Internet thru Cisco 871 - Routers



Thread: Internet thru Cisco 871

  1. Internet thru Cisco 871

    I've tried to configure my Cisco 871 and I'm either missing something
    or blocking something. I first setup the router using the SDM wizards
    and didn't get the internet. Then, after saving that config, I wiped
    out all the wizard zones, policy-maps, class-maps, etc. and tried
    building my own config, as a learning process, and still can't get the
    internet. I'm able to negotiate the expected static IP address on the
    Dialer0 interface but fail ping attempts when I use the "Test
    Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
    and supply the PPPoE authentication via the router (PPP light on the
    router lights up so I think this is OK)

    I'm currently just trying to get the private-internet zone pair to
    work...
    My current config: (I copied the "self" policy maps from the wizard
    config)

    !--------------------------------------------------------------------------*--
    !version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 $1$HGmN$Y5uqYVVIQ1kwoYN7U/ma70
    !
    no aaa new-model
    clock timezone EST -5
    clock summer-time EDT recurring
    !
    !
    !
    crypto pki trustpoint TP-self-signed-1683258465
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1683258465
    revocation-check none
    rsakeypair TP-self-signed-1683258465
    !
    !
    crypto pki certificate chain TP-self-signed-1683258465
    certificate self-signed 01

    quit
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    !
    ip dhcp pool pool1
    import all
    network 192.168.0.0 255.255.255.0
    dns-server 199.166.6.2 216.183.129.9
    default-router 192.168.0.1
    !
    !
    ip port-map user-RWW port tcp 4125 description Remote Web Workplace
    ip port-map user-RMS port tcp 5270 description Rights Management Services
    ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
    no ip bootp server
    ip domain name mydomain.local
    ip name-server 199.166.6.2
    ip name-server 216.183.129.9
    !
    !
    !
    username ciscoadmin privilege 15 secret 5
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    class-map type inspect match-any sbs-traffic
    match protocol smtp
    match protocol https
    match protocol user-RWW
    match protocol user-RDP
    match protocol user-RMS
    class-map type inspect match-any icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sbs-services
    description SBS Services
    match access-group name SBS
    match class-map sbs-traffic
    class-map type inspect match-any internet-traffic
    description Basic Internet Traffic
    match protocol http
    match protocol https
    match protocol dns
    match protocol icmp
    !
    !
    policy-map type inspect internet-self-policy
    class class-default
    policy-map type inspect self-internet-policy
    class type inspect icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect guest-internet-policy
    class type inspect internet-traffic
    inspect
    class class-default
    policy-map type inspect private-internet-policy
    class type inspect internet-traffic
    inspect
    class class-default
    policy-map type inspect internet-private-policy
    class type inspect sbs-services
    inspect
    class class-default
    !
    zone security private
    zone security guest
    zone security internet
    zone security dmz
    zone-pair security internet-private source internet destination private
    service-policy type inspect internet-private-policy
    zone-pair security private-internet source private destination internet
    service-policy type inspect private-internet-policy
    zone-pair security guest-internet source guest destination internet
    service-policy type inspect guest-internet-policy
    zone-pair security internet-self source internet destination self
    service-policy type inspect internet-self-policy
    zone-pair security self-internet source self destination internet
    service-policy type inspect self-internet-policy
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    description Internal Port
    !
    interface FastEthernet1
    description Internal Port
    !
    interface FastEthernet2
    description Guest Port
    switchport access vlan 2
    !
    interface FastEthernet3
    description DMZ Port
    switchport access vlan 3
    shutdown
    !
    interface FastEthernet4
    description Execulink aDSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    zone-member security internet
    ip route-cache flow
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface Vlan1
    description Private Network$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    zone-member security private
    ip route-cache flow
    ip tcp adjust-mss 1412
    !
    interface Vlan2
    description Guest Network$FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    zone-member security guest
    ip route-cache flow
    !
    interface Vlan3
    description DMZ Network
    ip address 192.168.2.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    zone-member security dmz
    ip route-cache flow
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    zone-member security internet
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username password 7
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
    ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
    ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0 4125
    ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0 5720
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    ip access-list extended SBS
    remark SBS Server
    remark SDM_ACL Category=128
    permit ip any host 192.168.0.2
    !
    logging trap debugging
    access-list 1 remark NAT ACL
    access-list 1 remark SDM_ACL Category=2
    access-list 1 remark Internal Network
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 remark Guest Network
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 remark DMZ Network
    access-list 1 permit 129.168.3.0 0.0.0.255
    access-list 2 remark HTTP ACL
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.0.255
    access-list 2 deny any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    !
    control-plane
    !
    banner login ^CC
    You have entered $(hostname).$(domain).
    Access is for authorized users only. Disconnect IMMEDIATELY if you are not
    an authorized user! Please enter your username and password.^C
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 2 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    !
    webvpn cef
    end
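An added check (example code written for this page, not from the thread, Cisco or SDM): a small Python lint over a constructed excerpt of the config above that cross-references the NAT statements, the NAT ACL and the inbound zone-based firewall policy. On this excerpt it flags the overload statement that names an interface with no IP address, the NAT ACL entry whose network matches no inside interface, and the static NATs for ports that the internet-private inspect policy never matches (class-default there has no action, so those flows are dropped).

```python
"""Cross-reference lint for the NAT and zone-based-firewall parts of a Cisco IOS config.
Added example, not from the thread or from Cisco; the input is a constructed excerpt of RymCo's config."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed excerpt of the posted config: only the lines the checks need.
CONFIG = """\
ip port-map user-RMS port tcp 5270
class-map type inspect match-any sbs-traffic
 match protocol smtp
 match protocol https
 match protocol user-RMS
class-map type inspect match-all sbs-services
 match access-group name SBS
 match class-map sbs-traffic
policy-map type inspect internet-private-policy
 class type inspect sbs-services
  inspect
 class class-default
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
interface FastEthernet4
 no ip address
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0 5720
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 129.168.3.0 0.0.0.255
"""
WELL_KNOWN = {"smtp": 25, "https": 443}  # NBAR protocol names -> TCP port


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level IOS command to its indented sub-commands (any depth)."""
    blocks: Dict[str, List[str]] = {}
    current = ""
    for line in config.splitlines():
        if line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def block(blocks: Dict[str, List[str]], kind: str, name: str) -> List[str]:
    """Sub-commands of the top-level command that starts with `kind` and ends in `name`."""
    return next((b for h, b in blocks.items() if h.startswith(kind) and h.split()[-1] == name), [])


def protocol_ports(blocks: Dict[str, List[str]], name: str, portmaps: Dict[str, int]) -> Set[int]:
    """TCP ports a class-map admits, following nested `match class-map` lines."""
    ports: Set[int] = set()
    for cmd in block(blocks, "class-map ", name):
        words = cmd.split()
        if words[:2] == ["match", "protocol"]:
            port = portmaps.get(words[2], WELL_KNOWN.get(words[2]))
            if port is not None:
                ports.add(port)
        elif words[:2] == ["match", "class-map"]:
            ports |= protocol_ports(blocks, words[2], portmaps)
    return ports


def lint(config: str) -> List[str]:
    """Report cross-reference problems between NAT, the NAT ACL and the inbound ZBFW policy."""
    blocks, findings = parse_blocks(config), []
    # 1. NAT overload translates to the named interface's address. The PPPoE
    #    physical port has none; the Dialer interface carries the negotiated address.
    inside = {ipaddress.ip_interface(f"{c.split()[2]}/{c.split()[3]}").network
              for h, sub in blocks.items() if h.startswith("interface ") and "ip nat inside" in sub
              for c in sub if c.startswith("ip address ") and len(c.split()) == 4}
    for acl, ifname in re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M):
        if "no ip address" in blocks.get(f"interface {ifname}", []):
            findings.append(f"NAT overload uses {ifname}, which has no IP address")
        # 2. Each network the NAT ACL permits should be a connected 'ip nat inside' network.
        for net, wildcard in re.findall(rf"^access-list {acl} permit (\S+) (\S+)", config, re.M):
            acl_net = ipaddress.ip_network(f"{net}/{wildcard}", strict=False)
            if acl_net not in inside:
                findings.append(f"NAT ACL {acl} permits {acl_net}, not an 'ip nat inside' network")
    # 3. A static NAT for a port the inbound inspect policy never matches is dead:
    #    class-default in that policy has no action, so the firewall drops the flow.
    portmaps = {n: int(p) for n, p in re.findall(r"^ip port-map (\S+) port tcp (\d+)", config, re.M)}
    zone_pair = block(blocks, "zone-pair security internet-private ", "private")
    policy = next((c.split()[-1] for c in zone_pair if c.startswith("service-policy ")), "")
    allowed, pending = set(), ""
    for cmd in block(blocks, "policy-map ", policy):
        if cmd.startswith("class type inspect "):
            pending = cmd.split()[-1]
        elif cmd in ("inspect", "pass") and pending:
            allowed |= protocol_ports(blocks, pending, portmaps)
    for port in re.findall(r"^ip nat inside source static tcp \S+ (\d+) interface", config, re.M):
        if int(port) not in allowed:
            findings.append(f"static NAT for tcp/{port} is not matched by {policy}; inbound flows are dropped")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

Run against a full `show running-config` the same parser applies unchanged; only the excerpt here is trimmed.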


  2. Re: Internet thru Cisco 871


    I suggest you post this information and request on the Cisco Router
    Forum on

    www.tek-tips.com

    There are a lot of experts there that may help you with a set-up script
    or help debug the current set-up.



    RymCo wrote:
    > I've tried to configure my Cisco 871 and I'm either missing something
    > or blocking something. I first setup the router using the SDM wizards
    > and didn't get the internet. Then, after saving that config, I wiped
    > out all the wizard zones, policy-maps, class-maps, etc. and tried
    > building my own config, as a learning process, and still can't get the
    > internet. I'm able to negotiate the expected static IP address on the
    > Dialer0 interface but fail ping attempts when I use the "Test
    > Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
    > and supply the PPPoE authentication via the router (PPP light on the
    > router lights up so I think this is OK)
    >
    > I'm currently just trying to get the private-internet zone pair to
    > work...
    > My current config: (I copied the "self" policy maps from the wizard
    > config)


  3. Re: Internet thru Cisco 871

    Thanks Cal... will do that. Wasn't sure where to go...

    On Oct 10, 6:17 pm, Cal Vanize wrote:
    > I suggest you post this information and request on the Cisco Router
    > Forum on
    >
    > www.tek-tips.com
    >
    > There are a lot of experts that there may help you with a set-up script
    > or to help debug the current set-up.
    >



  4. Re: Internet thru Cisco 871

    RymCo wrote:

    > I've tried to configure my Cisco 871 and I'm either missing something
    > or blocking something. I first setup the router using the SDM wizards
    > and didn't get the internet. Then, after saving that config, I wiped
    > out all the wizard zones, policy-maps, class-maps, etc. and tried
    > building my own config, as a learning process, and still can't get the
    > internet. I'm able to negotiate the expected static IP address on the
    > Dialer0 interface but fail ping attempts when I use the "Test
    > Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
    > and supply the PPPoE authentication via the router (PPP light on the
    > router lights up so I think this is OK)
    >
    > I'm currently just trying to get the private-internet zone pair to
    > work...
    > My current config: (I copied the "self" policy maps from the wizard
    > config)

    First off, your FastEthernet must be set to NAT inside. I see that you
    have it set to NAT outside - that will never work. The FastEthernet is
    the port that connects to your inside (home) network. Then make sure
    that you have Ethernet0 (or whatever you happen to call your DSL card)
    set to NAT outside. By the way, don't do the manual configuration; it
    can only lead to trouble. Make sure you read the error messages when
    you test each interface set-up, and you will find that the connection
    problem is related to the error message given when the interface test
    fails.

    Finally, check your router's configuration register by doing a "show
    version" from the enable prompt (#). The last line in the display will
    show you the configuration register. For example, I set my
    configuration register to 0x0101 and it shows up in the "show
    version" command as "Configuration register is 0x101". If you are using
    another configuration register, be sure to look up what those numbers
    mean. In some cases, the configuration register prohibits an inside
    interface from connecting to an outside interface!

    DarthOdor

  5. Re: Internet thru Cisco 871

    On Oct 15, 12:34 am, DarthOdor wrote:
    > RymCo wrote:
    > > I've tried to configure my Cisco 871 and I'm either missing something
    > > or blocking something. I first setup the router using the SDM wizards
    > > and didn't get the internet. Then, after saving that config, I wiped
    > > out all the wizard zones, policy-maps, class-maps, etc. and tried
    > > building my own config, as a learning process, and still can't get the
    > > internet. I'm able to negotiate the expected static IP address on the
    > > Dialer0 interface but fail ping attempts when I use the "Test
    > > Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
    > > and supply the PPPoE authentication via the router (PPP light on the
    > > router lights up so I think this is OK)

    >
    > > I'm currently just trying to get the private-internet zone pair to
    > > work...
    > > My current config: (I copied the "self" policy maps from the wizard
    > > config)

    >
    > > !--------------------------------------------------------------------------**--
    > > !version 12.4
    > > no service pad
    > > service tcp-keepalives-in
    > > service tcp-keepalives-out
    > > service timestamps debug datetime msec localtime show-timezone
    > > service timestamps log datetime msec localtime show-timezone
    > > service password-encryption
    > > service sequence-numbers
    > > !
    > > hostname router
    > > !
    > > boot-start-marker
    > > boot-end-marker
    > > !
    > > logging buffered 51200
    > > logging console critical
    > > enable secret 5 $1$HGmN$Y5uqYVVIQ1kwoYN7U/ma70
    > > !
    > > no aaa new-model
    > > clock timezone EST -5
    > > clock summer-time EDT recurring
    > > !
    > > !
    > > !
    > > crypto pki trustpoint TP-self-signed-1683258465
    > > enrollment selfsigned
    > > subject-name cn=IOS-Self-Signed-Certificate-1683258465
    > > revocation-check none
    > > rsakeypair TP-self-signed-1683258465
    > > !
    > > !
    > > crypto pki certificate chain TP-self-signed-1683258465
    > > certificate self-signed 01
    > >
    > > quit
    > > no ip source-route
    > > ip cef
    > > no ip dhcp use vrf connected
    > > ip dhcp excluded-address 192.168.0.1 192.168.0.10
    > > !
    > > ip dhcp pool pool1
    > > import all
    > > network 192.168.0.0 255.255.255.0
    > > dns-server 199.166.6.2 216.183.129.9
    > > default-router 192.168.0.1
    > > !
    > > !
    > > ip port-map user-RWW port tcp 4125 description Remote Web Workplace
    > > ip port-map user-RMS port tcp 5270 description Rights Management Services
    > > ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
    > > no ip bootp server
    > > ip domain name mydomain.local
    > > ip name-server 199.166.6.2
    > > ip name-server 216.183.129.9
    > > !
    > > !
    > > !
    > > username ciscoadmin privilege 15 secret 5
    > > archive
    > > log config
    > > hidekeys
    > > !
    > > !
    > > ip tcp synwait-time 10
    > > ip ssh time-out 60
    > > ip ssh authentication-retries 2
    > > !
    > > class-map type inspect match-any sbs-traffic
    > > match protocol smtp
    > > match protocol https
    > > match protocol user-RWW
    > > match protocol user-RDP
    > > match protocol user-RMS
    > > class-map type inspect match-any icmp-access
    > > match protocol icmp
    > > match protocol tcp
    > > match protocol udp
    > > class-map type inspect match-all sbs-services
    > > description SBS Services
    > > match access-group name SBS
    > > match class-map sbs-traffic
    > > class-map type inspect match-any internet-traffic
    > > description Basic Internet Traffic
    > > match protocol http
    > > match protocol https
    > > match protocol dns
    > > match protocol icmp
    > > !
    > > !
    > > policy-map type inspect internet-self-policy
    > > class class-default
    > > policy-map type inspect self-internet-policy
    > > class type inspect icmp-access
    > > inspect
    > > class class-default
    > > pass
    > > policy-map type inspect guest-internet-policy
    > > class type inspect internet-traffic
    > > inspect
    > > class class-default
    > > policy-map type inspect private-internet-policy
    > > class type inspect internet-traffic
    > > inspect
    > > class class-default
    > > policy-map type inspect internet-private-policy
    > > class type inspect sbs-services
    > > inspect
    > > class class-default
    > > !
    > > zone security private
    > > zone security guest
    > > zone security internet
    > > zone security dmz
    > > zone-pair security internet-private source internet destination private
    > > service-policy type inspect internet-private-policy
    > > zone-pair security private-internet source private destination internet
    > > service-policy type inspect private-internet-policy
    > > zone-pair security guest-internet source guest destination internet
    > > service-policy type inspect guest-internet-policy
    > > zone-pair security internet-self source internet destination self
    > > service-policy type inspect internet-self-policy
    > > zone-pair security self-internet source self destination internet
    > > service-policy type inspect self-internet-policy
    > > !
    > > !
    > > !
    > > interface Null0
    > > no ip unreachables
    > > !
    > > interface FastEthernet0
    > > description Internal Port
    > > !
    > > interface FastEthernet1
    > > description Internal Port
    > > !
    > > interface FastEthernet2
    > > description Guest Port
    > > switchport access vlan 2
    > > !
    > > interface FastEthernet3
    > > description DMZ Port
    > > switchport access vlan 3
    > > shutdown
    > > !
    > > interface FastEthernet4
    > > description Execulink aDSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    > > no ip address
    > > no ip redirects
    > > no ip unreachables
    > > no ip proxy-arp
    > > ip nat outside
    > > ip virtual-reassembly
    > > zone-member security internet
    > > ip route-cache flow
    > > duplex auto
    > > speed auto
    > > pppoe enable group global
    > > pppoe-client dial-pool-number 1
    > > !
    > > interface Vlan1
    > > description Private Network$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    > > ip address 192.168.0.1 255.255.255.0
    > > no ip redirects
    > > no ip unreachables
    > > no ip proxy-arp
    > > ip nat inside
    > > ip virtual-reassembly
    > > zone-member security private
    > > ip route-cache flow
    > > ip tcp adjust-mss 1412
    > > !
    > > interface Vlan2
    > > description Guest Network$FW_INSIDE$
    > > ip address 192.168.1.1 255.255.255.0
    > > no ip redirects
    > > no ip unreachables
    > > no ip proxy-arp
    > > ip nat inside
    > > ip virtual-reassembly
    > > zone-member security guest
    > > ip route-cache flow
    > > !
    > > interface Vlan3
    > > description DMZ Network
    > > ip address 192.168.2.1 255.255.255.0
    > > no ip redirects
    > > no ip unreachables
    > > no ip proxy-arp
    > > ip nat inside
    > > ip virtual-reassembly
    > > zone-member security dmz
    > > ip route-cache flow
    > > !
    > > interface Dialer0
    > > description $FW_OUTSIDE$
    > > ip address negotiated
    > > no ip redirects
    > > no ip unreachables
    > > no ip proxy-arp
    > > ip mtu 1452
    > > ip nat outside
    > > ip virtual-reassembly
    > > zone-member security internet
    > > encapsulation ppp
    > > ip route-cache flow
    > > dialer pool 1
    > > dialer-group 1
    > > no cdp enable
    > > ppp authentication pap callin
    > > ppp pap sent-username password 7
    > > !
    > > ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    > > !
    > > ip http server
    > > ip http access-class 3
    > > ip http authentication local
    > > ip http secure-server
    > > ip http timeout-policy idle 60 life 86400 requests 10000
    > > ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
    > > ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
    > > ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
    > > ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
    > > ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0 4125
    > > ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0 5720
    > > ip nat inside source list 1 interface FastEthernet4 overload
    > > !
    > > ip access-list extended SBS
    > > remark SBS Server
    > > remark SDM_ACL Category=128
    > > permit ip any host 192.168.0.2
    > > !
    > > logging trap debugging
    > > access-list 1 remark NAT ACL
    > > access-list 1 remark SDM_ACL Category=2
    > > access-list 1 remark Internal Network
    > > access-list 1 permit 192.168.0.0 0.0.0.255
    > > access-list 1 remark Guest Network
    > > access-list 1 permit 192.168.1.0 0.0.0.255
    > > access-list 1 remark DMZ Network
    > > access-list 1 permit 129.168.3.0 0.0.0.255
    > > access-list 2 remark HTTP ACL
    > > access-list 2 remark SDM_ACL Category=1
    > > access-list 2 permit 192.168.0.0 0.0.0.255
    > > access-list 2 deny any
    > > dialer-list 1 protocol ip permit
    > > no cdp run
    > > !
    > > !
    > > !
    > > control-plane
    > > !
    > > banner login ^CC
    > > You have entered $(hostname).$(domain).
    > > Access is for authorized users only. Disconnect IMMEDIATELY if you are not
    > > an authorized user! Please enter your username and password.^C
    > > !
    > > line con 0
    > > login local
    > > no modem enable
    > > transport output telnet
    > > line aux 0
    > > login local
    > > transport output telnet
    > > line vty 0 4
    > > access-class 2 in
    > > privilege level 15
    > > login local
    > > transport input telnet ssh
    > > !
    > > scheduler max-task-time 5000
    > > scheduler allocate 4000 1000
    > > scheduler interval 500

    >
    > > !
    > > webvpn cef
    > > end

    >
    > First off, your FastEthernet must be set to NAT inside. I see that you
    > have it set to NAT Outside - that will never work. The FastEthernet is
    > the port that connects to your inside (home) network. Then make sure
    > that you have Ethernet0 (or whatever you happen to call your DSL card)
    > set to NAT outside. By the way, don't do the manual configuration, it
    > can only lead to trouble. Make sure you read the error messages when
    > you test each interface setup and you will find that the connection
    > problem is related to the error message given when the interface test
    > fails.
    >
    > Finally, check your router's configuration register by doing a "show
    > version" from the enabled prompt (#). The last line in the display will
    > show you the configuration register. For example, I set my
    > configuration register to be 0x0101 and it shows up in the "show
    > version" command as "Configuration register is 0x101". If you are using
    > another configuration register, be sure to look up what those numbers
    > mean. In some cases, the configuration register prohibits an inside
    > interface from connecting to an outside interface!
    >
    > DarthOdor


    DarthOdor,

    Thanks for the reply. I'm still having trouble with this...
    My Fe4 port IS my WAN port. Fe0-Fe3 are the internal ethernet ports.
    There isn't a DSL card in this model... I'm using the DSL modem (in
    bridge mode) my ISP supplied me which is why I bought the ethernet
    version of the router. I have taken this router all the way back to
    factory default without a firewall and still can't connect.

    show version yields: Configuration Register 0x2102

    Thanks again for helping me out...

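As an added example that is not part of this thread, here is a small Python lint that cross-checks the pieces of a zone-based firewall config like the one quoted above: every zone-pair must name defined zones and a defined policy-map, every zone-member must name a defined zone, and the interface named in the NAT overload statement must actually carry an IP address. The config embedded in it is a constructed excerpt modelled on the quoted one, not the full posted config.

```python
# Constructed excerpt modelled on the config quoted in this thread, not the full config.
SAMPLE_CONFIG = """\
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security internet-self source internet destination self
 service-policy type inspect internet-self-policy
policy-map type inspect private-internet-policy
interface FastEthernet4
 no ip address
 zone-member security internet
interface Dialer0
 ip address negotiated
 zone-member security internet
ip nat inside source list 1 interface FastEthernet4 overload
"""

def lint_zbf(config):
    """Return findings: dangling zone/policy-map references and a NAT overload interface with no IP."""
    zones, pmaps, has_ip, ctx = set(), set(), {}, None
    pair_zones, pair_policy, members, overload = [], [], [], []
    for w in filter(None, map(str.split, config.splitlines())):  # skip blank lines
        if w[:2] == ["zone", "security"]:
            zones.add(w[2])
        elif w[0] == "zone-pair":  # zone-pair security NAME source A destination B
            ctx = ("pair", w[2])
            pair_zones.append((w[2], w[4], w[6]))
        elif w[0] == "service-policy" and ctx and ctx[0] == "pair":
            pair_policy.append((ctx[1], w[-1]))
        elif w[0] == "policy-map":
            ctx = ("pmap", w[-1])
            pmaps.add(w[-1])
        elif w[0] == "interface":
            ctx = ("iface", w[1])
            has_ip[w[1]] = False
        elif w[:2] == ["ip", "address"] and ctx and ctx[0] == "iface":
            has_ip[ctx[1]] = True  # static or negotiated; "no ip address" does not match
        elif w[0] == "zone-member" and ctx and ctx[0] == "iface":
            members.append((ctx[1], w[-1]))
        elif w[:3] == ["ip", "nat", "inside"] and w[-1] == "overload":
            overload.append(w[w.index("interface") + 1])
    findings = ["zone-pair %s: undefined zone %s" % (p, z)  # "self" is the built-in router zone
                for p, a, b in pair_zones for z in (a, b) if z not in zones and z != "self"]
    findings += ["zone-pair %s: undefined policy-map %s" % (p, m)
                 for p, m in pair_policy if m not in pmaps]
    findings += ["interface %s: undefined zone %s" % (i, z) for i, z in members if z not in zones]
    findings += ["NAT overload on %s, which has no IP address" % i
                 for i in overload if not has_ip.get(i)]
    return findings
```

Run against the excerpt it reports the zone-pair whose policy-map was never defined and the overload statement pointing at an interface with no address; against a corrected excerpt it returns an empty list.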

  6. Re: Internet thru Cisco 871

    DarthOdor,

    Thanks for the reply. I'm still having this problem...
    My Fe4 port IS my WAN port. Fe0-Fe3 are the internal ports. There
    isn't a DSL card in this model. I'm using the DSL modem supplied to
    me by my ISP (in bridge mode). I have taken this all the way back to
    factory default without a firewall and still can't connect...

    show version yields: Configuration Register 0x2102

    Thanks again for helping me out...

