Cisco 1811 configuration help

Hello. I need help with a basic configuration on a Cisco 1811 for use as a guest/backup Internet connection. This is replacing a flaky Netgear ProSafe. The router was configured using Cisco SDM but the more I use it the more I am not liking SDM. This router is different from the other Cisco routers I have here so I thought I would try out SDM.

At this point, from the router I can ping outside. When I connect a PC with a static IP in the 192.168.123.x range, with this router as the gateway, and valid DNS, I get no Internet. I included a sanitized config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FC_Outside_2
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************************
enable password 7 *****************************
!
no aaa new-model
!
resource policy
!
no ip routing
!
!
no ip cef
!
!
ip name-server 216.17.128.2
ip name-server 192.168.123.4
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 77.19.142.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.123.2 255.255.252.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 77.19.142.225
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.120.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 77.19.142.224 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host X.19.142.226
access-list 101 deny   ip 192.168.120.0 0.0.3.255 any
access-list 101 permit icmp any host 77.19.142.226 echo-reply
access-list 101 permit icmp any host 77.19.142.226 time-exceeded
access-list 101 permit icmp any host 77.19.142.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community tobacco RO
!
!
!
!
!
!
control-plane
!
!
line con 0
 privilege level 15
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 *****************************
 login
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
FC_Outside_2#

BDoellefeld Asked:

asavener Commented:
First, add the line:  ip inspect name SDM_LOW http

Next, try a traceroute 4.2.2.2.
0
BDoellefeld (Author) Commented:
Added the inspect on http and did a trace. Here is the result:
FC_Outside_2#traceroute 4.2.2.2
 
Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)
 
  1 225-142-19-77.skybeam.com (77.19.142.225) 4 msec 4 msec 8 msec
  2 197-253-73-208.skybeam.com (208.73.253.197) 12 msec 8 msec 12 msec
  3 193-253-73-208.skybeam.com (208.73.253.193) 8 msec 8 msec 8 msec
  4 2-253-73-208.skybeam.com (208.73.253.2) 12 msec 8 msec 8 msec
  5  *  *  *
  6 vnsc-bak.sys.gtei.net (4.2.2.2) 8 msec 8 msec 20 msec
FC_Outside_2#

0
asavener Commented:
I'm sorry, I meant run a trace from the PC.
0

BDoellefeld (Author) Commented:
I should have guessed that is what you meant :)

Trace was successful, in addition to being able to browse now.

Was adding ip inspect name SDM_LOW http the missing key I'm wondering? Other than adding that, the only other thing I did was power down, move the router, and power it back up.

Unless I find something else in the next 20 minutes or so I think I'm good to go.

 
0
asavener Commented:
The ip inspect rules affect what traffic the router will allow back in.  The TCP rule should really have allowed it back in, though.

I suspect the reboot is what fixed it; I've seen changes to the NAT configuration really confuse routers before.
0
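
The point above about the generic tcp inspection rule, and the NAT list the config depends on, can be checked offline against the posted config. This is an added example, not part of the original thread; the function names are hypothetical and the embedded config is a constructed excerpt of the lines posted in the question.

```python
import ipaddress
import re

# Constructed sample: only the posted config lines relevant to NAT and CBAC.
CONFIG = """\
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
interface FastEthernet0
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
interface FastEthernet1
 ip address 192.168.123.2 255.255.252.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 192.168.120.0 0.0.3.255
"""

def inspected(config, rule):
    """Protocols listed under one 'ip inspect name <rule>' set."""
    return set(re.findall(rf"^ip inspect name {re.escape(rule)} (\S+)", config, re.M))

def return_traffic_allowed(config, rule, app, transport):
    """Return paths open if the application or its generic transport is inspected."""
    protos = inspected(config, rule)
    return app in protos or transport in protos

def nat_acl_matches(config, acl, src):
    """True if a standard ACL permit line (address + wildcard mask) matches src."""
    ip = int(ipaddress.IPv4Address(src))
    for addr, wild in re.findall(rf"^access-list {acl} permit (\S+) (\S+)", config, re.M):
        base = int(ipaddress.IPv4Address(addr))
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # bits that must match
        if ip & care == base & care:
            return True
    return False

def nat_roles(config):
    """Map interface name -> 'inside'/'outside' from per-interface 'ip nat' lines."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif (m := re.match(r"\s+ip nat (inside|outside)$", line)) and current:
            roles[current] = m.group(1)
    return roles
```

With the config as posted, `return_traffic_allowed(CONFIG, "SDM_LOW", "http", "tcp")` is true even though `http` is not in the rule set, because the generic `tcp` entry is.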

BDoellefeld (Author) Commented:
I appreciate your guidance asavener, thank you!
0