Solved

Cisco 1811 configuration help

Posted on 2009-06-30
Last Modified: 2012-05-07
Hello. I need help with a basic configuration on a Cisco 1811 for use as a guest/backup Internet connection. This is replacing a flaky Netgear ProSafe. The router was configured using Cisco SDM but the more I use it the more I am not liking SDM. This router is different from the other Cisco routers I have here so I thought I would try out SDM.

At this point, from the router I can ping outside. When I connect a PC with a static IP in the 192.168.123.x range, with this router as the gateway, and valid DNS, I get no Internet. I included a sanitized config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FC_Outside_2
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************************
enable password 7 *****************************
!
no aaa new-model
!
resource policy
!
no ip routing
!
no ip cef
!
ip name-server 216.17.128.2
ip name-server 192.168.123.4
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 77.19.142.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.123.2 255.255.252.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 77.19.142.225
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.120.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 77.19.142.224 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host X.19.142.226
access-list 101 deny   ip 192.168.120.0 0.0.3.255 any
access-list 101 permit icmp any host 77.19.142.226 echo-reply
access-list 101 permit icmp any host 77.19.142.226 time-exceeded
access-list 101 permit icmp any host 77.19.142.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community tobacco RO
!
control-plane
!
line con 0
 privilege level 15
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 *****************************
 login
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

FC_Outside_2#

Open in new window

Question by:BDoellefeld
Expert Comment

by:asavener
ID: 24748860
First, add the line:  ip inspect name SDM_LOW http

Next, try a traceroute 4.2.2.2.
Author Comment

by:BDoellefeld
ID: 24748992
Added the inspect on http and did a trace. Here is the result:
FC_Outside_2#traceroute 4.2.2.2

Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)

  1 225-142-19-77.skybeam.com (77.19.142.225) 4 msec 4 msec 8 msec
  2 197-253-73-208.skybeam.com (208.73.253.197) 12 msec 8 msec 12 msec
  3 193-253-73-208.skybeam.com (208.73.253.193) 8 msec 8 msec 8 msec
  4 2-253-73-208.skybeam.com (208.73.253.2) 12 msec 8 msec 8 msec
  5  *  *  *
  6 vnsc-bak.sys.gtei.net (4.2.2.2) 8 msec 8 msec 20 msec
FC_Outside_2#
Expert Comment

by:asavener
ID: 24749012
I'm sorry, I meant run a trace from the PC.
Author Comment

by:BDoellefeld
ID: 24749159
I should have guessed that is what you meant :)

Trace was successful, in addition to being able to browse now.

Was adding ip inspect name SDM_LOW http the missing key I'm wondering? Other than adding that, the only other thing I did was power down, move the router, and power it back up.

Unless I find something else in the next 20 minutes or so I think I'm good to go.

Accepted Solution

by:asavener (earned 500 total points)
ID: 24749248
The ip inspect rules affect what traffic the router will allow back in.  The TCP rule should really have allowed it back in, though.

I suspect the reboot is what fixed it; I've seen changes to the NAT configuration really confuse routers before.
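To make the accepted answer's point concrete, here is an added Python model (not code from this thread or from Cisco) that evaluates the posted access-list 101 first statelessly and then with a CBAC-style session entry: a DNS reply and an ICMP echo-reply pass the static ACL on their own, while a TCP reply from a web server is only let back in through the entry that `ip inspect SDM_LOW out` recorded for the outbound flow. It assumes the sanitized `X.19.142.226` is `77.19.142.226`; `Packet`, `parse_ace`, `acl_action` and `inbound_action` are names of my own.

```python
import ipaddress
from collections import namedtuple
# Constructed copy of the posted access-list 101; the sanitized "X.19.142.226" is assumed to be 77.19.142.226.
ACL_101_TEXT = """permit udp any eq domain host 77.19.142.226
deny   ip 192.168.120.0 0.0.3.255 any
permit icmp any host 77.19.142.226 echo-reply
permit icmp any host 77.19.142.226 time-exceeded
permit icmp any host 77.19.142.226 unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any log"""
PORTS = {"domain": 53, "www": 80}  # IOS port keywords that may follow 'eq'
ICMP_TYPES = {"echo-reply", "time-exceeded", "unreachable"}
Packet = namedtuple("Packet", "proto src dst sport dport icmp", defaults=(0, 0, ""))
def ip2int(a): return int(ipaddress.IPv4Address(a))

def _addr(tok, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) into (network, wildcard)."""
    if tok[i] == "any": return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host": return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2

def parse_ace(line):
    tok, fields, i = line.split(), [], 2
    for _ in range(2):  # source, then destination, each with an optional 'eq <port>'
        spec, i = _addr(tok, i)
        port, i = (PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2) if tok[i:i + 1] == ["eq"] else (None, i)
        fields += [spec, port]
    icmp = tok[i] if i < len(tok) and tok[i] in ICMP_TYPES else None
    return (tok[0], tok[1], *fields, icmp)  # action, proto, src, sport, dst, dport, icmp

def acl_action(acl, p):
    """Stateless first-match evaluation of an extended ACL, ending in IOS's implicit deny."""
    hit = lambda s, a: ip2int(a) | s[1] == s[0] | s[1]  # wildcard 1-bits are "don't care"
    for action, proto, src, sport, dst, dport, icmp in acl:
        if (proto in ("ip", p.proto) and hit(src, p.src) and hit(dst, p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport) and icmp in (None, p.icmp)):
            return action
    return "deny"

def inbound_action(acl, sessions, p):
    """Outside-interface check: a flow that 'ip inspect ... out' recorded is matched before the ACL."""
    if (p.proto, p.dst, p.dport, p.src, p.sport) in sessions: return "permit"
    return acl_action(acl, p)

ACL_101 = [parse_ace(line) for line in ACL_101_TEXT.splitlines()]
```

Session tuples are (proto, inside-translated address, port, remote address, port) as they would be recorded after NAT on FastEthernet0; the static ACL alone never admits the TCP reply, which is why the inspect rule for tcp matters and why the answer expected it to let the traffic back in.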
Author Comment

by:BDoellefeld
ID: 24749428
I appreciate your guidance asavener, thank you!