Showing posts with label Cisco 857. Show all posts

Tuesday, 11 September 2012

Cisco IOS - MOTD, Exec and Login Banner

There are a few banners that you can have on your Cisco router: the Login banner, the MOTD (Message of the Day) banner and the EXEC banner.

These banners have been put onto a Cisco 857 router, but the commands should work on most Cisco routers that have the CLI.

Message of the Day (MOTD) - Shown before the login prompt. For temporary messages that may change from time to time, such as “Router1 down for maintenance at midnight.”

Login - Shown before the login prompt but after the MOTD banner. For permanent messages such as “Unauthorized Access Prohibited.”

Exec - Shown after the login prompt. Used to supply information that should be hidden from unauthorized users.

I have all three banners on my router, the MOTD banner, Exec banner and Login banner; I did this just as an example of how to create them and also because they look great.

They are really easy to do; follow the steps below to enable the banner you want to put onto your router.

Exec Banner
Log in to your router via console cable or via telnet.
Type enable and then press Enter.
Then you need to go into config mode by typing "conf t" and pressing Enter.
Type banner exec $ (the $ can be replaced by any symbol, but you must not use that symbol in your banner text as it marks the end of your banner).
I save the text that I want to input in a Notepad file first, so that I can manipulate it more easily, then I copy and paste it in line by line.
When you have finished, make sure that you put in the $ symbol (or the same symbol that you used at the start of the command) and press the Enter key, followed by "end" to exit config mode, then "wr" to write the config back to the router.


MOTD Banner
Log in to your router via console cable or via telnet.
Type enable and then press Enter.
Then you need to go into config mode by typing "conf t" and pressing Enter.
Type banner motd $ and then press Enter (the $ can be replaced by any symbol, but you must not use that symbol in your banner text as it marks the end of your banner).
I save the text that I want to input in a Notepad file first, so that I can manipulate it more easily, then I copy and paste it in line by line.
When you have finished, make sure that you put in the $ symbol (or the same symbol that you used at the start of the command) and press the Enter key, followed by "end" to exit config mode, then "wr" to write the config back to the router.



Login Banner
Log in to your router via console cable or via telnet.
Type enable and then press Enter.
Then you need to go into config mode by typing "conf t" and pressing Enter.
Type banner login $ and then press Enter (the $ can be replaced by any symbol, but you must not use that symbol in your banner text as it marks the end of your banner).
I save the text that I want to input in a Notepad file first, so that I can manipulate it more easily, then I copy and paste it in line by line.
When you have finished, make sure that you put in the $ symbol (or the same symbol that you used at the start of the command) and press the Enter key, followed by "end" to exit config mode, then "wr" to write the config back to the router.
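
The delimiter rule from the steps above, as an added example that is not part of the original post: a small Python helper that builds the lines to paste for a banner, choosing a delimiter that does not occur in the text, and a reader that models how the first delimiter ends the banner. The candidate delimiter list, the function names and the sample text are assumptions made for illustration.

```python
KINDS = ("motd", "login", "exec")
CANDIDATES = "$#%~^@"  # hypothetical preference order for delimiters

def render_banner(kind, text, delimiter=None):
    """Return the lines to paste in config mode for one banner."""
    if kind not in KINDS:
        raise ValueError(f"unknown banner type: {kind}")
    if delimiter is None:
        # Pick the first candidate that never appears in the banner text.
        delimiter = next((c for c in CANDIDATES if c not in text), None)
        if delimiter is None:
            raise ValueError("every candidate delimiter occurs in the text")
    elif len(delimiter) != 1 or delimiter in text:
        raise ValueError(f"delimiter {delimiter!r} occurs in the banner text")
    return [f"banner {kind} {delimiter}", *text.splitlines(), delimiter]

def parse_banners(lines):
    """Model how pasted lines are read: the first delimiter ends the banner."""
    banners, kind, delim, body = {}, None, None, []
    for line in lines:
        if kind is None:
            parts = line.split()
            if len(parts) == 3 and parts[0] == "banner" and parts[1] in KINDS:
                kind, delim, body = parts[1], parts[2][0], []
            continue
        head, found, _ = line.partition(delim)
        if head or not found:
            body.append(head)  # keep blank lines, drop a bare closing delimiter
        if found:
            banners[kind] = "\n".join(body)
            kind = None
    return banners

# Constructed sample text, based on the example messages quoted in the post.
LOGIN_TEXT = "Unauthorized Access Prohibited."
MOTD_TEXT = "Router1 down for maintenance at midnight.\nBudget approved: $500"

if __name__ == "__main__":
    pasted = render_banner("login", LOGIN_TEXT) + render_banner("motd", MOTD_TEXT)
    print("\n".join(pasted))
    print(parse_banners(pasted))
    # Typing '$' as the delimiter anyway cuts the MOTD short at the dollar sign.
    print(parse_banners(["banner motd $", *MOTD_TEXT.splitlines(), "$"]))
```
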
login banner

Monday, 10 September 2012

Cisco IOS - Tips

If you have a Cisco 857 router and a VPN set up, you may notice that you can connect to the VPN but may not be able to connect to servers and other resources internally. I had a problem where I wanted to be able to connect to my server both externally and internally when on my VPN.

To achieve this you need to set up Bypass NAT and attach it to your ACL.

I did this by doing the following.

I first set up my ACL so that I had access to the local network when on the VPN.

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
Make sure to add the deny statement first.

I also added a third access-list, number 120, for matching IP addresses for the route-map I was about to create.
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

Once I had this in place I set up a route-map and named it Bypass-NAT.
route-map Bypass-NAT deny 10
match ip address 120
!
route-map Bypass-NAT permit 20

Once I saved all the above settings I then added two more extendable entries into my firewall as per below.

ip nat inside source static tcp 192.168.2.120 5800 122.***.***.*** 5800 route-map Bypass-NAT extendable
ip nat inside source static tcp 192.168.2.120 5900 122.***.***.*** 5900 route-map Bypass-NAT extendable

I added in my route-map. For this to be accepted you have to put in your external IP. Once you have put in the rules, connect to your VPN and try to connect to the server to check that this works, then disconnect and try connecting back to the server, but this time using your external IP address. The above rule is for me to connect to my laptop using VNC, which works on the private IP when on the VPN and also on the public IP when I'm not on the VPN.

I have also used these settings on my work Cisco 881 Router.
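
Why the deny statement has to come first, and what the route-map does to the static NAT entries, shown as an added example that is not part of the original post: a short Python evaluator for the access-list lines above using first-match, wildcard-mask semantics. It assumes 192.168.5.0/24 is the VPN client range; the destination addresses 192.168.5.10 and 203.0.113.7 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed from the access-list lines in the post (ACL 100 and ACL 120).
CONFIG = """\
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

def _spec(tokens):
    """Consume 'any' or 'address wildcard'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def parse_acls(text):
    """Map ACL number -> ordered list of (action, src_spec, dst_spec)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _spec(t[4:])
        dst, _ = _spec(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def _hit(ip, spec):
    # Wildcard bits set to 1 are "don't care", the inverse of a netmask.
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def acl_match(entries, src, dst):
    """Entries are checked top-down; first match wins, no match is an implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def nat_applies(acls, src, dst):
    """Bypass-NAT: 'deny 10' (match ACL 120) exempts, 'permit 20' matches the rest."""
    return acl_match(acls[120], src, dst) != "permit"

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    for dst in ("192.168.5.10", "203.0.113.7"):  # VPN client, internet host (constructed)
        print(dst, acl_match(acls[100], "192.168.2.120", dst),
              nat_applies(acls, "192.168.2.120", dst))
    # With the two ACL 100 lines swapped, the broader permit shadows the deny.
    print("reversed:", acl_match(acls[100][::-1], "192.168.2.120", "192.168.5.10"))
```
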