Cisco 877W Router Modem - Configure to support gaming server.

Gentlemen, Ladies,
I have a Cisco 877W router. I would like to run a game server located on my LAN and for that server to be available to players from the WAN. Ports to be forwarded are: UDP 1716, 1717, 1718, 8777, 27900 and TCP 20025-45, 20046, 20047, 20048, 14200.
I tend to use the Cisco SDM interface and it would be helpful if any solution incorporated that facility.
But if not, noting the obvious disdain in which SDM seems to be held in these parts, hey, I'm sure that I can cope... all and any advice would be very much appreciated. Your help will save me an awful lot of dithering about. Many thanks to you all.
Asked by hippus
 
hippus (Author) commented:
My apologies, I forgot to add...

IP address of the server will be 192.168.3.6

Current running config is:

Building configuration...

Current configuration : 8324 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$TkY1$GQYE40cnl3TaGstKJmId20
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 194.72.0.114 62.6.40.162
!
ip dhcp pool NETGEAR65362A
   host 192.168.3.2 255.255.255.0
   hardware-address 0018.4d65.362a
   client-name NETGEAR65362A
!
ip dhcp pool NETGEAR65358E
   host 192.168.3.3 255.255.255.0
   hardware-address 0018.4d65.358e
   client-name NETGEAR65358E
!
ip dhcp pool ATA18612-A
   host 192.168.3.4 255.255.255.0
   hardware-address 001a.6dca.a698
   client-name VOIP-ATA18612-A
!
ip dhcp pool IRONGOLEM
   host 192.168.3.5 255.255.255.0
   hardware-address 0013.7233.6f76
   client-name IRONGOLEM
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name de-pulford.com
ip name-server 194.72.0.114
ip name-server 62.6.40.162
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3702453916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3702453916
 revocation-check none
 rsakeypair TP-self-signed-3702453916
!
!
crypto pki certificate chain TP-self-signed-3702453916
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373032 34353339 3136301E 170D3032 30333031 30303231
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37303234
  35333931 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CF2F 1D5B83C3 A751D899 0FCEDE57 6E571AE6 15068DEB 5CEB1087 CF5DB01E
  2132ADED AB07CC25 6FD89701 7D8F98F7 C13A7C7A 0D107300 67B4FAE1 B0D68194
  3439A0A0 F46CABF6 2C998738 EE939714 FFF289EB 1CF46D4C 319F24B8 DE718EF1
  006B4128 51A3082D C9D81AA2 4183F1C2 C958DEC4 62883FEA 5EA46E36 735D3F0E
  E1AD0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
  551D1104 1C301A82 18434953 434F3837 37572E64 652D7075 6C666F72 642E636F
  6D301F06 03551D23 04183016 80145BD9 5F53ED32 DF72168B 7974E6AE 55791904
  2579301D 0603551D 0E041604 145BD95F 53ED32DF 72168B79 74E6AE55 79190425
  79300D06 092A8648 86F70D01 01040500 03818100 91DABE4A 1669FE66 9EC47F10
  B6678ABB 6E6652A6 21EA12E3 E0FDC073 B0D9FF9B B3217511 5CD07626 ED9E61D7
  A28B658B 1DCB4CAB 3DC3973D 27C2F085 302AC657 BF6FDEFB A160B5B7 77095FEF
  F68876EA 258D14FA C3FF7FC2 376B65F2 D8B7D3C1 4C8A0CF7 BB849239 600B815C
  D19581B9 7C42C971 2CE05E55 86D8A0A5 D1C219BA
  quit
username JdeP privilege 15 secret 5 $1$TGpn$RSSTMg3P2rrPZSmBtET0Z1
!
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 3C6A3709FD19C30AE82824731307 transmit-key
 encryption mode wep mandatory
 !
 ssid WIRELESS_LAN
    authentication open
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7 106C050A5F42450F4736202C7E71
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 217.36.210.59 255.255.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname A639590@hg40.btclick.com
 ppp chap password 7 020C005E1B545B701C1B
 ppp pap sent-username A639590@hg40.btclick.com password 7 020C005E1B545B701C1B
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.253 80 interface Dialer0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 217.36.0.0 0.0.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 217.36.210.59 eq www
access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59
access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host 217.36.210.59 echo-reply
access-list 101 permit icmp any host 217.36.210.59 time-exceeded
access-list 101 permit icmp any host 217.36.210.59 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
0
 
MrJemson commented:
There are two ways:

Either:
Cut and paste the following, replacing <SERVER-LOCAL-IP> with the actual server local IP.

conf t
ip nat inside source static udp <SERVER-LOCAL-IP> 1716 interface Dialer0 1716
ip nat inside source static udp <SERVER-LOCAL-IP> 1717 interface Dialer0 1717
ip nat inside source static udp <SERVER-LOCAL-IP> 1718 interface Dialer0 1718
ip nat inside source static udp <SERVER-LOCAL-IP> 8777 interface Dialer0 8777
ip nat inside source static udp <SERVER-LOCAL-IP> 27900 interface Dialer0 27900
ip nat inside source static tcp <SERVER-LOCAL-IP> 20025 interface Dialer0 20025
ip nat inside source static tcp <SERVER-LOCAL-IP> 20026 interface Dialer0 20026
ip nat inside source static tcp <SERVER-LOCAL-IP> 20027 interface Dialer0 20027
ip nat inside source static tcp <SERVER-LOCAL-IP> 20028 interface Dialer0 20028
ip nat inside source static tcp <SERVER-LOCAL-IP> 20029 interface Dialer0 20029
ip nat inside source static tcp <SERVER-LOCAL-IP> 20030 interface Dialer0 20030
ip nat inside source static tcp <SERVER-LOCAL-IP> 20031 interface Dialer0 20031
ip nat inside source static tcp <SERVER-LOCAL-IP> 20032 interface Dialer0 20032
ip nat inside source static tcp <SERVER-LOCAL-IP> 20033 interface Dialer0 20033
ip nat inside source static tcp <SERVER-LOCAL-IP> 20034 interface Dialer0 20034
ip nat inside source static tcp <SERVER-LOCAL-IP> 20035 interface Dialer0 20035
ip nat inside source static tcp <SERVER-LOCAL-IP> 20036 interface Dialer0 20036
ip nat inside source static tcp <SERVER-LOCAL-IP> 20037 interface Dialer0 20037
ip nat inside source static tcp <SERVER-LOCAL-IP> 20038 interface Dialer0 20038
ip nat inside source static tcp <SERVER-LOCAL-IP> 20039 interface Dialer0 20039
ip nat inside source static tcp <SERVER-LOCAL-IP> 20040 interface Dialer0 20040
ip nat inside source static tcp <SERVER-LOCAL-IP> 20041 interface Dialer0 20041
ip nat inside source static tcp <SERVER-LOCAL-IP> 20042 interface Dialer0 20042
ip nat inside source static tcp <SERVER-LOCAL-IP> 20043 interface Dialer0 20043
ip nat inside source static tcp <SERVER-LOCAL-IP> 20044 interface Dialer0 20044
ip nat inside source static tcp <SERVER-LOCAL-IP> 20045 interface Dialer0 20045
ip nat inside source static tcp <SERVER-LOCAL-IP> 20046 interface Dialer0 20046
ip nat inside source static tcp <SERVER-LOCAL-IP> 20047 interface Dialer0 20047
ip nat inside source static tcp <SERVER-LOCAL-IP> 20048 interface Dialer0 20048
ip nat inside source static tcp <SERVER-LOCAL-IP> 14200 interface Dialer0 14200





*** OR ***

You can create a sort of DMZ where all ports are forwarded to the Server with the following command:

conf t
ip nat inside source static <SERVER-LOCAL-IP> interface Dialer0
0
 
hippus (Author) commented:
MrJemson, many thanks for taking the trouble to come back with a working proposal, I appreciate your time.

A couple of questions if I may?

1. Whereabouts into the running config displayed above would your lines be pasted?
2. Do I need to include the "conf t" line?
3. For those ports which are UDP designated I presume I just change the TCP designation to UDP?

Thank you in advance.
 
0
hippus (Author) commented:
My apologies, one more question.


Do I need to set up specific firewall rules for these transports?

Thank you.
0
 
MrJemson commented:
1. Include it with these lines:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.253 80 interface Dialer0 80

2. Not in the running config. If you have command line access you need to enter "conf t" to get to Configuration Mode and pass the commands.

3. Yes. You would see in the config the ones you designated as udp do have udp written in them.

4. You should not need to. Put the rules in and if you are having issues we will have a good look at access lists etc. then.
0
 
hippus (Author) commented:
Many thanks Mr J.

Three more questions if I may?

1. The way that I foresee incorporating your script into the running config (RC) is to export the RC from the router using the SDM, cut and paste your script into it, and then reimport the 'new' RC back into the router. This 'monkey cut, monkey paste' routine has worked quite well in the past for me. That's why I asked you whereabouts in the RC your lines would be pasted.

If you think that just telnetting into the router and using the command line conf t is the better way I'll give it a try, but my Cisco IOS is as rusty as sin. I haven't used CIOS for about three years now, and at my advanced age, my name and the date is of primary consideration.

2. In your response 1. above you wrote "Include it with these lines" etc etc... where would those lines fit into the initial port forwarding sequence, at the beginning or at the end.

My apologies for such elementary questions, but before I start I need to understand exactly what I am doing.

I have increased the points value as a thank you for your continued help.
0
 
hippus (Author) commented:


The server IP address is 192.168.3.5
0
 
MrJemson commented:
1. Either of these would work.
When the router reboots it gets the saved config out of NVRAM and passes it through its CLI for the running config. It does this so if you copy a config from a different router, it will just ignore any irrelevant commands etc.

2. When you show the running config, they will appear like this: (I have included the Server IP for you also)

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.253 80 interface Dialer0 80
ip nat inside source static udp 192.168.3.5 1716 interface Dialer0 1716
ip nat inside source static udp 192.168.3.5 1717 interface Dialer0 1717
ip nat inside source static udp 192.168.3.5 1718 interface Dialer0 1718
ip nat inside source static udp 192.168.3.5 8777 interface Dialer0 8777
ip nat inside source static udp 192.168.3.5 27900 interface Dialer0 27900
ip nat inside source static tcp 192.168.3.5 20025 interface Dialer0 20025
ip nat inside source static tcp 192.168.3.5 20026 interface Dialer0 20026
ip nat inside source static tcp 192.168.3.5 20027 interface Dialer0 20027
ip nat inside source static tcp 192.168.3.5 20028 interface Dialer0 20028
ip nat inside source static tcp 192.168.3.5 20029 interface Dialer0 20029
ip nat inside source static tcp 192.168.3.5 20030 interface Dialer0 20030
ip nat inside source static tcp 192.168.3.5 20031 interface Dialer0 20031
ip nat inside source static tcp 192.168.3.5 20032 interface Dialer0 20032
ip nat inside source static tcp 192.168.3.5 20033 interface Dialer0 20033
ip nat inside source static tcp 192.168.3.5 20034 interface Dialer0 20034
ip nat inside source static tcp 192.168.3.5 20035 interface Dialer0 20035
ip nat inside source static tcp 192.168.3.5 20036 interface Dialer0 20036
ip nat inside source static tcp 192.168.3.5 20037 interface Dialer0 20037
ip nat inside source static tcp 192.168.3.5 20038 interface Dialer0 20038
ip nat inside source static tcp 192.168.3.5 20039 interface Dialer0 20039
ip nat inside source static tcp 192.168.3.5 20040 interface Dialer0 20040
ip nat inside source static tcp 192.168.3.5 20041 interface Dialer0 20041
ip nat inside source static tcp 192.168.3.5 20042 interface Dialer0 20042
ip nat inside source static tcp 192.168.3.5 20043 interface Dialer0 20043
ip nat inside source static tcp 192.168.3.5 20044 interface Dialer0 20044
ip nat inside source static tcp 192.168.3.5 20045 interface Dialer0 20045
ip nat inside source static tcp 192.168.3.5 20046 interface Dialer0 20046
ip nat inside source static tcp 192.168.3.5 20047 interface Dialer0 20047
ip nat inside source static tcp 192.168.3.5 20048 interface Dialer0 20048
ip nat inside source static tcp 192.168.3.5 14200 interface Dialer0 14200
0
 
hippus (Author) commented:
Ok.. Using SDM I merged the 'old' running config with your nat script the results are displayed below.
The server still cannot be seen on the WAN, but is working correctly as it can be played on across the local LAN.
Also the bloody thing has taken to hiding from Vista machines; the only machine that I've got that can actually still access the router via SDM is an old XP laptop running an out-of-date Java client. Why do Cisco always have to make things so difficult?
Anyway rant over....
Current configuration : 10599 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$TkY1$GQYE40cnl3TaGstKJmId20
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 194.72.0.114 62.6.40.162
!
ip dhcp pool NETGEAR65362A
   host 192.168.3.2 255.255.255.0
   hardware-address 0018.4d65.362a
   client-name NETGEAR65362A
!
ip dhcp pool NETGEAR65358E
   host 192.168.3.3 255.255.255.0
   hardware-address 0018.4d65.358e
   client-name NETGEAR65358E
!
ip dhcp pool ATA18612-A
   host 192.168.3.4 255.255.255.0
   hardware-address 001a.6dca.a698
   client-name VOIP-ATA18612-A
!
ip dhcp pool IRONGOLEM
   host 192.168.3.5 255.255.255.0
   hardware-address 0013.7233.6f76
   client-name IRONGOLEM
!
ip dhcp pool TITANIUMVIXEN
   host 192.168.3.6 255.255.255.0
   hardware-address 0021.8597.52bd
   client-name TITANIUMVIXEN
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name de-pulford.com
ip name-server 194.72.0.114
ip name-server 62.6.40.162
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3702453916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3702453916
 revocation-check none
 rsakeypair TP-self-signed-3702453916
!
!
crypto pki certificate chain TP-self-signed-3702453916
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373032 34353339 3136301E 170D3032 30333031 30303231
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37303234
  35333931 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CF2F 1D5B83C3 A751D899 0FCEDE57 6E571AE6 15068DEB 5CEB1087 CF5DB01E
  2132ADED AB07CC25 6FD89701 7D8F98F7 C13A7C7A 0D107300 67B4FAE1 B0D68194
  3439A0A0 F46CABF6 2C998738 EE939714 FFF289EB 1CF46D4C 319F24B8 DE718EF1
  006B4128 51A3082D C9D81AA2 4183F1C2 C958DEC4 62883FEA 5EA46E36 735D3F0E
  E1AD0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
  551D1104 1C301A82 18434953 434F3837 37572E64 652D7075 6C666F72 642E636F
  6D301F06 03551D23 04183016 80145BD9 5F53ED32 DF72168B 7974E6AE 55791904
  2579301D 0603551D 0E041604 145BD95F 53ED32DF 72168B79 74E6AE55 79190425
  79300D06 092A8648 86F70D01 01040500 03818100 91DABE4A 1669FE66 9EC47F10
  B6678ABB 6E6652A6 21EA12E3 E0FDC073 B0D9FF9B B3217511 5CD07626 ED9E61D7
  A28B658B 1DCB4CAB 3DC3973D 27C2F085 302AC657 BF6FDEFB A160B5B7 77095FEF
  F68876EA 258D14FA C3FF7FC2 376B65F2 D8B7D3C1 4C8A0CF7 BB849239 600B815C
  D19581B9 7C42C971 2CE05E55 86D8A0A5 D1C219BA
  quit
username JdeP privilege 15 secret 5 $1$TGpn$RSSTMg3P2rrPZSmBtET0Z1
!
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 3C6A3709FD19C30AE82824731307 transmit-key
 encryption mode wep mandatory
 !
 ssid WIRELESS_LAN
    authentication open
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7 106C050A5F42450F4736202C7E71
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 217.36.210.59 255.255.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname A639590@hg40.btclick.com
 ppp chap password 7 020C005E1B545B701C1B
 ppp pap sent-username A639590@hg40.btclick.com password 7 020C005E1B545B701C1B
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.253 80 interface Dialer0 80
ip nat inside source static udp 192.168.3.5 1716 interface Dialer0 1716
ip nat inside source static udp 192.168.3.5 1717 interface Dialer0 1717
ip nat inside source static udp 192.168.3.5 1718 interface Dialer0 1718
ip nat inside source static udp 192.168.3.5 8777 interface Dialer0 8777
ip nat inside source static udp 192.168.3.5 27900 interface Dialer0 27900
ip nat inside source static tcp 192.168.3.5 20025 interface Dialer0 20025
ip nat inside source static tcp 192.168.3.5 20026 interface Dialer0 20026
ip nat inside source static tcp 192.168.3.5 20027 interface Dialer0 20027
ip nat inside source static tcp 192.168.3.5 20028 interface Dialer0 20028
ip nat inside source static tcp 192.168.3.5 20029 interface Dialer0 20029
ip nat inside source static tcp 192.168.3.5 20030 interface Dialer0 20030
ip nat inside source static tcp 192.168.3.5 20031 interface Dialer0 20031
ip nat inside source static tcp 192.168.3.5 20032 interface Dialer0 20032
ip nat inside source static tcp 192.168.3.5 20033 interface Dialer0 20033
ip nat inside source static tcp 192.168.3.5 20034 interface Dialer0 20034
ip nat inside source static tcp 192.168.3.5 20035 interface Dialer0 20035
ip nat inside source static tcp 192.168.3.5 20036 interface Dialer0 20036
ip nat inside source static tcp 192.168.3.5 20037 interface Dialer0 20037
ip nat inside source static tcp 192.168.3.5 20038 interface Dialer0 20038
ip nat inside source static tcp 192.168.3.5 20039 interface Dialer0 20039
ip nat inside source static tcp 192.168.3.5 20040 interface Dialer0 20040
ip nat inside source static tcp 192.168.3.5 20041 interface Dialer0 20041
ip nat inside source static tcp 192.168.3.5 20042 interface Dialer0 20042
ip nat inside source static tcp 192.168.3.5 20043 interface Dialer0 20043
ip nat inside source static tcp 192.168.3.5 20044 interface Dialer0 20044
ip nat inside source static tcp 192.168.3.5 20045 interface Dialer0 20045
ip nat inside source static tcp 192.168.3.5 20046 interface Dialer0 20046
ip nat inside source static tcp 192.168.3.5 20047 interface Dialer0 20047
ip nat inside source static tcp 192.168.3.5 20048 interface Dialer0 20048
ip nat inside source static tcp 192.168.3.5 14200 interface Dialer0 14200
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 217.36.0.0 0.0.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 217.36.210.59 eq www
access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59
access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host 217.36.210.59 echo-reply
access-list 101 permit icmp any host 217.36.210.59 time-exceeded
access-list 101 permit icmp any host 217.36.210.59 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

0
 
MrJemson commented:
Add to the TOP of Access List 101:

access-list 101 permit ___ any host 217.36.210.59 eq ....

.... = Port number you are forwarding.
___ = tcp or udp

If you add an entry for each port/protocol you should be fine.

As I said earlier:
"Put the rules in and if you are having issues we will have a good look at access lists etc then,"

This is the work around for your access list.
0
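Editor's note, added to this thread and not part of MrJemson's or Cisco's material: the two answers above (the static NAT entries, then the ACL 101 permits) are both needed because of the order in which the 877W handles traffic arriving on Dialer0. ACL 101 is applied inbound on that interface and is evaluated against the global address 217.36.210.59 before the `ip nat inside source static` entries rewrite the destination to the LAN host, so a port that is forwarded but not permitted is dropped by the final `deny ip any any` and NAT never sees it. The Python script below is a constructed first-match model of IOS extended ACLs (enough for the `any`/`host`/wildcard, `eq` and `range` syntax used in this thread); it parses ACL 101 as posted, expands the question's port list, shows how many forwarded ports that ACL blocks, generates the permits (collapsing consecutive ports with the IOS `range` keyword) and re-checks. The Internet client address 203.0.113.10 is a constructed value from the RFC 5737 documentation range.

```python
"""Added example: ACL 101 is checked inbound on Dialer0 before static NAT, so each forwarded port needs a permit."""
from collections import namedtuple
WAN_IP = "217.36.210.59"   # Dialer0 address from the posted config
CLIENT = "203.0.113.10"    # constructed Internet player (RFC 5737 range)
NAMED_PORTS = {"www": 80, "domain": 53}
Ace = namedtuple("Ace", "action proto src sport dst dport")

# Port list from the question: UDP 1716-1718, 8777, 27900; TCP 20025-20048 and 14200.
FORWARDS = [("udp", p) for p in (1716, 1717, 1718, 8777, 27900)] + \
           [("tcp", p) for p in list(range(20025, 20049)) + [14200]]

# ACL 101 as it appears in the running config (remark lines omitted).
ACL_101_POSTED = """\
access-list 101 permit tcp any host 217.36.210.59 eq www
access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59
access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host 217.36.210.59 echo-reply
access-list 101 permit icmp any host 217.36.210.59 time-exceeded
access-list 101 permit icmp any host 217.36.210.59 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
"""

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (net, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return ip_to_int(tokens.pop(0)), 0
    return ip_to_int(t), ip_to_int(tokens.pop(0))

def parse_ports(tokens):
    """Consume an optional 'eq N' or 'range A B' qualifier; return (lo, hi)."""
    n = {"eq": 1, "range": 2}.get(tokens[0] if tokens else None, 0)
    if n == 0:
        return 0, 65535
    vals = [int(NAMED_PORTS.get(t, t)) for t in tokens[1:1 + n]]
    del tokens[:1 + n]
    return vals[0], vals[-1]

def parse_acl(text):
    """Parse extended ACL lines in order; trailing icmp type names are ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2] != "remark":
            rest = t[4:]
            src, sport = parse_addr(rest), parse_ports(rest)
            dst, dport = parse_addr(rest), parse_ports(rest)
            aces.append(Ace(t[2], t[3], src, sport, dst, dport))
    return aces

def addr_match(spec, ip):
    mask = ~spec[1] & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (spec[0] & mask)

def acl_action(aces, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for a in aces:
        if (a.proto in ("ip", proto) and addr_match(a.src, src_ip) and addr_match(a.dst, dst_ip)
                and a.sport[0] <= sport <= a.sport[1] and a.dport[0] <= dport <= a.dport[1]):
            return a.action
    return "deny"

def blocked_forwards(acl_text, forwards=FORWARDS):
    """Forwarded (proto, port) pairs the inbound ACL drops before NAT sees them."""
    aces = parse_acl(acl_text)
    return [f for f in forwards if acl_action(aces, f[0], CLIENT, 40000, WAN_IP, f[1]) != "permit"]

def permit_lines(forwards=FORWARDS):
    """Permits for the forwarded ports; consecutive ports collapse into 'range'."""
    lines = []
    for proto in ("udp", "tcp"):
        runs = [[]]
        for p in sorted(p for pr, p in forwards if pr == proto):
            if runs[-1] and p != runs[-1][-1] + 1:
                runs.append([])
            runs[-1].append(p)
        for run in runs:
            spec = f"eq {run[0]}" if len(run) == 1 else f"range {run[0]} {run[-1]}"
            lines.append(f"access-list 101 permit {proto} any host {WAN_IP} {spec}")
    return lines

def with_permits(acl_text, lines):
    """Insert permits just above the final 'deny ip any any', behind the anti-spoofing denies."""
    body = acl_text.rstrip("\n").splitlines()
    return "\n".join(body[:-1] + lines + body[-1:]) + "\n"
```

Two practical points follow from the model. First, the example places the permits just ahead of the final `deny ip any any` rather than at the very top of the list, so that the existing denies for private and bogon source ranges still drop spoofed packets aimed at the game ports. Second, a numbered `access-list 101 permit ...` command typed at the CLI is appended to the end of the list, after `deny ip any any`, where it would never match; to land the entries before that deny you must either remove and re-enter the whole list, or (on IOS releases that support access-list entry sequence numbers) use `ip access-list extended 101` and give each new entry a sequence number below the final deny.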
 
hippus (Author) commented:
Many thanks Mr J...

Ok I have carried out your latest instructions and have attached the new running config to this comment for you to check out prior to uploading that to the 877W.

Have solved the problem of the bashful 877W by installing Win XP SP3 and IE6 in a virtual PC environment, downloading an older Java client, and then installing SDM over that combination. It works a treat, and starts up every time. Just how do Cisco get away with it though? Can you see having to go through that degree of palaver with, say, a Netgear DG834 or a Zyxel SoHo router? They'd never sell any. I

I await your ok for the new script.
Many thanks.


 
877W-runconfig-new-1.txt
0
 
MrJemson commented:
Looks good to me.
Nonetheless make a backup of your old config.

Good luck!
0
 
hippus (Author) commented:
Hi Mr J.
That didn't work either.
I have downloaded the user manual... and cracked on myself using the SDM... and despite the fact that I have spent hours on this it still will not work. I have of course saved an original running config at each stage of development.
I have attempted to configure the firewall using the SDM... and I'm sure that, despite the downright ambiguity of the language used by Cisco, I am doing it correctly.
I include the latest running config for your amusement, and advice.
Bumped up the points again.
John de-P
Copy-of-SDMConfig.txt
0
 
hippus (Author) commented:
Hi Mr J....

Thank you for all your help, but you're off the hook, I have finally configured the thing properly. The NAT translation was in the wrong direction, and once all the NAT 'services' had been set up correctly, and the firewall rules put in place everything was fine. I used the SDM facility backed up by the console to check what I was doing as I went along. The SDM facility worked without a hitch.
Many thanks for your support... I

0
 
hippus (Author) commented:
Thank you for your help, configuring a Cisco Anything via a third party must be a nightmare in anyone's language. In the end the solution was found through just sitting down and working through the Cisco manual. As a somewhat wry afternote I configured a Netgear DG834G ADSL Router to do the same job in less than ten minutes flat, and despite the smaller unit's limitations it performed very well indeed.
0
