03-11-2007 12:34 AM - edited 03-03-2019 04:07 PM
I recently purchased a 877W for use at the centre of a mixed wired and wireless home LAN.
Using the SDM facility I was able to configure the unit with partial success. Wireless is fine and the WAN interface is up; however, none of the existing users can access any web content. Skype is fine; two-way conversations are possible. Can anybody give any guidance as to what the problem might be?
Thank you in advance
03-11-2007 08:52 AM
Can you post the config?
03-11-2007 09:56 AM
Yes, of course, Medan; sorry, foolish of me not to have done so already. Will do it later this evening when I get home. Thank you for coming back.
03-11-2007 02:08 PM
Here's the running config...
Sorry, I keep trying to post but the server keeps
I'm getting tired of this Cisco server already; I keep trying to post and all I get is this HTTP Status 404 - /eforum/servlet/null... but, true to Cisco form, it does still post a blank entry... so yet another hurdle to climb over to achieve the objective of having a working router. I'll bet this posts though...
03-11-2007 02:10 PM
OK, here's the first half... can't get the attachment facility to work, so I'm cutting and pasting half the running config each time...
Current configuration : 6928 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name de-pulford.com
ip name-server 194.x.x.114
ip name-server 62.x.x.162
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3702453916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3702453916
 revocation-check none
 rsakeypair TP-self-signed-3702453916
!
!
crypto pki certificate chain TP-self-signed-3702453916
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373032 34353339 3136301E 170D3032 30333031 30303231
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37303234
  35333931 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CF2F 1D5B83C3 A751D899 0FCEDE57 6E571AE6 15068DEB 5CEB1087 CF5DB01E
  2132ADED AB07CC25 6FD89701 7D8F98F7 C13A7C7A 0D107300 67B4FAE1 B0D68194
  3439A0A0 F46CABF6 2C998738 EE939714 FFF289EB 1CF46D4C 319F24B8 DE718EF1
  006B4128 51A3082D C9D81AA2 4183F1C2 C958DEC4 62883FEA 5EA46E36 735D3F0E
  E1AD0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
  551D1104 1C301A82 18434953 434F3837 37572E64 652D7075 6C666F72 642E636F
  6D301F06 03551D23 04183016 80145BD9 5F53ED32 DF72168B 7974E6AE 55791904
  2579301D 0603551D 0E041604 145BD95F 53ED32DF 72168B79 74E6AE55 79190425
  79300D06 092A8648 86F70D01 01040500 03818100 91DABE4A 1669FE66 9EC47F10
  B6678ABB 6E6652A6 21EA12E3 E0FDC073 B0D9FF9B B3217511 5CD07626 ED9E61D7
  A28B658B 1DCB4CAB 3DC3973D 27C2F085 302AC657 BF6FDEFB A160B5B7 77095FEF
  F68876EA 258D14FA C3FF7FC2 376B65F2 D8B7D3C1 4C8A0CF7 BB849239 600B815C
  D19581B9 7C42C971 2CE05E55 86D8A0A5 D1C219BA
  quit
username xxx privilege 15 secret xxxx
!
!
!
bridge irb
!
!
04-05-2007 06:58 AM
From what I can see of the first half of your config (can't see the rest of it, so not sure), it looks like your inspect rules aren't configured for HTTP; so if you have inspect applied to your external interface for CBAC, then it wouldn't be creating the return path for HTTP traffic.
03-11-2007 02:16 PM
And the second half....
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit xxx transmit-key
 encryption mode wep mandatory
 !
 ssid WIRELESS_LAN
    authentication open
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii xxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 217.x.x.59 255.255.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp pap sent-username A639590@hg40.btclick.com password xxxx
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 217.36.0.0 0.0.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59
access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59
access-list 101 deny ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host 217.36.210.59 echo-reply
access-list 101 permit icmp any host 217.36.210.59 time-exceeded
access-list 101 permit icmp any host 217.36.210.59 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
04-05-2007 07:08 AM
Actually, by allowing the traffic in, the INSPECT rules aren't actually working for you. The way to set up CBAC is to deny everything on the inbound access list, i.e. in your case 101. Permitting the ICMP and specific hosts is OK, as they are to allow inbound for pings and access for specific external hosts.
So you need to add in the 'ip inspect name DEFAULT100 http' rule as per my previous post, and one for https; then the rule on your Dialer0 interface, 'ip inspect DEFAULT100 out', will do its job and automatically create inbound rules for HTTP and HTTPS traffic, the same way it is doing it for Skype.
Cheers,
Peter
03-11-2007 04:33 PM
The access-list 101 permits some UDP and ICMP traffic and then it denies all IP traffic. I suggest you remove it from int Dialer0 and see if you get connectivity. Once you get connected, you can redesign the list and apply it to Dialer0.
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59
access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59
access-list 101 deny ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host 217.36.210.59 echo-reply
access-list 101 permit icmp any host 217.36.210.59 time-exceeded
access-list 101 permit icmp any host 217.36.210.59 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
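The fragment below is an added example, not part of any poster's config or of Cisco SDM output. It ties Peter's point (default-deny inbound ACL plus CBAC inspection outbound, with http/https inspection entries added) to ahmednaas's test (take the ACL off Dialer0 and see whether browsing works), and adds the checks a practitioner would run before and after. It assumes the names from the posted config: inspection set DEFAULT100, ACL 101, outside interface Dialer0. The LAN host 192.168.3.10 and the web server 203.0.113.10 in the sample show output are made up for illustration. One caveat worth knowing: the posted DEFAULT100 set already contains generic `tcp` and `udp` entries, and those are what open the return path for any outbound TCP or UDP session; the protocol-specific `http` entry adds application-layer inspection on top of that rather than replacing it, so checking `show ip inspect sessions` while a page is loading tells you more than reading the inspect list does.

```cisco
! Added example (not from the original thread). Assumes: inspection set
! DEFAULT100, inbound ACL 101 and outside interface Dialer0 as posted.
! Hosts in the sample show output are made up (192.168.3.10 LAN client,
! 203.0.113.10 web server).
!
! Step 1: add the application-layer entries Peter asks for. The generic
!         tcp/udp entries already in DEFAULT100 stay; they create the
!         return-path entries for any outbound TCP/UDP session.
configure terminal
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
!
! Step 2: the outside interface pairs default-deny inbound (ACL 101 as
!         posted, nothing to change) with stateful inspection outbound.
!         Shown only so the pairing is explicit.
interface Dialer0
 ip access-group 101 in
 ip inspect DEFAULT100 out
end
!
! Step 3: verify rather than guess. Browse to a web site from a LAN host,
!         then confirm CBAC opened a session for it and that ACL 101 hit
!         counts on the deny lines are not climbing in step with browsing.
! CISCO877W# show ip inspect sessions
! Established Sessions
!  Session 84A3F5C0 (192.168.3.10:49152)=>(203.0.113.10:80) http SIS_OPEN
! CISCO877W# show access-lists 101
! CISCO877W# show ip inspect config
!
! Step 4: ahmednaas's test, done safely. Detach the ACL at the interface
!         for the test instead of deleting it: 'no access-list 101' leaves
!         'ip access-group 101 in' pointing at a list that no longer exists,
!         which IOS treats as permit any. Either way the WAN side is
!         unfiltered except by NAT while the test runs, so re-attach as
!         soon as the result is known.
! configure terminal
! interface Dialer0
!  no ip access-group 101 in
! end
! ... browse from the LAN; if it now works, the ACL/inspect pairing is the
! ... problem, not the PPP link or DNS ...
! configure terminal
! interface Dialer0
!  ip access-group 101 in
! end
```

If the session line in Step 3 appears and the page still does not load, the inbound ACL is not what is dropping the traffic, and the next things to look at are DNS for the LAN clients (the DHCP pool imports the ISP's servers, so `show ip dhcp pool` and a lookup from a client are quick checks) and the MSS settings already on BVI1 and Vlan1.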
03-12-2007 12:47 AM
Thank you, ahmednaas, for coming back on my problem; it seems blindingly obvious now that you've identified it... dohhhh, but much obliged though.
Regards
03-12-2007 11:14 PM
Thank you Gentlemen, problem solved.