Solved

Configuring a Cisco 851 W

Posted on 2009-07-08
297 Views
Last Modified: 2012-05-07
My office just switched from DSL to T1.

I cannot get my Cisco 851W to see the outside world.

I have contacted the ISP; their end is fine. I can hook my laptop up directly to the T1 router (Cisco IAD 2400) and ping anywhere; the internet works great.

Currently my router is back online utilizing the DSL connection till I can figure out the T1 issue.

I configured FE04 (WAN) with my static IP provided and the class 29 mask.
I configured the firewall to allow traffic from the new NS servers provided.
I reconfigured all the NAT.
Any suggestions?
I cannot paste a running config; as stated, my router is currently running the DSL config. I won't be able to try again till we are "closed" at 6pm EST.
Question by:dubeaukb
17 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24803997
Did you change the default route?  Any access lists using the old IPs?

Can you show the configuration (sanitized)?
 

Author Comment

by:dubeaukb
ID: 24804296
The default route remained the same, just utilizing FE04.

Do you think I may need to add the T1 router as a hop?

I don't believe there are any access lists.

I will reconfigure later tonight and post the actual running config.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24804395
If your next hop is out the serial interface, then you need to change your default route.
 

Author Comment

by:dubeaukb
ID: 24804664
I am coming out of FE04 on the 851W and going into FE05 on the IAD 2400.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24804715
I misread that, sorry.  Yes a sanitized running config would be helpful.
 

Author Comment

by:dubeaukb
ID: 24831154
Okay.
I can now ping my default gateway but still nothing beyond that.

nslookup will not resolve the DNS server.

I opened the firewall up completely.

If I simply change FE04 to my DSL IP configuration and plug in the modem, it works fine.

When I change it to the T1 static IP and mask, it does not work.

Could it be because the T1 requires a 255.255.255.248 mask?

As previously stated, I can configure my laptop with the T1's static address and ping the world.

I apologize, I still haven't copied the running config.

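Added example (editor's note, not part of the thread): a sequence of checks on the 851W that separates "routing is broken" from "NAT is broken" from "DNS is broken". The addresses are the ones the poster gives later in the thread (72.248.185.242/29 on FastEthernet4, next hop 72.248.185.241, name server 64.65.208.6, LAN on Vlan1); the interpretation of each step is the editor's, and it applies equally to the bridged BVI1 layout of the DSL config.

```cisco
! Added example: isolate routing vs. NAT vs. DNS on the 851W (not from the thread)
! Addresses assumed from the configs posted in this thread.
!
! 1. What does the default route point at? A route via an interface only
!    ("ip route 0.0.0.0 0.0.0.0 FastEthernet4") makes the router ARP on the WAN
!    segment for every Internet address and only works if the upstream device
!    answers with proxy ARP; a route via the next-hop address does not depend on that.
show ip route 0.0.0.0
!
! 2. Layer 2 to the next hop: the gateway must resolve, and there should be no
!    "Incomplete" ARP entries for random Internet addresses.
ping 72.248.185.241
show arp
!
! 3. Reachability without NAT: sourced from the WAN address the packet leaves
!    untranslated. If this fails, the problem is upstream (routing, or the /29
!    not being announced), not the 851W's NAT or firewall.
ping 64.65.208.6 source FastEthernet4
!
! 4. Reachability through NAT: sourced from the LAN address the packet must be
!    translated to 72.248.185.242. If step 3 works and this fails, look at the
!    NAT rules and at which interfaces carry "ip nat inside" / "ip nat outside".
ping 64.65.208.6 source Vlan1
show ip nat translations
!
! 5. Name resolution from the router itself. Router-originated traffic is not
!    covered by CBAC return-traffic holes, so the inbound WAN ACL must explicitly
!    permit UDP/53 replies from the configured name servers.
ping www.cisco.com
show hosts
!
! 6. What the WAN ACLs or inspection are dropping: hit counts on deny lines and
!    the inspection session table.
show access-lists
show ip inspect sessions
```

Steps 3 and 4 together are the useful split: the poster's symptom ("can ping the default gateway but nothing beyond") with a laptop that works on the same address points at step 1, since a laptop uses the gateway as next hop while the posted DSL config uses an interface-only default route.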
 

Author Comment

by:dubeaukb
ID: 24842289
Here is the current running config with the DSL connections.

The only difference is the T1 would be 72.xx.xxx.xxx with a 255.255.255.248 mask.

Could the LAN being 192.10.0.xxx affect this? (Don't know why it's not 192.168.xxx.xx.)

I think I am going to just wipe the router, not knowing how much SDM actually put on this router.
Using command syntax would appear much cleaner. I am now 100% against SDM, anyhow.


aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect alert-off
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
ip inspect name DEFAULT100 pptp
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 gtpv0
ip inspect name DEFAULT100 gtpv1
ip inspect name DEFAULT100 pop3
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 pop3s
ip inspect name sdm_ins_out_100 appfw DEFAULT100
ip inspect name sdm_ins_out_100 h323
ip inspect name sdm_ins_out_100 icmp
ip inspect name sdm_ins_out_100 rcmd
ip inspect name sdm_ins_out_100 sqlnet
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 dns
ip inspect name sdm_ins_out_100 pptp
ip inspect name sdm_ins_out_100 l2tp
ip inspect name sdm_ins_out_100 gtpv0
ip inspect name sdm_ins_out_100 gtpv1
ip inspect name sdm_ins_out_100 pop3
ip inspect name sdm_ins_out_100 smtp
ip inspect name sdm_ins_out_100 pop3s
ip inspect name sdm_ins_out_100 802-11-iapp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip tcp synwait-time 10
no ip bootp server
ip domain name energyelectric.org
ip name-server 66.189.0.30
ip name-server 192.10.0.2
ip name-server 66.189.0.29
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
  application im aol
    service default action reset
    service text-chat action reset
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
  application im msn
    service default action reset
    service text-chat action reset
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
  application http
    port-misuse im action reset alarm
  application im yahoo
    service default action reset
    service text-chat action reset
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-3751714289
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3751714289
 revocation-check none
 rsakeypair TP-self-signed-3751714289
!
!
crypto pki certificate chain TP-self-signed-3751714289
 certificate self-signed 01 nvram:IOS-Self-Sig#3902.cer
username xadmin privilege 15 secret 5 $1$kE25$SyB1PsKIBo8WZJNQwKnSF/
!
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 66.189.82.252 255.255.255.0
 ip access-group sdm_fastethernet4_in in
 ip access-group sdm_fastethernet4_out_100 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 in
 ip inspect sdm_ins_out_100 out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 ssid EEC WILAN
    authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.10.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.10.0.49 65530 interface BVI1 65530
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.10.0.2 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.10.0.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.10.0.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.10.0.2 80 interface FastEthernet4 80
ip nat inside source static udp 192.10.0.34 7100 interface FastEthernet4 7100
ip nat inside source static tcp 192.10.0.34 7100 interface FastEthernet4 7100
ip nat inside source static tcp 192.10.0.2 110 interface FastEthernet4 110
ip nat inside source static tcp 192.10.0.2 143 interface FastEthernet4 143
ip nat inside source static tcp 192.10.0.101 8100 66.189.82.252 8100 extendable
ip nat inside source static tcp 192.10.0.29 58928 66.189.82.252 58928 extendable
ip nat inside source static udp 192.10.0.29 58928 66.189.82.252 58928 extendable
!
ip access-list extended sdm_fastethernet4_in
 remark auto generated by Cisco SDM Express firewall configuration
 remark SDM_ACL Category=1
 permit udp host 66.189.0.29 eq domain any
 permit udp host 66.189.0.30 eq domain any
 permit icmp any any
 permit ip any any
 permit udp any any
 permit tcp any any
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit tcp any any
 permit udp any any
ip access-list extended sdm_fastethernet4_out_100
 remark SDM_ACL Category=1
 permit icmp any any
 permit udp any any
 permit tcp any any
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.10.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.10.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.10.0.2 eq domain any
access-list 100 permit icmp any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.10.0.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 72.248.185.240 0.0.0.7 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 72.248.185.242 eq www
access-list 104 permit udp any host 72.248.185.242 eq 58928
access-list 104 permit tcp any host 72.248.185.242 eq 58928
access-list 104 permit tcp any host 72.248.185.242 eq 8100
access-list 104 permit tcp any host 72.248.185.242 eq 143
access-list 104 permit tcp any host 72.248.185.242 eq pop3
access-list 104 permit tcp any host 72.248.185.242 eq 7100
access-list 104 permit udp any host 72.248.185.242 eq 7100
access-list 104 permit tcp any host 72.248.185.242 eq 443
access-list 104 permit tcp any host 72.248.185.242 eq 3389
access-list 104 permit tcp any host 72.248.185.242 eq 4125
access-list 104 permit udp host 64.65.223.6 eq domain host 72.248.185.242
access-list 104 permit udp host 64.65.208.6 eq domain host 72.248.185.242
access-list 104 deny   ip 192.10.0.0 0.0.0.255 any
access-list 104 permit icmp any host 72.248.185.242 echo-reply
access-list 104 permit icmp any host 72.248.185.242 time-exceeded
access-list 104 permit icmp any host 72.248.185.242 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 

Author Comment

by:dubeaukb
ID: 24842294
I know the firewall is wide open right now.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24849224
Can you post a copy of the router config?

If you re-IP FE04 on the 851 and FE05 on the router, can you ping FE04 from the router?

And, are your public IPs being announced upstream from your T1?
 

Author Comment

by:dubeaukb
ID: 24854486
jesper,
I am currently waiting for the employees to vacate the building.

I am going to wipe the router and reconfigure for the T1 (for a fourth time).

I will let you know how I make out and post the revised running config (851W).

I cannot access the Cisco IAD 2500 as it belongs to the ISP and all attempts to gain access have failed.

Thank you for all your assistance so far.
 

Author Comment

by:dubeaukb
ID: 24859767
Can someone provide a config for this?
I am having zero luck and now my network is down hard. I have been booted by the DSL ISP and need to bring this T1 up.

Router: Cisco 851W

FastEthernet04 needs to be 72.248.185.242 (WAN ISP) 255.255.255.248 (29-bit mask)
LAN is 192.10.0.x 255.255.255.0 (24-bit mask)

DHCP Server is 192.10.0.2
DNS is 65.64.208.6 and 65.64.223.6

tcp NAT (FE04)
143
5892
4125
7100
443
3389

UDP NAT (FE04)
5892
7100

Low Security Firewall

Thank you.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24860618
Can you please post the netblocks that you have and that are not working on the T1, and tell me who your T1 provider is.

I will look up the routes and find out if they are being announced. It sounds like an upstream routing issue.
 

Author Comment

by:dubeaukb
ID: 24860699
I don't think I have any netblocks.

The ISP is One Communications, utilizing a Verizon T1 line.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24860711
Are you changing providers?  Did the public IPs from the DSL move to the T1?
 

Author Comment

by:dubeaukb
ID: 24860932
I am changing providers. The IP addresses did change.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24861027
Ok.  If you can take the DSL config and make the correct changes to the text (not the actual config) for the T1 and post it, I can verify the config and the routing.
 

Accepted Solution

by:
dubeaukb earned 0 total points
ID: 24868485
Here is the solution I came up with.
This config is working; I still need to configure the ACLs, though.
Current configuration : 4159 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EECROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
ip domain name energyelectric.org
ip name-server 64.65.208.6
ip name-server 64.65.223.6
!
!
crypto pki trustpoint TP-self-signed-3751714289
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3751714289
 revocation-check none
 rsakeypair TP-self-signed-3751714289

!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 72.248.185.242 255.255.255.248
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description LAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 72.248.185.241
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list ACL1 interface FastEthernet4 overload
!
ip access-list standard ACL1
 remark SDM_ACL Category=2
 permit any
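Added example (editor's, not the poster's config): the WAN side of the 851W for the T1, filling in the ACLs the accepted solution leaves out. It assumes the values from the accepted config (72.248.185.242/29 on FastEthernet4 with next hop 72.248.185.241, LAN 192.10.0.0/24 on Vlan1, name servers 64.65.208.6 and 64.65.223.6) and takes the inside hosts for the port forwards from the static NAT lines of the DSL config earlier in the thread. The thread's own discrepancies (port 5892 in the request versus 58928 in the config, 65.64.x versus 64.65.x for DNS) are not resolved here; the config's values are used, and the reader should confirm them. The ACL names T1_IN, T1_OUT and NAT_INSIDE are the editor's.

```cisco
! Added example: hardened T1 WAN config for the 851W (editor's, not from the thread)
! Assumed: 72.248.185.242/29 on Fa4, next hop .241, LAN 192.10.0.0/24 on Vlan1,
! name servers 64.65.208.6/64.65.223.6, port forwards as in the DSL config.
service password-encryption
no ip source-route
no cdp run
ip domain name energyelectric.org
ip name-server 64.65.208.6
ip name-server 64.65.223.6
!
! Stateful inspection of outbound sessions: return traffic comes back through
! temporary holes in T1_IN, so T1_IN itself only lists the published services.
ip inspect name T1_OUT tcp
ip inspect name T1_OUT udp
ip inspect name T1_OUT icmp
ip inspect name T1_OUT dns
ip inspect name T1_OUT ftp
!
interface FastEthernet4
 description WAN T1 to ISP IAD
 ip address 72.248.185.242 255.255.255.248
 ip access-group T1_IN in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect T1_OUT out
 ip nat outside
 ip virtual-reassembly
!
interface Vlan1
 description LAN
 ip address 192.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
! Default route via the next-hop address, as in the accepted config, not via
! the interface as in the DSL config (which relies on upstream proxy ARP).
ip route 0.0.0.0 0.0.0.0 72.248.185.241
!
! Translate only the LAN; "permit any" would also translate spoofed sources.
ip access-list standard NAT_INSIDE
 permit 192.10.0.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
ip nat inside source static tcp 192.10.0.2 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.10.0.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.10.0.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.10.0.2 143 interface FastEthernet4 143
ip nat inside source static tcp 192.10.0.34 7100 interface FastEthernet4 7100
ip nat inside source static udp 192.10.0.34 7100 interface FastEthernet4 7100
ip nat inside source static tcp 192.10.0.29 58928 interface FastEthernet4 58928
ip nat inside source static udp 192.10.0.29 58928 interface FastEthernet4 58928
!
ip access-list extended T1_IN
 remark anti-spoofing: our /29 and the LAN (not RFC 1918, so listed explicitly)
 deny   ip 72.248.185.240 0.0.0.7 any
 deny   ip 192.10.0.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 remark published services, one line per static NAT above
 permit tcp any host 72.248.185.242 eq 4125
 permit tcp any host 72.248.185.242 eq 3389
 permit tcp any host 72.248.185.242 eq 443
 permit tcp any host 72.248.185.242 eq 143
 permit tcp any host 72.248.185.242 eq 7100
 permit udp any host 72.248.185.242 eq 7100
 permit tcp any host 72.248.185.242 eq 58928
 permit udp any host 72.248.185.242 eq 58928
 remark DNS replies to the router's own lookups (router traffic is not inspected)
 permit udp host 64.65.208.6 eq domain host 72.248.185.242
 permit udp host 64.65.223.6 eq domain host 72.248.185.242
 remark ICMP needed for path MTU discovery and traceroute
 permit icmp any host 72.248.185.242 echo-reply
 permit icmp any host 72.248.185.242 time-exceeded
 permit icmp any host 72.248.185.242 unreachable
 deny   ip any any log
!
! Management only from the LAN and only over SSH/HTTPS (a local username with
! a secret, as in the DSL config, must exist for login local).
access-list 2 permit 192.10.0.0 0.0.0.255
access-list 2 deny   any
no ip http server
ip http secure-server
ip http access-class 2
ip http authentication local
line vty 0 4
 access-class 2 in
 login local
 transport input ssh
```

The anti-spoofing denies come first so that a forged packet claiming a LAN or /29 source never matches a later permit; the 192.10.0.0/24 LAN sits outside the RFC 1918 ranges, which is why it needs its own deny and why a standard bogon list alone would not cover it. After applying, `show access-lists` hit counts on the `deny ip any any log` line and the earlier diagnostic pings are the quickest way to confirm nothing needed was filtered.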
