Cisco Support Community
New Member

Need help - cisco 887 clients can't connect to internet

Hi folks, need help. Bit of a newbie when it comes to Cisco gear. Purchased an 887 for my home office. ADSL ATM0 and Dialer get an address from my ISP, have tried to configure NAT but none of my clients can browse the internet. I can't ping outside the network but I can ping clients internally as my clients are connected via a switch, which is plugged in before the 887. I can get access to the router via the Command Line and CP Express and Config Pro seems to work. I'm stumped as to what might be wrong. Can someone take a look at my config and let me know what else to try? It may be my default route config but it looks correct to me.

Thanks

George

Building configuration...

Current configuration : 8900 bytes
!
! Last configuration change at 12:47:16 NewYork Wed Dec 14 2011 by elrooko
! NVRAM config last updated at 22:04:17 NewYork Wed Nov 30 2011
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$QaX9$6/I1yyUEptsC4QkS25CL2/
enable password 7 ******************
!
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
no ip routing
!
!
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.0.0.0
domain-name thedunphys.ca
default-router 10.1.1.1
dns-server 10.1.1.120 10.1.1.11
netbios-name-server 10.1.1.120 10.1.1.11
!
!
no ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username e***** privilege 15 password 7 *******************
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
pass
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
no ip route-cache
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
no ip route-cache
no atm ilmi-keepalive
!
interface ATM0.3 point-to-point
zone-member security out-zone
no ip route-cache
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
zone-member security in-zone
no ip route-cache
ip tcp adjust-mss 1412
!
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ******@ncf.ca password 7 ******************
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip nat inside source list 3 interface Dialer2 overload
ip route 10.1.1.0 255.255.255.0 Vlan1 2
ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.0.0.0 0.255.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 03345A1815182E5E4A58
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

11 REPLIES

Re: Need help - cisco 887 clients can't connect to internet

I have several questions for you.

1) Do you see the IP address assigned to the ATM0.3 p2p connection?

2) If you get an IP address from your PPPoE server, can you ping your default route?

3) I don't see any configuration for Dialer0? According to the first NAT statement there should be one configured.

ip nat inside source list 2 interface Dialer0 overload

ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25

ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80

ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443

ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp

Your default route is pointing to Dialer0 which I couldn't find in the configuration???

Purple

Need help - cisco 887 clients can't connect to internet

Hi,

1) ip routing is disabled so reenable it with the global config command  ip routing

2) ip cef is also disabled so same thing as 1: ip cef

3) your default route should point out dialer 2:

no ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp

ip route 0.0.0.0 0.0.0.0 dialer2

4) no ip nat inside source list 2 interface Dialer0 overload

5)

no ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25

no ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80

no ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443

ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25

ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80

ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443

6) int vlan 1

    no ip nat enable

7) add this command in global config: ip inspect log drop-pkt

Regards.

Alain

Don't forget to rate helpful posts.

Re: Need help - cisco 887 clients can't connect to internet

lol cadet, I didn't even notice ip routing was disabled

Need help - cisco 887 clients can't connect to internet

Hi George,

Modify the access-list 2 like below..

1. access-list 2 permit any any --->because you need to access from any LAN pc to any in the outside.

2. no ip nat inside source list 2 interface Dialer0 overload
   ip nat inside source list 2 interface Dialer2 overload

3. Remove the "ip nat enable" command under the Vlan1 interface; it is not exactly required. If you keep it, the config type of your NAT statements will change.
See the explanation below for the same.
https://learningnetwork.cisco.com/message/124959

Please rate the helpful posts.
Regards,
Naidu.

New Member

Need help - cisco 887 clients can't connect to internet

Hi guys - thanks for the help, still no access. Running config is now posted below. Anyone else have any ideas?


Building configuration...

Current configuration : 8731 bytes
!
! Last configuration change at 09:10:28 NewYork Thu Dec 15 2011 by elrooko
! NVRAM config last updated at 09:07:34 NewYork Thu Dec 15 2011 by elrooko
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ***********
enable password 7 ***********
!
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
   quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
   import all
   network 10.0.0.0 255.0.0.0
   domain-name thedunphys.ca
   default-router 10.1.1.1
   dns-server 10.1.1.120 10.1.1.11
   netbios-name-server 10.1.1.120 10.1.1.11
!
!
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username *********** privilege 15 password 7 ***************
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect CCP_PPTP
  pass
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  pass
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
no atm ilmi-keepalive
!
interface ATM0.3 point-to-point
zone-member security out-zone
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username fl383@ncf.ca password 7 0701224A1C031C160E05081502
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443
ip nat inside source list 3 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.1.1.0 255.255.255.0 Vlan1 2
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.0.0.0 0.255.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 ***********
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Purple

Need help - cisco 887 clients can't connect to internet

Hi,

interface ATM0.3 point-to-point

ip nat outside

Also remove ip nat outside and ip nat enable from the physical interface.

If it ain't working then: sh ip nat translation


Regards.

Alain

Don't forget to rate helpful posts.
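
An added example, not part of any post in this thread: a small Python audit for the NAT and routing mistakes the replies above point out (`no ip routing`, NAT rules and routes naming an interface that is not defined, `ip nat enable` on an interface that also carries classic `ip nat inside`/`ip nat outside`), plus the standard requirement that classic NAT rules need an `ip nat inside` interface and `ip nat outside` on the interface they name. The two excerpts are constructed from the first and second posted configs with only the relevant lines kept; the function names and finding codes are this example's own.

```python
import re

# Constructed excerpts: only the routing/NAT lines of the first and second
# configs posted in this thread, with indentation restored.
FIRST_POST = """\
no ip routing
!
interface ATM0
 ip nat outside
 ip nat enable
!
interface Vlan1
 ip nat inside
 ip nat enable
!
interface Dialer2
 ip nat outside
!
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source list 3 interface Dialer2 overload
ip route 10.1.1.0 255.255.255.0 Vlan1 2
ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp
"""

SECOND_POST = """\
interface ATM0
 ip nat outside
 ip nat enable
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
interface Dialer2
 ip address negotiated
!
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source list 3 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.1.1.0 255.255.255.0 Vlan1 2
"""


def parse(config):
    """Return ({interface: [sub-commands]}, [global commands]).

    Blocks end at '!' rather than at a change of indentation, because forum
    pastes often lose their leading spaces.
    """
    interfaces, global_cmds, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
        elif (m := re.match(r"interface (\S+)", line)):
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            global_cmds.append(line)
    return interfaces, global_cmds


def audit(config):
    """Return ordered, de-duplicated (code, subject) findings."""
    interfaces, global_cmds = parse(config)
    findings = []

    def add(code, subject):
        if (code, subject) not in findings:
            findings.append((code, subject))

    if "no ip routing" in global_cmds:
        add("ROUTING_DISABLED", "global")

    nat_rules = [c for c in global_cmds if c.startswith("ip nat inside source ")]
    for cmd in nat_rules:
        m = re.search(r"\binterface (\S+)", cmd)
        if not m:
            continue  # pool-based rule: no interface name to check
        if m.group(1) not in interfaces:
            add("UNDEFINED_INTERFACE", m.group(1))
        elif "ip nat outside" not in interfaces[m.group(1)]:
            add("NAT_OUTSIDE_MISSING", m.group(1))

    for cmd in global_cmds:
        # Static routes whose next hop is an interface name, not an IP address
        m = re.match(r"ip route \S+ \S+ ([A-Za-z]\S*)", cmd)
        if m and m.group(1).lower() != "dhcp" and m.group(1) not in interfaces:
            add("UNDEFINED_INTERFACE", m.group(1))

    for name, cmds in interfaces.items():
        classic = "ip nat inside" in cmds or "ip nat outside" in cmds
        if classic and "ip nat enable" in cmds:
            add("NVI_MIXED_WITH_CLASSIC", name)

    if nat_rules and not any("ip nat inside" in c for c in interfaces.values()):
        add("NO_NAT_INSIDE", "global")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_POST), ("second post", SECOND_POST)):
        print(label, audit(cfg))
```

On the second excerpt the audit no longer reports Dialer0 or disabled routing, but it does report that no interface is marked `ip nat inside` and that Dialer2 lacks `ip nat outside`.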
New Member

Re: Need help - cisco 887 clients can't connect to internet

Really appreciate all the help. Still no dice. ip nat output is below

NAT OUTPUT

Router#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 69.196.181.162:25  10.1.1.120:25      ---                ---
tcp 69.196.181.162:80  10.1.1.120:80      ---                ---
tcp 69.196.181.162:443 10.1.1.120:443     66.110.7.180:18613 66.110.7.180:18613
tcp 69.196.181.162:443 10.1.1.120:443     ---                ---
Router#


Building configuration...

Current configuration : 8621 bytes
!
! Last configuration change at 11:12:40 NewYork Thu Dec 15 2011
! NVRAM config last updated at 09:58:47 NewYork Thu Dec 15 2011 by elrooko
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 **************
enable password 7 **************
!
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
   quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
   import all
   network 10.0.0.0 255.0.0.0
   domain-name thedunphys.ca
   default-router 10.1.1.1
   dns-server 10.1.1.120 10.1.1.11
   netbios-name-server 10.1.1.120 10.1.1.11
!
!
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username elrooko privilege 15 password 7 **************
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect CCP_PPTP
  pass
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  pass
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security out-zone
no atm ilmi-keepalive
!
interface ATM0.3 point-to-point
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ************** password 7 **************
no cdp enable
!
router rip
passive-interface Vlan1
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443
ip nat inside source list 2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.1.1.0 255.255.255.0 Vlan1 2
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 03345A1815182E5E4A58
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Re: Need help - cisco 887 clients can't connect to internet

Does the dialer-pool need to be 2 instead of 1?

Purple

Need help - cisco 887 clients can't connect to internet

Hi,

ip dhcp pool ccp-pool1
   import all
   network 10.0.0.0 255.0.0.0

interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0

Your DHCP pool must have the same mask as the VLAN interface, so change your pool to network 10.1.1.0 255.255.255.0

Also get rid of this: ip route 10.1.1.0 255.255.255.0 Vlan1 2. It serves no purpose, as this is a directly connected network already.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Resolved: Need help - cisco 887 clients can't connect to interne

So that wasn't it either... so in true fashion I reloaded the scratch OS config, started from the base config and applied changes based on the suggestions made by folks here. My config now works perfectly. Here is my final running config, with the firewall configured, my port forwarding enabled and NAT configured. Many thanks to everyone that helped out, much appreciated.


Building configuration...

Current configuration : 13799 bytes
!
! Last configuration change at 14:01:01 PCTime Thu Dec 15 2011
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 *******************
enable password 7 *******************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
ip port-map user-protocol--1 port tcp 1701
no ipv6 cef
!
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username elrooko privilege 15 view root secret 5 *******************
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 102
match protocol pptp
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  reset
class type inspect http ccp-app-httpmethods
  log
  reset
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-pptp-1
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ******************* password 7 *******************
!
ip forward-protocol nd
ip http server
ip http access-class 2
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source static tcp 10.1.1.11 1723 interface Dialer0 1723
ip nat inside source static tcp 10.1.1.11 1701 interface Dialer0 1701
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.1.1.11
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 073F205F5D1E16171343
authorization exec local_author
login authentication local_authen
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
end
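
A small offline check for the NAT differences between the non-working and working configs in this thread (an added example, not code from any poster or from Cisco). It reads a flattened IOS paste and reports a NAT rule whose egress interface lacks `ip nat outside`, a missing `ip nat inside`, `ip nat enable` mixed with classic NAT on one interface, and a NAT source ACL of `permit any`. The two excerpts are constructed from the configs posted above; the function names and finding codes are this example's own.

```python
import re

# Excerpts (constructed here) of the two configs posted in the thread, in the
# same flattened, "!"-separated form the forum paste uses.
BROKEN = """
interface ATM0.3 point-to-point
ip nat outside
ip nat enable
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
!
interface Dialer2
ip address negotiated
!
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source list 2 interface Dialer2 overload
access-list 2 permit any
"""

WORKING = """
interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Dialer0
ip address negotiated
ip nat outside
!
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
"""

NAT_RULE = re.compile(r"^ip nat inside source (?:list (\S+)|static .+?) interface (\S+)")

def parse(config):
    """Split a paste into {interface: [commands]} and a list of global commands."""
    ifaces, global_cmds, current = {}, [], None
    for line in filter(None, (raw.strip() for raw in config.splitlines())):
        if line == "!":
            current = None                      # "!" closes the interface block
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], [])
        elif current is not None:
            current.append(line)
        else:
            global_cmds.append(line)
    return ifaces, global_cmds

def audit(config):
    """Return finding codes for NAT role, egress-interface and ACL-scope problems."""
    ifaces, global_cmds = parse(config)
    found = []
    if not any("ip nat inside" in cmds for cmds in ifaces.values()):
        found.append("no-inside-interface")
    for name, cmds in ifaces.items():
        if "ip nat enable" in cmds and {"ip nat inside", "ip nat outside"} & set(cmds):
            found.append(f"mixed-nvi-and-classic:{name}")
    for m in filter(None, map(NAT_RULE.match, global_cmds)):
        acl, egress = m.groups()                # acl is None for static rules
        if "ip nat outside" not in ifaces.get(egress, []):
            found.append(f"egress-not-outside:{egress}")
        permits = [c.split()[3:] for c in global_cmds
                   if c.startswith(f"access-list {acl} permit ")]
        if acl and not permits:
            found.append(f"acl-missing:{acl}")
        elif ["any"] in permits:
            found.append(f"acl-permit-any:{acl}")
    return list(dict.fromkeys(found))           # de-duplicate, keep order

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(label, audit(cfg) or "no findings")
```

Because the parser only relies on `interface` lines and `!` separators, a full `show running-config` paste with its indentation stripped, as in this thread, can be fed to `audit()` unchanged.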
