Solved

Cisco 1811 configuration help

Posted on 2009-06-30
Last Modified: 2012-05-07
Hello. I need help with a basic configuration on a Cisco 1811 for use as a guest/backup Internet connection. This is replacing a flaky Netgear ProSafe. The router was configured using Cisco SDM but the more I use it the more I am not liking SDM. This router is different from the other Cisco routers I have here so I thought I would try out SDM.

At this point, from the router I can ping outside. When I connect a PC with a static IP in the 192.168.123.x range, with this router as the gateway, and valid DNS, I get no Internet. I included a sanitized config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FC_Outside_2
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************************
enable password 7 *****************************
!
no aaa new-model
!
resource policy
!
no ip routing
!
!
no ip cef
!
!
ip name-server 216.17.128.2
ip name-server 192.168.123.4
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 77.19.142.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.123.2 255.255.252.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 77.19.142.225
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.120.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 77.19.142.224 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host X.19.142.226
access-list 101 deny   ip 192.168.120.0 0.0.3.255 any
access-list 101 permit icmp any host 77.19.142.226 echo-reply
access-list 101 permit icmp any host 77.19.142.226 time-exceeded
access-list 101 permit icmp any host 77.19.142.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community tobacco RO
!
!
!
!
!
!
control-plane
!
!
line con 0
 privilege level 15
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 *****************************
 login
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
FC_Outside_2#

0
Question by:BDoellefeld
6 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24748860
First, add the line:  ip inspect name SDM_LOW http

Next, try a traceroute 4.2.2.2.
0
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24748992
Added the inspect on http and did a trace. Here is the result:
FC_Outside_2#traceroute 4.2.2.2
 
Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)
 
  1 225-142-19-77.skybeam.com (77.19.142.225) 4 msec 4 msec 8 msec
  2 197-253-73-208.skybeam.com (208.73.253.197) 12 msec 8 msec 12 msec
  3 193-253-73-208.skybeam.com (208.73.253.193) 8 msec 8 msec 8 msec
  4 2-253-73-208.skybeam.com (208.73.253.2) 12 msec 8 msec 8 msec
  5  *  *  *
  6 vnsc-bak.sys.gtei.net (4.2.2.2) 8 msec 8 msec 20 msec
FC_Outside_2#

0
 
LVL 28

Expert Comment

by:asavener
ID: 24749012
I'm sorry, I meant run a trace from the PC.
0
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24749159
I should have guessed that is what you meant :)

Trace was successful, in addition to being able to browse now.

Was adding ip inspect name SDM_LOW http the missing key I'm wondering? Other than adding that, the only other thing I did was power down, move the router, and power it back up.

Unless I find something else in the next 20 minutes or so I think I'm good to go.

 
0
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 24749248
The ip inspect rules affect what traffic the router will allow back in.  The TCP rule should really have allowed it back in, though.

I suspect the reboot is what fixed it; I've seen changes to the NAT configuration really confuse routers before.
0
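
Added example, not part of the thread and not the poster's or Cisco's code: a Python model of the inspection behaviour described in the accepted answer, run against the SDM_LOW rule as posted in the question. It shows that the generic tcp entry already tracks an outbound port-80 session, so the reply gets back in past ACL 101 without an http entry. The port table, the class and function names, and the port numbers and addresses used when calling it are assumptions of this example.

```python
import re

# Constructed excerpt: the inspection rule as posted in the question
# (before "http" was added), trimmed to the entries relevant here.
POSTED = """\
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
"""

# Assumed table: well-known ports for application-specific inspection keywords.
APP_PORTS = {"http": ("tcp", 80), "https": ("tcp", 443), "ftp": ("tcp", 21),
             "esmtp": ("tcp", 25), "pop3": ("tcp", 110), "imap": ("tcp", 143),
             "dns": ("udp", 53), "tftp": ("udp", 69)}


def inspect_keywords(config, rule):
    """Return the set of protocol keywords configured under one inspect rule."""
    pat = re.compile(r"^ip inspect name (\S+) (\S+)", re.M)
    return {proto for name, proto in pat.findall(config) if name == rule}


def inspector_for(keywords, transport, dport):
    """Keyword that tracks an outbound flow: app-specific first, then generic."""
    for kw, (t, p) in APP_PORTS.items():
        if kw in keywords and (t, p) == (transport, dport):
            return kw
    return transport if transport in keywords else None


class OutsideInterface:
    """Hypothetical model of Fa0: 'ip inspect SDM_LOW out' with ACL 101 inbound.
    ACL 101 has no TCP permit entry, so inbound TCP passes only when inspection
    recorded the session. The ACL's static DNS/ICMP permits are not modelled."""

    def __init__(self, keywords):
        self.keywords, self.sessions = keywords, set()

    def outbound(self, transport, src, sport, dst, dport):
        kw = inspector_for(self.keywords, transport, dport)
        if kw:  # remember the reverse 5-tuple so the reply can pass ACL 101
            self.sessions.add((transport, dst, dport, src, sport))
        return kw

    def inbound_allowed(self, transport, src, sport, dst, dport):
        return (transport, src, sport, dst, dport) in self.sessions
```

On the router itself, `show ip inspect sessions` lists the sessions that inspection is currently tracking.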
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24749428
I appreciate your guidance asavener, thank you!
0
