offset is stored in the output.
    my $n = 2;
    if ($n + length($ptext) > @xlat) {
        print "\nString is too long for this key stream\n";
        return;
    }
    my $etext = sprintf("%02d", $n);
    for my $k (0 .. length($ptext) - 1) {
        my $tmp = ord(substr($ptext, $k, 1)) ^ $xlat[$n++];
        $etext .= sprintf("%02X", $tmp);
    }
    print "\nPlain string was: $ptext\n";
    print "Encrypted string is: $etext\n";
}
# eof
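The same operation in Python, with the random starting offset IOS itself uses and a scan over configuration lines to show how little work recovering every "password 7" in a leaked config takes. This is an added example, not m00nie's script or anything from the original page; it uses only the 26-byte key stream shown in the script, so like the script it covers passwords up to 26 minus the offset in length. The sample configuration lines are constructed for the demonstration and the function names are this example's own.

```python
# Added example: IOS type 7 encode/decode and a scan for "password 7" lines.
# Not m00nie's script; helper names are this example's own. Uses the 26-byte
# key stream shown in the Perl script, so it covers the same password lengths.
import re
import secrets
from typing import List, Optional, Tuple

# Same 26 bytes as @xlat in the Perl script: "dsfd;kfoA,.iyewrkldJKDHSUB".
XLAT = bytes([0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69,
              0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
              0x55, 0x42])


def type7_encode(plaintext: str, seed: Optional[int] = None) -> str:
    """Obfuscate like IOS: two-digit offset, then plaintext XOR key stream, in hex."""
    if seed is None:
        seed = secrets.randbelow(16)        # IOS chooses an offset in 0..15
    if not 0 <= seed <= 15:
        raise ValueError("offset must be 0..15")
    data = plaintext.encode()
    if seed + len(data) > len(XLAT):
        raise ValueError("plaintext runs past the end of this key stream")
    body = "".join(f"{b ^ XLAT[seed + i]:02X}" for i, b in enumerate(data))
    return f"{seed:02d}{body}"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext: no secret is needed, only the public table."""
    m = re.fullmatch(r"(\d\d)((?:[0-9A-Fa-f]{2})*)", encoded)
    if not m:
        raise ValueError("not a type 7 string")
    seed, data = int(m.group(1)), bytes.fromhex(m.group(2))
    if seed + len(data) > len(XLAT):
        raise ValueError("ciphertext runs past the end of this key stream")
    return bytes(b ^ XLAT[seed + i] for i, b in enumerate(data)).decode()


TYPE7_RE = re.compile(r"\bpassword 7 (\d{2}(?:[0-9A-Fa-f]{2})+)\b")


def recover_type7_from_config(config: str) -> List[Tuple[str, str]]:
    """Every 'password 7' line in a config dump with its plaintext: this is all
    an attacker holding a copy of the running-config has to do."""
    found = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample; both type 7 strings are "cisco", at offsets 2 and 0.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 <SECRET>
username USER privilege 15 password 7 02050D480809
line vty 0 4
 password 7 00071A150754
 transport input ssh
"""

if __name__ == "__main__":
    for where, plain in recover_type7_from_config(SAMPLE_CONFIG):
        print(f"{where!r} -> {plain!r}")
```

The encoder exists only so you can produce a value to paste into a config; the decoder is the part that matters for threat modelling, since the "secret 5" line in the same sample is untouched by it. Longer passwords in real configs run past the 26 bytes reproduced here; the full IOS key stream is longer, and decoders built on the complete table handle them.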