mistyfly

No HTTP access

I'm new to Ciscos and I managed to ban HTTP access on my 1841, possibly using an ACL. What's the best fault-finding method for me to use to try and rectify this? Do I need to attach the config?
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0/0/0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 
 ppp chap password 7 00280A080A5E
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool SIP 192.168.1.5 192.168.1.9 netmask 255.255.255.0
ip nat inside source static tcp 192.168.1.5 69 interface Dialer0 69
ip nat inside source static tcp 192.168.1.5 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.5 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.5 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.5 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.6 8080 interface Dialer0 8080
ip nat inside source static 192.168.1.8 79.121.245.210
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login Authorized access only!
 

banner motd 

!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 password 7 1517050B5C7C73757E6365
 authorization exec local_author
 login authentication local_authen
 transport input telnet
line vty 5 15
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet
!
scheduler allocate 4000 1000
end
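
One way to start fault finding on a config like the one above is to list where each numbered ACL is actually applied, since an ACL only filters traffic for the feature it is bound to. The Python sketch below is an added example, not part of the original thread; `audit_acls` and `filters_transit` are hypothetical helper names, and the input is an excerpt of the lines posted above.

```python
import re

# Excerpt assembled from the ACL- and NAT-related lines of the posted config.
CONFIG = """\
interface FastEthernet0/0
 ip nat inside
interface Dialer0
 ip nat outside
ip http access-class 2
ip nat inside source static tcp 192.168.1.5 80 interface Dialer0 80
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
line vty 0 4
 access-class 100 in
"""

# IOS commands that bind a numbered ACL, and the traffic each binding affects.
BINDINGS = [
    (r"^ip access-group (\d+) (in|out)", "transit traffic on interface"),
    (r"^access-class (\d+) (in|out)", "management sessions on line"),
    (r"^ip http access-class (\d+)", "router's own HTTP server"),
    (r"^ip nat inside source list (\d+) ", "dynamic NAT source selection"),
]

def audit_acls(config):
    """Map each ACL number (hypothetical helper) to the places it is applied."""
    usage, context = {}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            context = line  # top-level line: remember the current section
        m = re.match(r"access-list (\d+) ", line)
        if m:
            usage.setdefault(m.group(1), [])
        for pattern, scope in BINDINGS:
            m = re.match(pattern, line)
            if m:
                usage.setdefault(m.group(1), []).append(f"{scope} ({context})")
    return usage

def filters_transit(usage):
    """ACL numbers that can drop traffic passing through the router."""
    return [n for n, uses in usage.items() if any(u.startswith("transit") for u in uses)]

if __name__ == "__main__":
    for acl, uses in audit_acls(CONFIG).items():
        print(acl, uses or ["defined but not applied anywhere"])
```

On the posted lines, ACL 2 is bound only to the router's HTTP server, ACL 100 only to the vty lines, and ACL 1 is defined but not referenced by any of the bindings the script checks. None of them is applied with `ip access-group`.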


jjmartineziii

Are you saying that you want to deny all http traffic through the 1947?
mistyfly

ASKER

No, I have managed to apply something that has restricted it and I just need to know how to rectify it. Or even set it to factory default?
Your clients are located on FA0/0 and your internet is on ATM port?
Yeah, that's right.
oh wait,

do you mean, you are trying to manage the device via http? You want to access the web interface of the 1841?
My clients don't have web access.
What happens when you run a tracert from a client computer to google.com? Can you post the results?
It says it cannot resolve it. If I log onto the Cisco CLI and ping, say, www.bbc.co.uk then I get a reply, so it seems I may be blocking it in some way.
ping request could not find host www.google.com, please check name and try again
ping request could not find host www.google.com, please check name and try again
Not a ping. I need a tracert from a client that's trying to access the internet.

go to command prompt and type "tracert google.com" and post here.
Sorry my fault

"unable to resolve target system name www.google.com"
try "tracert 209.85.171.99"

then try "ping 209.85.171.99"
Sorry my fault

"unable to resolve target system name www.google.com"
ok, but instead of using google.com use the ip address.
Sorry my fault

"unable to resolve target system name www.google.com"
See attached
Ping.bmp
try:

interface Dialer0
no dialer-group 1


and test the internet connection.
Don't have any experience with the ATM connections; looks to me like it's a PPP connection that requires the dialer to connect on demand. Is the initial connection being made? Can you connect to anything from the router?
try telnet 209.85.237.25 25 and see if you get anything at all. If not, you're most likely not connecting to your ISP and no ACL statements will help you at all. Contact your ISP and ask if they can see you connecting.
jjmartineziii - that "no dialer-group 1" didn't work

jcs5003 - My ATM connection seems to be OK, I can ping www.google.com and various other websites when I telnet to the Cisco, but I cannot gain web access from my clients...
ASKER CERTIFIED SOLUTION
jcs5003