
866VAE - can't access web pages from LAN

picusciscus
Level 1

Hi everyone,

I've been fighting with a Cisco 866VAE-K9 for a few days. I have got an ADSL2+ line in the Cisco, I can ping anything from the router (like 8.8.8.8 or www.google.com), and the connection test in CCP runs successfully, but I can't access web pages from LAN computers. From the LAN I can ping any IP address on the internet (like 8.8.8.8), but I can't ping or access domain names of web pages (like www.google.com). I know there is probably something wrong in my config, but after 2 days of googling I can't find where the problem is. Can anybody help?

Here is my running config:

 
Building configuration...
 
Current configuration : 8181 bytes
!
! Last configuration change at 11:31:15 UTC Fri Mar 6 2015 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco_866vae
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 xx
enable password xx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
wan mode dsl
!
!
ip port-map user-protocol--1 port tcp 3500
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
 
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
 
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
 
!
!
!
crypto pki trustpoint TP-self-signed-2886901321
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2886901321
 revocation-check none
 rsakeypair TP-self-signed-2886901321
!
!
crypto pki certificate chain TP-self-signed-2886901321
 certificate self-signed 01
!
controller VDSL 0
!
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all ccp-cls--1
 match access-group name all
class-map type inspect match-all ccp-cls--2
 match access-group name all1
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
!
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls--1
  pass
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--2
 class type inspect ccp-cls--2
  pass
 class class-default
  drop
!
zone security out
zone security in
zone-pair security sdm-zp-in-out source in destination out
 service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-out-in source out destination in
 service-policy type inspect ccp-policy-ccp-cls--2
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
 zone-member security in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/48 
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 description $ETH-WAN$
 no ip address
 shutdown
 pppoe-client dial-pool-number 2
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id GigabitEthernet1
 ip tcp adjust-mss 1412
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in
 ip tcp adjust-mss 1412
!
interface Dialer1
 no ip address
!
interface Dialer2
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security out
 encapsulation ppp
 dialer pool 1
 dialer-group 3
 ppp authentication chap pap callin
 ppp chap hostname o2
 ppp chap password 0 o2
 ppp pap sent-username o2 password 0 o2
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat source list 101 interface Dialer2 overload
ip nat inside source static tcp 192.168.7.39 3500 interface Dialer2 3500
ip nat inside source list 101 interface Dialer2 overload
ip nat inside source route-map MAP_ACL interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 192.168.2.0 255.255.255.0 192.168.7.3 permanent
!
ip access-list extended NAT_ACL
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
ip access-list extended all
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended all1
 remark CCP_ACL Category=128
 permit ip any any
!
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
mac-address-table aging-time 15
!
route-map MAP_ACL permit 10
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 40 0
 password xxxxxxx
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 60000 1000
!
end

Peter Paluch
Cisco Employee

Hi,

I would be happy to help but I have one question first: Your configuration contains a lot of cruft generated from SDM/CCP and I am not sure if any of that is really required by you. Do you believe you would be fine with having this entire configuration trimmed down to do just what it's supposed to do (routing and NAT), and having security measures added in later? Just by the way, I do not believe you need the zone-based firewall. In your simple setup with just a few inside/outside interfaces, it does not add any real value apart from making the configuration virtually unreadable. We can easily do the same with IP Inspect.

Best regards,
Peter
