Solved

Cisco 1801 Configuration Help: FE0 DHCP and Firewall

Posted on 2010-01-03
Last Modified: 2013-11-22
The credit crunch has left me in charge of our network; the full-time IT guy has had to go, so a steep learning curve probably follows.

I need to make some alterations to one of our small offices that has an 1801/K9 installed. I have reloaded the config via SDM (so I can hopefully maintain it via SDM from here on) and updated the IOS to the latest version.

I need to add FE/0 as a backup WAN connection, as the inbuilt ADSL sometimes goes down.

FE/0 has an ADSL modem on it that will hand out the IP via DHCP. I have configured FE/0, but it will not take an IP unless I disable the firewall; if I reapply the firewall and let SDM modify it to let DHCP through, it still does not work.

Can someone help me modify this config to sort the DHCP and keep the firewall somewhat secure? Any other points on the config gratefully taken.

!This is the running config of the router: 192.168.16.1
!----------------------------------------------------------------------------
!version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname AVSCOMM-R-A
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1456163444
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1456163444
 revocation-check none
 rsakeypair TP-self-signed-1456163444
!
!
crypto pki certificate chain TP-self-signed-1456163444
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343536 31363334 3434301E 170D3039 30393139 31303434
  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34353631
  36333434 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D0AA 966483DB 6D3B2F93 99BF3BCB 0DE4728C 4C591346 00335888 F832CFAC
  9893E367 78B157FF E19314AA 1D2F1510 17F91B2C 1766B15C A3200A8C C7AA91D3
  EEBB02E7 B5084D63 AB4EFF75 D6649E18 7632B2F5 C60EEE43 F1C2D58A 01EDAF82
  E41E3738 2CBAD22F 0C9516AE DA971D7F 0DFF8726 720F4678 23982E3F 42851EF3
  9E030203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D415653 434F4D4D 2D522D41 2E617673 636F6D6D 2D6C7464
  2E6C6F63 616C301F 0603551D 23041830 168014E9 2C9375D2 1285B79B CBB58BD4
  DB8F230B 8AA4A430 1D060355 1D0E0416 0414E92C 9375D212 85B79BCB B58BD4DB
  8F230B8A A4A4300D 06092A86 4886F70D 01010405 00038181 00722B38 A6AAB114
  22B740DE 126FC116 CE4C5B4F 3E649DCE D148FACC 869B1C98 28391D4D 85BD1DBE
  96C3C210 A830C9EA 501B9DC1 46A534EB FB1AE0D6 BA3331AA DB7E4499 9F113239
  5CE76AC6 5FA275B2 922FD01B 6941E33D 3A4A1644 313475AA 5646CF90 7959A5BD
  32725BD2 40BC070B 5139D990 BFC41B50 43A977DD 5D80C8D5 AB
        quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name avscomm-ltd.local
ip name-server 90.207.238.97
ip name-server 192.168.16.2
ip name-server 158.152.1.58
ip port-map user-protocol--2 port udp 1025 description CCTV
ip port-map user-protocol--3 port udp 2074 description CCTV
ip port-map user-protocol--1 port tcp 81 description CCTV
ip port-map user-protocol--4 port udp 2075 description CCTV
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

!
!
license udi pid CISCO1801/K9 sn FHK131620Y1
archive
 log config
  hidekeys
username
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
crypto ikev2 diagnose error 50
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 107
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 106
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
 match access-group 108
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--4-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key
 dns 192.168.16.2 158.152.1.58
 wins 192.168.16.2
 pool SDM_POOL_1
 save-password
 include-local-lan
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN_Group
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
 description Demon ADSL
 mtu 1500
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description SKY ADSL$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet1
 description Lan Connection
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface Virtual-Template1 type tunnel
 description This Is the VPN
 ip unnumbered Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description Internal Network$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
!
ip local pool SDM_POOL_1 192.168.17.1 192.168.17.5
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 15
 sort-by bytes
 cache-timeout 3600000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.16.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.16.6 81 interface Dialer0 81
ip nat inside source static udp 192.168.16.6 1025 interface Dialer0 1025
ip nat inside source static udp 192.168.16.6 2074 interface Dialer0 2074
ip nat inside source static udp 192.168.16.6 2075 interface Dialer0 2075
ip nat inside source static tcp 192.168.16.9 80 interface Dialer0 888
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Demon ADSL Out Rule
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.16.0 0.0.0.255 log
access-list 2 permit 192.168.17.0 0.0.0.255 log
access-list 2 deny   any
access-list 23 remark Telnet and SSH Rule I THINK
access-list 23 remark SDM_ACL Category=17
access-list 23 permit 192.168.16.0 0.0.0.255 log
access-list 23 deny   any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.16.6
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.16.6
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.16.6
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.16.6
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.16.9
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
!
!
control-plane
!
banner login ^CPlease log out, only AVS IT department permitted to log in.

^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Thanks
Question by:xrmichael
25 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26166223
Hi,

you have to add the following rule:

 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
0
 

Author Comment

by:xrmichael
ID: 26166283
Is this best done via SDM? If so, is it in the Out zone to self? Also, am I opening up any undue risk, and is this the most secure way to do it? Cisco is not my thing, and as the company I work for has already got rid of the other IT guy I don't want to get blasted if I mess anything up.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26166588
and you must add a higher metric route for the second connection
0

Author Comment

by:xrmichael
ID: 26166686
I have altered the metric but still haven't managed to sort the firewall alteration mentioned above to permit the DHCP.
0
 

Author Comment

by:xrmichael
ID: 26166796
Also, in the syslog I am getting a Looping Packet Detected and Dropped message, which looks like it is something to do with the problem; its originating IP is the DHCP server of the cable modem.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26166811
could you show me the log?
did you put in the ACL that I recommended?
0
 

Author Comment

by:xrmichael
ID: 26166847
Sorry, I haven't figured out what location to add the ACL. The log reads:

Looping Packet Detected And Dropped src= external ip dst=192.168.15.1 "cable modem" hl=20, tl=330 prot=17 sport=68 dport=67 in=FE0 nexthop = external ip
0
 

Author Comment

by:xrmichael
ID: 26169056
I have removed SDM and installed CCP and recreated the firewall, but still have the same problem. I have managed to add the ACL above but it does not seem to work. Can someone please help, I really need to sort this.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26169074
Is the ACL matching?

sh access-list
0
 

Author Comment

by:xrmichael
ID: 26169114
I will repost the config in a moment. To recap, Cisco is not really my thing, so I am flying blind and struggling to implement what you suggested, but I think I have it in the right place.
0
 

Author Comment

by:xrmichael
ID: 26169808
This is the current config now; I still cannot get the bootpc to work, and DHCP still won't work on FE0.

service timestamps log datetime msec localtime show-timezone

service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 10000
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.16.1 192.168.16.99
ip dhcp excluded-address 192.168.16.111 192.168.16.254
!
ip dhcp pool sdm-pool1
   network 192.168.16.0 255.255.255.0
   domain-name
   dns-server 192.168.16.2 158.152.1.58
   default-router 192.168.16.1
!
!
ip cef
no ip bootp server
ip domain name
ip name-server
ip name-server
ip name-server
ip port-map user-protocol--2 port udp 1025 description CCTV
ip port-map user-protocol--3 port udp 2074 description CCTV
ip port-map user-protocol--1 port tcp 81 description CCTV
ip port-map user-protocol--4 port udp 2075 description CCTV
ip ips config location flash:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
!
ip ddns update method sdm_ddns2
 HTTP
  add http://
  remove http://
!
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

!
!
license
archive
 log config
  hidekeys
username
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
crypto ikev2 diagnose error 50
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 103
 match protocol smtp
class-map type inspect match-any SDM_BOOTPC0
 match access-group name SDM_BOOTPC0
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC0
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-2
 match access-group 104
 match protocol https
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class type inspect sdm-nat-https-2
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
 description
 mtu 1500
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description
 ip dhcp client update dns server none
 ip ddns update hostname
 ip ddns update
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet1
 description Lan Connection
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface Vlan1
 description Internal Network$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.16.2 443 interface Dialer0 443
ip nat inside source list 5 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any eq bootps any eq bootpc
ip access-list extended SDM_BOOTPC0
 remark CCP_ACL Category=0
 permit udp any eq bootps any eq bootpc
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.16.0 0.0.0.255 log
access-list 2 permit 192.168.17.0 0.0.0.255 log
access-list 2 deny   any
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.16.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 192.168.16.0 0.0.0.255
access-list 23 remark Telnet and SSH Rule I THINK
access-list 23 remark SDM_ACL Category=17
access-list 23 permit 192.168.16.0 0.0.0.255 log
access-list 23 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.16.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.16.2
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CPlease log out

^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 192.168.16.2 prefer source FastEthernet1
end

0
 
LVL 5

Expert Comment

by:mr_dirt
ID: 26205613
Which version of IOS is your 1801 running?  A few specific versions of IOS had issues with some of the config that CCP is applying.

Were you completely removing the firewall to get the FA 0 interface to pick up an address, or did you merely remove the zone assignment from the FA 0 interface, then put it back after DHCP completed?

0
 

Author Comment

by:xrmichael
ID: 26210845
The latest Enterprise IP Services, released just before Xmas. I removed the whole firewall config and the interface picks up an IP after a few seconds. I also tried SDM before CCP and had the same problem.
0
 
LVL 5

Expert Comment

by:mr_dirt
ID: 26211670
There were several versions released before Christmas.  12.4(24)T4?  15.0(1)M1? 15.1(1)XB?

Are you comfortable making changes on the Command-Line Interface, if I provide the specific commands you need?  It can be a real challenge to describe the changes that you'd need to make in CCP.

There are terms in the firewall configuration that *should* be allowing the dhcp client (bootpc) to receive replies from the dhcp server (bootps).  I'm not sure why it's not working, but this seems somehow familiar.  I'll look back over my notes.  In the meantime, can you please post your present config, if it's changed from that you posted above on 4 JAN?  
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26211749
please add this rule for the fa0/0 zone security:


 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
0
 
LVL 5

Expert Comment

by:mr_dirt
ID: 26211906
ikalmar, you haven't provided sufficient detail for xrmichael to implement your suggestion.  However, that's a moot point, because your suggestion is already accommodated in the firewall.

As I said, there are terms in the firewall configuration that *should* be allowing the dhcp client (bootpc) to receive replies from the dhcp server (bootps).  Furthermore, the outbound bootp client requests are handled by the "pass" action on class class-default of the self -> out-zone policy.
0
 

Author Comment

by:xrmichael
ID: 26213483
I will grab the current config now and post it, I have no problem using CLI to add in your changes.
0
 

Author Comment

by:xrmichael
ID: 26213863
The config is the same as it was on the 4th. If you let me know the commands I can do the alteration. The IOS is C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)XB, RELEASE SOFTWARE (fc1).
0
 
LVL 5

Expert Comment

by:mr_dirt
ID: 26243666
Please give me a little time.  I'll reproduce a similar configuration and have a look at this.
0
 

Author Comment

by:xrmichael
ID: 26259916
Will the amended config you generate get broken if I open it in CCP? As I have to use CCP to open up ports and then shut them again, this needs me to run the firewall wizard.
0
 
LVL 5

Accepted Solution

by:mr_dirt (earned 2000 total points)
ID: 26298684
Sorry for the delay getting this to you.  It took some time to re-create your issue, and even longer to sort it out.  There is some extra stuff in your config, and I took a few extra steps to simplify the config just a little.

Here are the CLI commands that will fix this DHCP-client problem and reduce some complexity for a working config.  This should maintain the same security as you have now:

config t
ip access-list extended SDM_BOOTPS
permit udp any eq bootpc any eq bootps
!
class-map type inspect match-any SDM_BOOTPS
match access-group name SDM_BOOTPS
!
policy-map type inspect ccp-permit-icmpreply
no class type inspect ccp-icmp-access
class type inspect SDM_BOOTPS
pass
class type inspect ccp-cls-icmp-access
inspect
!
policy-map type inspect ccp-permit
no class type inspect SDM_DHCP_CLIENT_PT
class type inspect SDM_BOOTPC
pass

Whew.  Seems like a lot of work for a fairly simple problem, although there were extra steps in there to clean up some extra config and avoid some problems that have cropped up in the past.  You can remove some cruft in the config with this:

no class-map type inspect match-any SDM_BOOTPC0
no ip access-list extended SDM_BOOTPC0
no class-map type inspect match-any SDM_DHCP_CLIENT_PT
no class-map type inspect match-all ccp-icmp-access


As far as using the secondary (FA 0) connection when the DSL goes down, there's a doc on cisco.com that describes that, or we can go through it here, if you prefer:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml

The config shouldn't get wrecked when you open it in CCP.  On the contrary, CCP should be able to deal with it perfectly fine.
0
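To see what the accepted fix actually produces, here is a small Python model of the zone-based firewall's class-map, policy-map and zone-pair evaluation, run over a constructed excerpt of the post-fix self/out-zone policy from the commands above. It is an added example, not code from the thread, from mr_dirt or from Cisco; it classifies only the initial packet of a flow (no inspect session state), and it does not try to explain why the earlier nested SDM_DHCP_CLIENT_PT class-map failed on that IOS release, because the thread does not say.

```python
"""Minimal model of an IOS zone-based firewall policy, used to check which
action DHCP-client traffic on FE0 gets after the accepted fix. Added example,
not code from the thread or from Cisco; CONFIG is a constructed excerpt."""
import re

PORTS = {"bootps": 67, "bootpc": 68}   # UDP port names used in the ACLs

# Constructed excerpt: only the self<->out-zone parts of the post-fix config.
CONFIG = """
ip access-list extended SDM_BOOTPC
 permit udp any eq bootps any eq bootpc
ip access-list extended SDM_BOOTPS
 permit udp any eq bootpc any eq bootps
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_BOOTPS
 match access-group name SDM_BOOTPS
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect ccp-permit-icmpreply
 class type inspect SDM_BOOTPS
  pass
 class type inspect ccp-cls-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_BOOTPC
  pass
 class class-default
  drop
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""

def parse(text):
    """Parse ACLs, class-maps, policy-maps and zone-pairs into dicts."""
    acls, cmaps, pmaps, pairs = {}, {}, {}, {}
    cur = kind = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur, kind = acls.setdefault(m[1], []), "acl"
        elif m := re.match(r"class-map type inspect (match-any|match-all) (\S+)", line):
            cur, kind = cmaps.setdefault(m[2], {"mode": m[1], "terms": []}), "cmap"
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cur, kind = pmaps.setdefault(m[1], []), "pmap"
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            cur, kind = pairs.setdefault((m[1], m[2]), {}), "pair"
        elif kind == "acl" and (m := re.match(r"permit (\S+) any eq (\S+) any eq (\S+)", line)):
            cur.append((m[1], PORTS[m[2]], PORTS[m[3]]))   # (proto, sport, dport)
        elif kind == "cmap" and (m := re.match(r"match (access-group name|protocol|class-map) (\S+)", line)):
            cur["terms"].append((m[1], m[2]))
        elif kind == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cur.append([m[1], None])                 # [class name, action]
        elif kind == "pmap" and line.split()[0] in ("pass", "inspect", "drop"):
            cur[-1][1] = line.split()[0]             # "drop log" -> "drop"
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cur["policy"] = m[1]
    return acls, cmaps, pmaps, pairs

def class_matches(name, flow, acls, cmaps):
    """match-any: one term suffices; match-all: every term must hit."""
    cmap = cmaps[name]
    hits = []
    for term, arg in cmap["terms"]:
        if term == "access-group name":
            hits.append(flow in acls[arg])
        elif term == "protocol":
            hits.append(arg == flow[0])
        else:                                        # nested class-map
            hits.append(class_matches(arg, flow, acls, cmaps))
    return any(hits) if cmap["mode"] == "match-any" else all(hits)

def action_for(cfg, src_zone, dst_zone, flow):
    """First matching class in the zone-pair's policy wins, as on IOS. With no
    zone-pair, traffic to/from the router's 'self' zone is allowed and other
    inter-zone traffic dropped. Inspect session state is not modelled."""
    acls, cmaps, pmaps, pairs = cfg
    pair = pairs.get((src_zone, dst_zone))
    if pair is None:
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    for cname, action in pmaps[pair["policy"]]:
        if cname == "class-default" or class_matches(cname, flow, acls, cmaps):
            return action
    return "drop"

DHCP_DISCOVER = ("udp", 68, 67)   # router (self) -> out-zone, bootpc -> bootps
DHCP_OFFER = ("udp", 67, 68)      # out-zone -> router (self), bootps -> bootpc

def dhcp_client_verdict(text=CONFIG):
    """Actions for both halves of the DHCP exchange; both must be 'pass'."""
    cfg = parse(text)
    return {"discover": action_for(cfg, "self", "out-zone", DHCP_DISCOVER),
            "offer": action_for(cfg, "out-zone", "self", DHCP_OFFER)}
```

Note that SDM_BOOTPS sits before ccp-cls-icmp-access in the self-to-out policy: that class also matches UDP, so if the order were reversed the DHCP request would be inspected rather than passed.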
 

Author Comment

by:xrmichael
ID: 26301344
I will give it a go today and report back.
0
 

Author Closing Comment

by:xrmichael
ID: 31672131
Thank you, first rate, sorted my problem, well worth 5000 points.
0
 

Author Comment

by:xrmichael
ID: 26432901
Mr Dirt, I am struggling to follow the Cisco guide you linked me to. The DHCP is now sorted but I cannot get FE0 to act as a failover; can we go over it here or shall I post another?
0
 
LVL 5

Expert Comment

by:mr_dirt
ID: 26450583
You might wish to post a new question to attract more people to provide an answer.  If you'd prefer not to, I can address it here as I get an opportunity.
0
