Solved

Cisco 857 firewall

Posted on 2013-01-11
8
488 Views
Last Modified: 2013-02-02
I have a spare Cisco 857 in the office that I am trying to use to set up a test site-to-site connection, however I am having problems configuring the firewall on this router. I also have another 857 that is working as the office's main router in front of an ISA server and it's working fine.

I have tried copying over the running config from the working 857 with no joy, I have even tried factory defaulting the router and starting from scratch and am still getting the error message. Below I have attached the running config, version and screenshots of the error.

I am trying to configure it using the wizard in SDM, but get the same issues when creating the zones and rules manually in the SDM also.

SDM error
Show Version
Router#show version
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 02:37 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Router uptime is 19 hours, 5 minutes
System returned to ROM by reload
System image file is "flash:c850-advsecurityk9-mz.124-15.T14.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.
Processor board ID FCZ1512C24Y
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102



Running Config
Router#show config
Using 2405 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1159343166
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1159343166
 revocation-check none
 rsakeypair TP-self-signed-1159343166
!
!
crypto pki certificate chain TP-self-signed-1159343166
 certificate self-signed 01 nvram:IOS-Self-Sig#18.cer
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.201 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool basic
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 8.8.8.8
!
!
ip cef
ip name-server 8.8.8.8
!
!
!
username ***** privilege 15 password 0 *****
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap ******
 ppp chap password 0 *****
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool test 192.168.1.2 192.168.1.2 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip nat outside source static tcp ***** 1723 192.168.1.2 1723 extendable
!
ip access-list extended test
 remark test
 remark SDM_ACL Category=2
 remark tet
 permit tcp any any log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end



Code trying to run
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 exit
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
 exit
class-map type inspect match-all sdm-protocol-http
 match protocol http
 exit
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 exit
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
 exit
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  no drop
  inspect
  exit
 class class-default
  no drop
  pass
  exit
 exit
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
  exit
 class type inspect sdm-insp-traffic
  no drop
  inspect
  exit
 class type inspect sdm-protocol-http
  no drop
  inspect
  exit
 class class-default
 exit
policy-map type inspect sdm-permit
 class class-default
 exit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
 exit
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
 exit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
 exit


Question by:CaptainGiblets
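Two things are visible in the pasted "Code trying to run" block: policy-map sdm-inspect uses `class type inspect sdm-invalid-src`, but no class-map of that name is defined in what was pasted, and neither Vlan1 nor Dialer0 carries a `zone-member security` line, so in-zone and out-zone have no interfaces. The script below is an added example (not code from this thread) that scans an IOS zone-based firewall snippet for exactly those cross-reference gaps; the abridged config it runs on is constructed from the question's block.

```python
# Added cross-reference check for a Cisco IOS zone-based firewall snippet (not
# code from the thread): reports class-maps, policy-maps and zones that are
# referenced but never defined, and zones no interface is a member of.
import re

# Constructed, abridged copy of the question's "Code trying to run" block.
SAMPLE_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol tcp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""

# (object kind, role, regex) for each CLI statement that defines or uses a name
RULES = [
    ("class", "def", r"class-map type inspect \S+ (\S+)$"),
    ("class", "ref", r"match class-map (\S+)$"),
    ("class", "ref", r"class type inspect (\S+)$"),
    ("policy", "def", r"policy-map type inspect (\S+)$"),
    ("policy", "ref", r"service-policy type inspect (\S+)$"),
    ("zone", "def", r"zone security (\S+)$"),
    ("zone", "ref", r"zone-pair security \S+ source (\S+) destination (\S+)$"),
    ("zone", "member", r"zone-member security (\S+)$"),
]

def check_zbf(config: str) -> dict:
    """Return sorted name lists keyed undefined_class/policy/zone, empty_zone."""
    seen = {(k, r): set() for k, r, _ in RULES}
    for raw in config.splitlines():
        for kind, role, pat in RULES:
            if m := re.match(pat, raw.strip()):
                seen[kind, role].update(m.groups())
    seen["zone", "ref"].discard("self")  # the router's own zone is built in
    return {
        "undefined_class": sorted(seen["class", "ref"] - seen["class", "def"]),
        "undefined_policy": sorted(seen["policy", "ref"] - seen["policy", "def"]),
        "undefined_zone": sorted(seen["zone", "ref"] - seen["zone", "def"]),
        "empty_zone": sorted(seen["zone", "def"] - seen["zone", "member"]),
    }
```

Run it against a full `show running-config` paste before pushing a policy from SDM; an undefined class-map or an interface-less zone is what the router rejects or silently ignores.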
8 Comments
 
LVL 28

Expert Comment

by:asavener
Can you run "show license" and provide the output?
 
LVL 6

Author Comment

by:CaptainGiblets
There is no show license command on my router.

If I log in via telnet and type in show ?, it can't find license.
 
LVL 28

Expert Comment

by:asavener
When you log in, and you see the command prompt, does it end with a ">" or a "#"?
 
LVL 6

Author Comment

by:CaptainGiblets
#

I have tried running the disable command and can't do it from there either.

 
LVL 28

Expert Comment

by:asavener
My 881 router allows me to do show license at that prompt.
 
LVL 28

Expert Comment

by:asavener
Whoops. I'm sorry; I didn't see that you're running 12.4.
 
LVL 6

Accepted Solution

by:CaptainGiblets (earned 0 total points)
Managed to figure it out by combining 2 of my working configs.
 
LVL 6

Author Closing Comment

by:CaptainGiblets
Working now.
