Solved

Cisco 857 firewall

Posted on 2013-01-11
Medium Priority
509 Views
Last Modified: 2013-02-02
I have a spare Cisco 857 in the office that I am trying to use to set up a test site-to-site connection; however, I am having problems configuring the firewall on this router. I also have another 857 that is working as the office's main router in front of an ISA server, and it is working fine.

I have tried copying over the running config from the working 857 with no joy; I have even tried factory defaulting the router and starting from scratch, and I am still getting the error message. Below I have attached the running config, version and screenshots of the error.

I am trying to configure it using the wizard in SDM, but I get the same issues when creating the zones and rules manually in SDM as well.

SDM error
Show Version
Router#show version
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 02:37 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Router uptime is 19 hours, 5 minutes
System returned to ROM by reload
System image file is "flash:c850-advsecurityk9-mz.124-15.T14.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.
Processor board ID FCZ1512C24Y
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102



Running Config
Router#show config
Using 2405 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1159343166
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1159343166
 revocation-check none
 rsakeypair TP-self-signed-1159343166
!
!
crypto pki certificate chain TP-self-signed-1159343166
 certificate self-signed 01 nvram:IOS-Self-Sig#18.cer
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.201 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool basic
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 8.8.8.8
!
!
ip cef
ip name-server 8.8.8.8
!
!
!
username ***** privilege 15 password 0 *****
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap ******
 ppp chap password 0 *****
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool test 192.168.1.2 192.168.1.2 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip nat outside source static tcp ***** 1723 192.168.1.2 1723 extendable
!
ip access-list extended test
 remark test
 remark SDM_ACL Category=2
 remark tet
 permit tcp any any log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end



Code trying to run
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 exit
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
 exit
class-map type inspect match-all sdm-protocol-http
 match protocol http
 exit
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 exit
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
 exit
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  no drop
  inspect
  exit
 class class-default
  no drop
  pass
  exit
 exit
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
  exit
 class type inspect sdm-insp-traffic
  no drop
  inspect
  exit
 class type inspect sdm-protocol-http
  no drop
  inspect
  exit
 class class-default
 exit
policy-map type inspect sdm-permit
 class class-default
 exit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
 exit
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
 exit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
 exit


Question by:CaptainGiblets
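One check worth running on the "Code trying to run" snippet above, as an added example that is not part of the original post: a short Python pass that parses a zone-based firewall (ZBF) snippet and reports references to objects it never defines. Run against the posted snippet it flags that `sdm-invalid-src` is referenced by `policy-map type inspect sdm-inspect` but no `class-map` with that name appears in the paste, and that neither `in-zone` nor `out-zone` has a `zone-member security` interface in the paste. The "fixed" input appended in the script is a hypothetical completion (the `match access-group 100` body and the Vlan1/Dialer0 zone assignments are assumptions), not the working config the poster ended up with.

```python
"""Lint an IOS zone-based firewall (ZBF) snippet for dangling references.

Added example, not code from the original post or from Cisco.  It reports
class-maps and policy-maps that are referenced but never defined, and zones
named in a zone-pair that are never declared or have no zone-member interface
(the built-in "self" zone is exempt).  Inputs are constructed text.
"""
import re

# Abridged copy of the "Code trying to run" snippet from the question.
QUESTION_SNIPPET = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol tcp
 exit
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
 exit
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
  exit
 class type inspect sdm-insp-traffic
  inspect
  exit
 class class-default
 exit
policy-map type inspect sdm-permit
 class class-default
 exit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
 exit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
 exit
"""

# Hypothetical completion (assumed, not the poster's fix): define the missing
# class-map and put the posted config's LAN and WAN interfaces into the zones.
FIXED_SNIPPET = QUESTION_SNIPPET + """\
class-map type inspect match-all sdm-invalid-src
 match access-group 100
 exit
interface Vlan1
 zone-member security in-zone
 exit
interface Dialer0
 zone-member security out-zone
 exit
"""

# Definitions and references the linter tracks; first matching pattern wins.
_PATTERNS = [
    ("class_def", re.compile(r"class-map type inspect (?:match-any|match-all) (\S+)")),
    ("policy_def", re.compile(r"policy-map type inspect (\S+)")),
    ("zone_def", re.compile(r"zone security (\S+)")),
    ("class_ref", re.compile(r"(?:match class-map|class type inspect) (\S+)")),
    ("policy_ref", re.compile(r"service-policy type inspect (\S+)")),
    ("zone_ref", re.compile(r"zone-pair security \S+ source (\S+) destination (\S+)")),
    ("zone_member", re.compile(r"zone-member security (\S+)")),
]


def lint_zbf(config: str) -> list[str]:
    """Return sorted findings for a ZBF config text; an empty list means clean."""
    found = {name: [] for name, _ in _PATTERNS}
    for raw in config.splitlines():
        line = raw.strip()
        for name, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                found[name].extend(m.groups())
                break
    problems = set()
    for c in found["class_ref"]:
        if c not in found["class_def"]:
            problems.add(f"class-map {c} is referenced but never defined")
    for p in found["policy_ref"]:
        if p not in found["policy_def"]:
            problems.add(f"policy-map {p} is applied but never defined")
    for z in found["zone_ref"]:
        if z == "self":  # built-in zone for traffic to/from the router itself
            continue
        if z not in found["zone_def"]:
            problems.add(f"zone {z} is used in a zone-pair but never declared")
        elif z not in found["zone_member"]:
            problems.add(f"zone {z} has no zone-member interface")
    return sorted(problems)


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_SNIPPET), ("fixed", FIXED_SNIPPET)):
        print(label, lint_zbf(cfg) or "no dangling references")
```

The linter deliberately treats `self` as always present, because IOS creates that zone itself and it never takes a `zone-member` line; everything else in a zone-pair must be declared and attached to an interface, or the pair inspects nothing.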
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 38767177
Can you run "show license" and provide the output?
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 38777449
There is no show license command on my router.

If I log in via telnet and type show ?, it can't find license.
 
LVL 28

Expert Comment

by:asavener
ID: 38778259
When you log in, and you see the command prompt, does it end with a ">" or a "#"?
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 38778588
#

I have tried running the disable command and can't do it from there either.
 
LVL 28

Expert Comment

by:asavener
ID: 38779068
My 881 router allows me to do show license at that prompt.
 
LVL 28

Expert Comment

by:asavener
ID: 38779083
Whoops.  I'm sorry; I didn't see that you're running 12.4.
 
LVL 6

Accepted Solution

by:CaptainGiblets (earned 0 total points)
ID: 38826427
Managed to figure it out by combining two of my working configs.
 
LVL 6

Author Closing Comment

by:CaptainGiblets
ID: 38846360
Working now.
