877W Router will not access web

admin_2
Level 3

I recently purchased a 877W for use at the centre of a mixed wired and wireless home LAN.

Using the SDM facility I was able to configure the unit with partial success. Wireless is fine and the WAN interface is up; however, none of the existing users can access any web content. Skype is fine; two-way conversations are possible. Can anybody give any guidance as to what the problem might be?

Thank you in advance

Danilo Dy
VIP Alumni

Can you post the config?

Not applicable

Yes of course Medan, sorry, foolish of me not to have done so already; will do it later this evening when I get home. Thank you for coming back.

Not applicable

Here's the running config...

Sorry I keep trying to post but the server keeps

I'm getting tired of this Cisco server already, I keep trying to Post and all I get is this HTTP Status 404 - /eforum/servlet/null... but true to Cisco form it does still post a blank entry...so yet another hurdle to climb over to achieve the objective of having a working router. I'll bet this posts though..

Not applicable

Ok here's the first half.. can't get the attachment facility to work so cut and paste half running conf each time...

Current configuration : 6928 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CISCO877W

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 debugging

logging console critical

enable secret xxx

!

no aaa new-model

!

resource policy

!

clock timezone PCTime 0

clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00

ip subnet-zero

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.3.1 192.168.3.5

!

ip dhcp pool sdm-pool1

import all

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

!

!

ip inspect name DEFAULT100 cuseeme

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 netshow

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

ip tcp synwait-time 10

no ip bootp server

ip domain name de-pulford.com

ip name-server 194.x.x.114

ip name-server 62.x.x.162

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto pki trustpoint TP-self-signed-3702453916

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3702453916

revocation-check none

rsakeypair TP-self-signed-3702453916

!

!

crypto pki certificate chain TP-self-signed-3702453916

certificate self-signed 01

quit

username xxx privilege 15 secret xxxx

!

!

!

bridge irb

!

!

From what I can see of the first half of your config (can't see the rest of it, so not sure), it looks like your inspect rules aren't configured for HTTP, so if you have inspect applied to your external interface for CBAC then it wouldn't be creating the return path for HTTP traffic.

Not applicable

And the second half....

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Dot11Radio0

no ip address

!

encryption key 1 size 128bit xxx transmit-key

encryption mode wep mandatory

!

ssid WIRELESS_LAN

authentication open

guest-mode

infrastructure-ssid optional

wpa-psk ascii xxx

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

no ip address

ip tcp adjust-mss 1452

bridge-group 1

!

interface Dialer0

description $FW_OUTSIDE$

ip address 217.x.x.59 255.255.0.0

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect DEFAULT100 out

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxx

ppp chap password xxx

ppp pap sent-username A639590@hg40.btclick.com password xxxx

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.3.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny ip 217.36.0.0 0.0.255.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59

access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59

access-list 101 deny ip 192.168.3.0 0.0.0.255 any

access-list 101 permit icmp any host 217.36.210.59 echo-reply

access-list 101 permit icmp any host 217.36.210.59 time-exceeded

access-list 101 permit icmp any host 217.36.210.59 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Actually, by allowing the traffic in, the INSPECT rules aren't actually working for you. The way to set up CBAC is to deny everything on the inbound access list, i.e. in your case 101. Permitting the ICMP and specific hosts is OK, as they are to allow inbound for pings and access for specific external hosts.

So you need to add in the 'ip inspect name DEFAULT100 http' rule as per my previous post, and one for https; then the rule on your Dialer0 interface, 'ip inspect DEFAULT100 out', will do its job and automatically create inbound rules for http and https traffic, the same way it is doing it for Skype.

Cheers,

Peter

Not applicable

The access-list 101 permits some udp and icmp traffic and then it denies all ip traffic. I suggest you remove it from int dialer0 and see if you get connectivity. Once you get connected, you can redesign the list and apply it to dialer0.

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59

access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59

access-list 101 deny ip 192.168.3.0 0.0.0.255 any

access-list 101 permit icmp any host 217.36.210.59 echo-reply

access-list 101 permit icmp any host 217.36.210.59 time-exceeded

access-list 101 permit icmp any host 217.36.210.59 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any
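
The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a small Python evaluator for the static entries of access-list 101 as posted. It does not model the temporary openings that CBAC inspection places ahead of the ACL, and the packet addresses used to exercise it (such as 203.0.113.10) are constructed.

```python
import ipaddress

# ACL 101 as posted in the thread (remark lines omitted).
ACL_101 = """\
permit udp host 62.6.40.162 eq domain host 217.36.210.59
permit udp host 194.72.0.114 eq domain host 217.36.210.59
deny ip 192.168.3.0 0.0.0.255 any
permit icmp any host 217.36.210.59 echo-reply
permit icmp any host 217.36.210.59 time-exceeded
permit icmp any host 217.36.210.59 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
"""
PORTS = {"domain": 53}  # only the port name this ACL uses

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _hit(spec, ip):  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | spec[1]) == (spec[0] | spec[1])

def first_match(acl, proto, src, dst, sport=None, icmp=None):
    """Return (entry number, action) of the first entry the packet matches."""
    for n, line in enumerate(acl.splitlines(), 1):
        tok = line.split()
        action, rproto = tok.pop(0), tok.pop(0)
        rsrc = _addr(tok)
        rsport = PORTS[tok[1]] if tok[0] == "eq" else None  # source port
        tok = tok[2:] if rsport is not None else tok
        rdst = _addr(tok)
        ricmp = tok[0] if tok else None  # trailing ICMP type name, if any
        if (rproto in ("ip", proto) and _hit(rsrc, src) and _hit(rdst, dst)
                and rsport in (None, sport) and ricmp in (None, icmp)):
            return n, action
    return None, "deny"  # implicit deny that ends every ACL
```

Calling `first_match(ACL_101, "tcp", "203.0.113.10", "217.36.210.59", sport=80)` shows a web server's reply falling through to the final `deny ip any any`, while a DNS reply from 62.6.40.162 matches the first entry.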

Not applicable

Thank you ahmednaas for coming back on my problem, seems blindingly obvious now that you've identified it...dohhhh, but much obliged though.

Regards

Not applicable

Thank you Gentlemen, problem solved.
