Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

861 configuration

Hello:

I'm having problems getting a 861 router on line through a cable broadband connection with 1 static ip address.  I have been able to NAT the internal and external ip and get on line but I don't think that this is proper.  Another issue is that when the two interfacees are natted, I cannot access a web server on the lan, the incoming http requests are answered by the web server in the router.  Any help on this would be greatly apperciated!

Scott

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname cisco861

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 $1$vwb3$TySirxZ.lm.YbMJNhhMQg1

!

no aaa new-model

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-3394879082

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3394879082

revocation-check none

rsakeypair TP-self-signed-3394879082

!

!

crypto pki certificate chain TP-self-signed-3394879082

certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33333934 38373930 3832301E 170D3036 30313032 31323030

  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393438

  37393038 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100F2A0 4D17DD07 6C76F385 E6F456EE 141C0F91 CA7C1175 B176CB8C A273E17D

  511530C9 850FBDCC 67670E5F 54E05D4F A33A083E 42E819F8 F7B4FD22 3C2C2219

  0EF72883 2F767849 7950307A A74D8CFA D44E2D6B D625D237 0C8C8DAF FE8B331D

  50EB2945 0187BDDA A56F05D1 9AB8DB22 05DDC74D 889FC0F5 74F6571B 8F5B1013

  AE7B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603

  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D

  301F0603 551D2304 18301680 14C27593 1F059686 3996F59E 93DBC11B 0E845AC9

  C8301D06 03551D0E 04160414 C275931F 05968639 96F59E93 DBC11B0E 845AC9C8

  300D0609 2A864886 F70D0101 04050003 818100DB 0FACA18D E9309BDD E742EA7A

  466B4562 945E8B25 9F5AAA74 2BE96A84 56547501 5D7FD1B6 618BFFCB 81001151

  3EFE5F89 0C752ECB 541885CD FCCF81E8 863BA75F 0F950D1A C8B631E9 1C77CA99

  7CA4C0B1 673DE637 4A953E58 0D11A85D 9CFC91B2 6DEF2E4E 527F1207 56B98BA6

  12E0F3CF 6CACE2C1 6CCCB16A 0CDDF155 E10A4A

  quit

no ip source-route

!

!

ip dhcp excluded-address 172.20.1.1 172.20.1.239

!

ip dhcp pool ccp-pool1

   import all

   network 172.20.1.0 255.255.255.0

   dns-server 65.24.0.168 4.2.2.2

   default-router 172.20.1.10

!

!

ip cef

no ip bootp server

ip name-server 65.24.0.168

ip name-server 4.2.2.2

!

!

license udi pid CISCO861-K9 sn FTX160784JB

!

!

username admin privilege 15 secret 5 $1$0TUG$bh270ROcyZGOINj0Ixisw/

!

!

ip tcp synwait-time 10

!

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $FW_OUTSIDE$$ES_WAN$

ip address 24.106.44.210 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security out-zone

duplex auto

speed auto

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 172.20.1.10 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 24.106.44.209

!

logging trap debugging

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 24.106.44.208 0.0.0.3 any

no cdp run

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Everyone's tags (1)
2 REPLIES
Hall of Fame Super Gold

861 configuration

Scott

Your description says that you were able to get address translation working to be able to get on line. But I do not see any evidence of that in the config that you posted. So there is not much that I can say about that other than to observe that it is a common solution to do nat overload when the router has a single public IP configured on the outside interface.

Do I understand correctly that you have a web server on your inside network that you want to be accessed from the Internet. To support that you generally need a static address translation. And that gets tricky when you only have a single public IP address. Usually when networks have servers inside that are accessed from the Internet they have negotiated with the ISP for more than one public address.

HTH

Rick

Community Member

861 configuration

Hi Rick - I did remove NAT from this config thinking that I first needed to get connectivity through the default route alone.

Regarding the NAT situation to the web server (the web server is to a standalone http server for security cameras) I was using the "virtual IP" function of a fortinet 50b for this and it worked very well via a default route to the address of the server.

223
Views
0
Helpful
2
Replies
CreatePlease to create content