xrmichael
asked on
Cisco 1801 Configuration Help: FE0 DHCP and Firewall
The credit crunch has left me in charge of our network; the full-time IT guy has had to go, so a steep learning curve probably follows.
I need to make some alterations to one of our small offices that has an 1801/K9 installed. I have reloaded the config via SDM (so I can hopefully maintain it via SDM from here on) and updated the IOS to the latest version.
I need to add FE0 as a backup WAN connection, as the inbuilt ADSL sometimes goes down.
FE0 has an ADSL modem on it that will hand out the IP via DHCP. I have configured FE0, but it will not take an IP unless I disable the firewall; if I reapply the firewall and let SDM modify it to let DHCP through, it still does not work.
Can someone help me modify this config to sort the DHCP and keep the firewall somewhat secure? Any other points on the config are gratefully taken.
! This is the running config of the router: 192.168.16.1
!-------------------------
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname AVSCOMM-R-A
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1456163444
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1456163444
revocation-check none
rsakeypair TP-self-signed-1456163444
!
!
crypto pki certificate chain TP-self-signed-1456163444
certificate self-signed 01
30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343536 31363334 3434301E 170D3039 30393139 31303434
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34353631
36333434 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D0AA 966483DB 6D3B2F93 99BF3BCB 0DE4728C 4C591346 00335888 F832CFAC
9893E367 78B157FF E19314AA 1D2F1510 17F91B2C 1766B15C A3200A8C C7AA91D3
EEBB02E7 B5084D63 AB4EFF75 D6649E18 7632B2F5 C60EEE43 F1C2D58A 01EDAF82
E41E3738 2CBAD22F 0C9516AE DA971D7F 0DFF8726 720F4678 23982E3F 42851EF3
9E030203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D415653 434F4D4D 2D522D41 2E617673 636F6D6D 2D6C7464
2E6C6F63 616C301F 0603551D 23041830 168014E9 2C9375D2 1285B79B CBB58BD4
DB8F230B 8AA4A430 1D060355 1D0E0416 0414E92C 9375D212 85B79BCB B58BD4DB
8F230B8A A4A4300D 06092A86 4886F70D 01010405 00038181 00722B38 A6AAB114
22B740DE 126FC116 CE4C5B4F 3E649DCE D148FACC 869B1C98 28391D4D 85BD1DBE
96C3C210 A830C9EA 501B9DC1 46A534EB FB1AE0D6 BA3331AA DB7E4499 9F113239
5CE76AC6 5FA275B2 922FD01B 6941E33D 3A4A1644 313475AA 5646CF90 7959A5BD
32725BD2 40BC070B 5139D990 BFC41B50 43A977DD 5D80C8D5 AB
quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name avscomm-ltd.local
ip name-server 90.207.238.97
ip name-server 192.168.16.2
ip name-server 158.152.1.58
ip port-map user-protocol--2 port udp 1025 description CCTV
ip port-map user-protocol--3 port udp 2074 description CCTV
ip port-map user-protocol--1 port tcp 81 description CCTV
ip port-map user-protocol--4 port udp 2075 description CCTV
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
license udi pid CISCO1801/K9 sn FHK131620Y1
archive
log config
hidekeys
username
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
crypto ikev2 diagnose error 50
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 107
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 106
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
match access-group 108
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 104
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-https-1
match access-group 103
match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-http-1
inspect
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group
key
dns 192.168.16.2 158.152.1.58
wins 192.168.16.2
pool SDM_POOL_1
save-password
include-local-lan
max-users 5
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group VPN_Group
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
description Demon ADSL
mtu 1500
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface FastEthernet0
description SKY ADSL$ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
description Lan Connection
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface Virtual-Template1 type tunnel
description This Is the VPN
ip unnumbered Dialer0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description Internal Network$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.16.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
!
ip local pool SDM_POOL_1 192.168.17.1 192.168.17.5
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 15
sort-by bytes
cache-timeout 3600000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.16.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.16.6 81 interface Dialer0 81
ip nat inside source static udp 192.168.16.6 1025 interface Dialer0 1025
ip nat inside source static udp 192.168.16.6 2074 interface Dialer0 2074
ip nat inside source static udp 192.168.16.6 2075 interface Dialer0 2075
ip nat inside source static tcp 192.168.16.9 80 interface Dialer0 888
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Demon ADSL Out Rule
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.16.0 0.0.0.255 log
access-list 2 permit 192.168.17.0 0.0.0.255 log
access-list 2 deny any
access-list 23 remark Telnet and SSH Rule I THINK
access-list 23 remark SDM_ACL Category=17
access-list 23 permit 192.168.16.0 0.0.0.255 log
access-list 23 deny any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.16.6
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.16.6
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.16.6
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.16.6
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.16.9
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
banner login ^CPlease log out, only AVS IT department permitted to log in.
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
Thanks
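Why the DHCP client fails only while the firewall is on can be read straight from the posted config. FastEthernet0 is a member of out-zone, and the zone-pair sdm-zp-out-self (out-zone to self) applies sdm-permit, whose only non-default class is SDM_EASY_VPN_SERVER_PT (ISAKMP, ipsec-msft, AH, ESP) and whose class-default is drop. The router's own DHCPDISCOVER/DHCPREQUEST leave through sdm-zp-self-out, where sdm-permit-icmpreply ends in class-default pass, so that direction already works; the modem's DHCPOFFER/DHCPACK (UDP 67 to 68, addressed to the router itself) come back through out-zone to self and are dropped. Removing the firewall removes that drop, which is exactly the symptom. The fragment below is an added example, not text from the thread or output of SDM/CCP. It passes only server-to-client DHCP into the self zone (the class-map name matches the one CCP itself generated later in the thread), then does the two further things a backup WAN needs on this box: NAT selected by egress interface, and a tracked default route, because a Dialer interface stays up/up (spoofing) when its PPP session is down, so a plain static route through it never leaves the routing table. Assumptions: the route-map names, the IP SLA and track numbers, and the use of 158.152.1.58 (the ISP resolver already listed under ip name-server) as an ICMP probe target are mine.

```cisco
! Added example (not from the thread): DHCP client on FastEthernet0 behind the
! zone-based firewall, plus NAT and failover for the backup WAN.
!
! 1. Classify DHCP server -> client replies (UDP 67 -> 68) arriving at the router itself.
ip access-list extended SDM_DHCP_CLIENT
 remark DHCPOFFER/DHCPACK from the modem's server to this router's client port
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match access-group name SDM_DHCP_CLIENT
!
! 2. Pass it in the out-zone -> self policy. class-default there stays "drop";
!    self -> out already ends in "pass" (sdm-permit-icmpreply), so the client's
!    DISCOVER/REQUEST need no change.
policy-map type inspect sdm-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
!
! 3. NAT for the backup path: choose the outside address by egress interface.
route-map NAT-DEMON permit 10
 match ip address 1
 match interface Dialer0
route-map NAT-SKY permit 10
 match ip address 1
 match interface FastEthernet0
!
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map NAT-DEMON interface Dialer0 overload
ip nat inside source route-map NAT-SKY interface FastEthernet0 overload
!
interface FastEthernet0
 ip nat outside
!
! 4. Failover. Track reachability through Dialer0 instead of trusting its line state.
!    158.152.1.58 is the ISP DNS server already in the config; assumed to answer ICMP.
ip sla 1
 icmp-echo 158.152.1.58 source-interface Dialer0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Pin the probe target to Dialer0 so the probe cannot succeed via the backup line.
ip route 158.152.1.58 255.255.255.255 Dialer0
no ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
! The DHCP-learned default route on FastEthernet0 is installed with distance 254,
! so it carries traffic only while the tracked Dialer0 route is withdrawn.
```

Apply it under configure terminal, running `clear ip nat translation *` first, since IOS refuses to remove a NAT rule that has active translations. Verify with `show dhcp lease` (FastEthernet0 should now hold an address), `show policy-map type inspect zone-pair sdm-zp-out-self` (the SDM_DHCP_CLIENT_PT counters should increment during a renew) and `show track 1` (Up while Demon ADSL works; pull the DSL line and the default route should move to FastEthernet0). Two caveats: the static port forwards remain bound to Dialer0 and are unreachable while on the backup line, so they would need twins pointing at FastEthernet0 (with the `extendable` keyword) if inbound SMTP, HTTPS and CCTV must survive failover; and the pinned host route means that one resolver is only reachable over Demon ADSL, which is why the other two name-servers matter. Once `show dhcp lease` shows the modem's DHCP server address, the `permit udp any eq bootps any eq bootpc` line can be narrowed to that host.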
ASKER
Is this best done via SDM? If so, is it in the out zone to self? Also, am I opening up any undue risk; is this the most secure way to do it? Cisco is not my thing, and as the company I work for has already got rid of the other IT guy, I don't want to get blasted if I mess anything up.
And you must add a higher-metric route for the second connection.
ASKER
I have altered the metric but still haven't managed to sort the firewall alteration mentioned above to permit the DHCP.
ASKER
Also, in the syslog I am getting a Looping Packet Detected and Dropped message, which looks like it's something to do with the problem; its originating IP is the DHCP server of the cable modem.
could you show me the log?
Did you put in the ACL that I recommended?
ASKER
Sorry, I haven't figured out what location to add the ACL. The log reads:
Looping Packet Detected And Dropped src= external ip dst=192.168.15.1 "cable modem" hl=20, tl=330 prot=17 sport=68 dport=67 in=FE0 nexthop = external ip
Looping Packet Detected And Dropped src= external ip dst=192.168.15.1 "cable modem" hl=20, tl=330 prot=17 sport=68 dport=67 in=FE0 nexthop = external ip
ASKER
I have removed SDM and installed CCP and recreated the firewall, but I still have the same problem. I have managed to add the ACL above, but it does not seem to work. Can someone please help? I really need to sort this.
Is the ACL matching?
sh access-list
ASKER
I will repost the config in a moment. To recap, Cisco is not really my thing, so I am flying blind and struggling to implement what you suggested, but I think I have it in the right place.
ASKER
This is the current config now; I still cannot get the bootpc/BOOTP to work, and DHCP still won't work on FE0.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 10000
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.16.1 192.168.16.99
ip dhcp excluded-address 192.168.16.111 192.168.16.254
!
ip dhcp pool sdm-pool1
network 192.168.16.0 255.255.255.0
domain-name
dns-server 192.168.16.2 158.152.1.58
default-router 192.168.16.1
!
!
ip cef
no ip bootp server
ip domain name
ip name-server
ip name-server
ip name-server
ip port-map user-protocol--2 port udp 1025 description CCTV
ip port-map user-protocol--3 port udp 2074 description CCTV
ip port-map user-protocol--1 port tcp 81 description CCTV
ip port-map user-protocol--4 port udp 2075 description CCTV
ip ips config location flash:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
ip ddns update method sdm_ddns2
HTTP
add http://
remove http://
!
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
license
archive
log config
hidekeys
username
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
crypto ikev2 diagnose error 50
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-smtp-2
match access-group 103
match protocol smtp
class-map type inspect match-any SDM_BOOTPC0
match access-group name SDM_BOOTPC0
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC0
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-2
match access-group 104
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-smtp-2
inspect
class type inspect sdm-nat-https-2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
interface Null0
no ip unreachables
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
description
mtu 1500
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface FastEthernet0
description
ip dhcp client update dns server none
ip ddns update hostname
ip ddns update
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
description Lan Connection
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface Vlan1
description Internal Network$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.16.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.16.2 443 interface Dialer0 443
ip nat inside source list 5 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any eq bootps any eq bootpc
ip access-list extended SDM_BOOTPC0
remark CCP_ACL Category=0
permit udp any eq bootps any eq bootpc
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
logging trap debugging
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.16.0 0.0.0.255 log
access-list 2 permit 192.168.17.0 0.0.0.255 log
access-list 2 deny any
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.16.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 192.168.16.0 0.0.0.255
access-list 23 remark Telnet and SSH Rule I THINK
access-list 23 remark SDM_ACL Category=17
access-list 23 permit 192.168.16.0 0.0.0.255 log
access-list 23 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.16.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.16.2
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CPlease log out
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 192.168.16.2 prefer source FastEthernet1
end
Which version of IOS is your 1801 running? A few specific versions of IOS had issues with some of the config that CCP is applying.
Were you completely removing the firewall to get the FA 0 interface to pick up an address, or did you merely remove the zone assignment from the FA 0 interface, then put it back after DHCP completed?
ASKER
The latest Enterprise IP Services, released just before Xmas. I removed the whole firewall config and the interface picks up an IP after a few seconds. I also tried SDM before CCP and had the same problem.
There were several versions released before Christmas. 12.4(24)T4? 15.0(1)M1? 15.1(1)XB?
Are you comfortable making changes on the Command-Line Interface, if I provide the specific commands you need? It can be a real challenge to describe the changes that you'd need to make in CCP.
There are terms in the firewall configuration that *should* be allowing the dhcp client (bootpc) to receive replies from the dhcp server (bootps). I'm not sure why it's not working, but this seems somehow familiar. I'll look back over my notes. In the meantime, can you please post your present config, if it's changed from that you posted above on 4 JAN?
Please add this rule for the fa0/0 zone security:
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
ikalmar, you haven't provided sufficient detail for xrmichael to implement your suggestion. However, that's a moot point, because your suggestion is already accommodated in the firewall.
As I said, there are terms in the firewall configuration that *should* be allowing the dhcp client (bootpc) to receive replies from the dhcp server (bootps). Furthermore, the outbound bootp client requests are handled by the "pass" action on class class-default of the self -> out-zone policy.
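A worked check of what the posted zone-based firewall actually does with these packets. This is an added example, not code from this thread or from Cisco: a small Python model of ZBF classification run over a constructed excerpt of the configuration posted above. It makes a few simplifying assumptions, each noted in the code: only named ACLs with any/host address forms are parsed, "match protocol udp|tcp|icmp" is taken to match any packet of that transport protocol, and 203.0.113.5 stands in for the external IP that was blanked out of the log line. Three constructed packets are evaluated: the modem's DHCPOFFER arriving on out-zone for self, the router's own broadcast DHCPDISCOVER leaving self for out-zone, and the client-port-68 packet from outside that the syslog reported.

```python
"""Minimal model of Cisco IOS zone-based firewall (ZBF) classification, written for
this thread (not Cisco code). It parses only what the DHCP path of the posted config
uses: named extended ACLs (any/host forms), inspect class-maps, policy-maps, zone-pairs."""
PORTS = {"bootps": 67, "bootpc": 68}
CONFIG = """ip access-list extended SDM_BOOTPC0
 permit udp any eq bootps any eq bootpc
class-map type inspect match-any SDM_BOOTPC0
 match access-group name SDM_BOOTPC0
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC0
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit"""  # constructed excerpt of the config posted above

def _addr(t, i):
    """Parse 'any' or 'host A', then an optional 'eq PORT', at t[i]; None means any."""
    host, i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
    if i < len(t) and t[i] == "eq":
        return host, int(PORTS.get(t[i + 1], t[i + 1])), i + 2
    return host, None, i

def parse(text):
    """Return (acls, classes, policies, pairs) from an IOS running-config excerpt."""
    acls, classes, policies, pairs, cur = {}, {}, {}, {}, ("", None)
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur, acls[t[3]] = ("acl", t[3]), []
        elif t[0] == "class-map":  # class-map type inspect match-any|match-all NAME
            cur, classes[t[4]] = ("class", t[4]), (t[3] == "match-all", [])
        elif t[0] == "policy-map":  # policy-map type inspect NAME
            cur, policies[t[3]] = ("policy", t[3]), []
        elif t[0] == "zone-pair":  # zone-pair security NAME source SRC destination DST
            cur = ("pair", (t[4], t[6]))
        elif cur[0] == "acl" and t[0] in ("permit", "deny"):
            src, sport, i = _addr(t, 2)
            dst, dport, _ = _addr(t, i)
            acls[cur[1]].append((t[0], t[1], src, sport, dst, dport))
        elif cur[0] == "class" and t[0] == "match":
            classes[cur[1]][1].append(tuple(t[1:]))
        elif cur[0] == "policy" and t[0] == "class":  # 'class class-default' or 'class type inspect NAME'
            policies[cur[1]].append([t[-1], None])
        elif cur[0] == "policy" and t[0] in ("inspect", "pass", "drop"):
            policies[cur[1]][-1][1] = t[0]
        elif cur[0] == "pair" and t[0] == "service-policy":
            pairs[cur[1]] = t[-1]
    return acls, classes, policies, pairs

def acl_permits(acl, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt["proto"]) and src in (None, pkt["src"]) and dst in (None, pkt["dst"])
                and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"])):
            return action == "permit"
    return False

def class_matches(name, pkt, cfg):
    """Assumption: 'match protocol udp|tcp|icmp' matches any packet of that transport."""
    match_all, terms = cfg[1][name]
    hits = [acl_permits(cfg[0][term[-1]], pkt) if term[0] == "access-group"
            else pkt["proto"] == term[1] if term[0] == "protocol"
            else class_matches(term[1], pkt, cfg) for term in terms]
    return all(hits) if match_all else any(hits)

def zbf_action(src_zone, dst_zone, pkt, cfg):
    """First matching class decides; no zone-pair = drop, except to/from self (default permit)."""
    if (src_zone, dst_zone) not in cfg[3]:
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    for cname, action in cfg[2][cfg[3][src_zone, dst_zone]]:
        if cname == "class-default" or class_matches(cname, pkt, cfg):
            return action
    return "drop"

CFG = parse(CONFIG)
# Constructed packets; 203.0.113.5 stands in for the redacted external IP from the log line.
OFFER = {"proto": "udp", "src": "192.168.15.1", "sport": 67, "dst": "255.255.255.255", "dport": 68}
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67}
LOGGED = {"proto": "udp", "src": "203.0.113.5", "sport": 68, "dst": "192.168.15.1", "dport": 67}

def check():
    return {"offer out-zone->self": zbf_action("out-zone", "self", OFFER, CFG),
            "discover self->out-zone": zbf_action("self", "out-zone", DISCOVER, CFG),
            "logged pkt out-zone->self": zbf_action("out-zone", "self", LOGGED, CFG)}
```

Under this model the offer is matched by SDM_DHCP_CLIENT_PT and passed, so the out-zone to self direction is covered as described above. The router's own broadcast DHCPDISCOVER, however, does not reach class-default in ccp-permit-icmpreply: ccp-icmp-access is built on ccp-cls-icmp-access, which contains "match protocol udp", so the request is classified for inspect rather than pass. The logged packet (client port 68 from an outside source) matches nothing in ccp-permit and falls to class-default drop. On the router, `show policy-map type inspect zone-pair ccp-zp-self-out` shows the per-class counters, which is the quickest way to confirm which class the outgoing requests are really hitting; ikalmar's suggested permit (host 0.0.0.0 eq bootpc to host 255.255.255.255 eq bootps) matches that discover under this model.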
ASKER
I will grab the current config now and post it. I have no problem using the CLI to add in your changes.
ASKER
The config is the same as it was on the 4th. If you let me know the commands I can do the alteration. The IOS is C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)XB, RELEASE SOFTWARE (fc1).
Please give me a little time. I'll reproduce a similar configuration and have a look at this.
ASKER
Will the amended config you generate get broken if I open it in CCP? As I have to use CCP to open up ports and then shut them again, this needs me to run the firewall wizard.
ASKER CERTIFIED SOLUTION
ASKER
I will give it a go today and report back.
ASKER
Thank you, first rate, sorted my problem, well worth 5000 points.
ASKER
Mr Dirt, I am struggling to follow the Cisco guide you linked me to. The DHCP is now sorted but I cannot get the FE0 to act as a failover. Can we go over it here or shall I post another?
You might wish to post a new question to attract more people to provide an answer. If you'd prefer not to, I can address it here as I get an opportunity.
You have to add the following rule:
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps