Solved

Cisco 1811 configuration help

Posted on 2009-06-30 | 6 comments | 374 views | Last modified: 2012-05-07
Hello. I need help with a basic configuration on a Cisco 1811 for use as a guest/backup Internet connection. This is replacing a flaky Netgear ProSafe. The router was configured using Cisco SDM but the more I use it the more I am not liking SDM. This router is different from the other Cisco routers I have here so I thought I would try out SDM.

At this point, from the router I can ping outside. When I connect a PC with a static IP in the 192.168.123.x range, with this router as the gateway, and valid DNS, I get no Internet. I included a sanitized config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FC_Outside_2
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************************
enable password 7 *****************************
!
no aaa new-model
!
resource policy
!
no ip routing
!
!
no ip cef
!
!
ip name-server 216.17.128.2
ip name-server 192.168.123.4
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 77.19.142.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.123.2 255.255.252.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Async1
 no ip address
 encapsulation slip
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 77.19.142.225
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.120.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 77.19.142.224 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host X.19.142.226
access-list 101 deny   ip 192.168.120.0 0.0.3.255 any
access-list 101 permit icmp any host 77.19.142.226 echo-reply
access-list 101 permit icmp any host 77.19.142.226 time-exceeded
access-list 101 permit icmp any host 77.19.142.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
snmp-server community tobacco RO
!
!
!
!
!
!
control-plane
!
!
line con 0
 privilege level 15
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7 *****************************
 login
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
FC_Outside_2#

Question by:BDoellefeld
6 Comments
 
Expert Comment by asavener (LVL 28), ID 24748860
First, add the line:  ip inspect name SDM_LOW http

Next, try a traceroute 4.2.2.2.
 
Author Comment by BDoellefeld (LVL 9), ID 24748992
Added the inspect on http and did a trace. Here is the result:
FC_Outside_2#traceroute 4.2.2.2
 
Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)
 
  1 225-142-19-77.skybeam.com (77.19.142.225) 4 msec 4 msec 8 msec
  2 197-253-73-208.skybeam.com (208.73.253.197) 12 msec 8 msec 12 msec
  3 193-253-73-208.skybeam.com (208.73.253.193) 8 msec 8 msec 8 msec
  4 2-253-73-208.skybeam.com (208.73.253.2) 12 msec 8 msec 8 msec
  5  *  *  *
  6 vnsc-bak.sys.gtei.net (4.2.2.2) 8 msec 8 msec 20 msec
FC_Outside_2#

 
Expert Comment by asavener (LVL 28), ID 24749012
I'm sorry, I meant run a trace from the PC.
 
Author Comment by BDoellefeld (LVL 9), ID 24749159
I should have guessed that is what you meant :)

Trace was successful, in addition to being able to browse now.

Was adding ip inspect name SDM_LOW http the missing key I'm wondering? Other than adding that, the only other thing I did was power down, move the router, and power it back up.

Unless I find something else in the next 20 minutes or so I think I'm good to go.

 
 
Accepted Solution by asavener (LVL 28, earned 500 total points), ID 24749248
The ip inspect rules affect what traffic the router will allow back in.  The TCP rule should really have allowed it back in, though.

I suspect the reboot is what fixed it; I've seen changes to the NAT configuration really confuse routers before.
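Editor's added example, not part of the thread: the routing, NAT and CBAC pieces that the two preceding comments turn on, condensed from the posted config, followed by the show commands that confirm each piece is doing its job. Two checks the thread does not cover are worth having on record. First, the posted config contains `no ip routing` and `no ip cef`; with `no ip routing` in effect an IOS router does not forward packets between its interfaces at all, so if the LAN loses Internet again after the next reload, `show ip route` is the first thing to look at. Second, SDM's `permit udp any eq domain host ...` line on ACL 101 admits any packet whose source port is 53, from anywhere; it exists for the router's own lookups against `ip name-server` (by default CBAC tracks sessions that transit the router, not ones the router originates), so it is narrowed here to the configured external resolver, which is the only line below that differs from the posted ACL. Interface names, addresses and ACL numbers are the ones posted; nothing else is assumed. Separately, the `enable password 7` beside `enable secret 5`, the type-7 vty password and the `snmp-server community ... RO` string are reversible or cleartext credentials that survived the sanitization; change them before reusing this paste anywhere.

```cisco
! Added example (not from the original post): routing + NAT + CBAC skeleton
! taken from the posted config, with the verification commands at the end.
! The only change from the posted ACL is the scoped DNS permit on ACL 101.
ip routing
ip cef
!
ip name-server 216.17.128.2
ip name-server 192.168.123.4
!
! CBAC: sessions leaving Fa0 are tracked and their replies are admitted
! through ACL 101 even though ACL 101 ends in deny ip any any.
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW http
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 77.19.142.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.123.2 255.255.252.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 77.19.142.225
!
! PAT: everything in 192.168.120.0/22 leaves as 77.19.142.226
access-list 1 permit 192.168.120.0 0.0.3.255
ip nat inside source list 1 interface FastEthernet0 overload
!
! Inside: drop packets pretending to come from the outside subnet
access-list 100 deny   ip 77.19.142.224 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
! Outside: replies to the router's own DNS lookups, scoped to the configured
! resolver instead of "any" (anyone can set source port 53); anti-spoofing
! denies; ICMP errors to the router; deny-and-log everything else. LAN hosts'
! return traffic is opened by CBAC, not by these lines.
access-list 101 permit udp host 216.17.128.2 eq domain host 77.19.142.226
access-list 101 deny   ip 192.168.120.0 0.0.3.255 any
access-list 101 permit icmp any host 77.19.142.226 echo-reply
access-list 101 permit icmp any host 77.19.142.226 time-exceeded
access-list 101 permit icmp any host 77.19.142.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
! Verification, run on the router while a LAN host browses:
!   show ip interface brief        Fa0 and Fa1 up/up with the addresses above
!   show ip route                  default via 77.19.142.225; absent if routing is off
!   show ip nat translations       192.168.123.x:port -> 77.19.142.226:port entries
!   show ip inspect sessions       one CBAC session per flow the LAN host opened
!   show ip access-lists 101       hit counts; the log deny should not be
!                                  counting the LAN host's return traffic
```

If `show ip nat translations` fills up but `show ip inspect sessions` stays empty, the inspect rule is not attached to the interface in the outbound direction; if both are empty, the packets are not being forwarded at all, which is where `ip routing` and the default route come in.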
 
Author Comment by BDoellefeld (LVL 9), ID 24749428
I appreciate your guidance asavener, thank you!