Internet thru Cisco 871

I've tried to configure my first Cisco and I'm either missing something or blocking something. I first set up the router using the SDM wizards and didn't get the internet. Then, after saving that config, I wiped it out and tried building my own config, as a learning process, and still can't get the internet. I'm able to negotiate the expected static IP address on the Dialer0 interface but fail ping attempts when I use the "Test Connection" in the SDM (DNS?). I have the DSL modem set up as a bridge and supply the PPPoE authentication via the router (the PPP light on the router lights up, so I think this is OK).

I'm currently just trying to get the private-internet zone pair to work. My current config (I copied the "self" policy maps from the wizard config):

!----------------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$HGmN$Y5uqYVVIQ1kwoYN7U/ma70
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
!
!
crypto pki trustpoint TP-self-signed-1683258465
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1683258465
 revocation-check none
 rsakeypair TP-self-signed-1683258465
!
!
crypto pki certificate chain TP-self-signed-1683258465
 certificate self-signed 01
  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101
  04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D
  43657274 69666963 6174652D 31363833 32353834 3635301E 170D3032 30333031
  30303035 34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504
  03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31
  36383332 35383436 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030
  81890281 8100CEAC 8AED8926 C1B42D2F 52CAE17F 3CCBB44F 332A1758 350D1BC6
  7F62E7FF ADBE8030 B86FC569 CFDAB91D 985D5563 666FEF46 95C94B78 202F9BAC
  90FF2038 5465E0E1 DC67B421 058FE27C 82A05650 C896E6B1 FF715403 BD4DDD6B
  BDAB089C ABBEA1DB 7FE30518 4E4B61B8 CDC7115C 179D77A9 B6DE48E1 7B93639A
  23A162E0 B59F0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101
  FF302C06 03551D11 04253023 8221636F 7572746C 616E642E 74726163 6B6C6573
  73766568 69636C65 732E6C6F 63616C30 1F060355 1D230418 30168014 BCD02D35
  3355FD2F AA09850E 0CC1D1AC 3B02ED02 301D0603 551D0E04 160414BC D02D3533
  55FD2FAA 09850E0C C1D1AC3B 02ED0230 0D06092A 864886F7 0D010104 05000381
  8100659A 8B245DE9 6573D58E 61501754 8C51DCBA 4102D3D7 BFE60170 5CE59959
  0DEE5B77 06081BEB 8E546F7B 602E5731 7F22BD28 347CE5DE 6AFD6EC3 A8567177
  40241474 6CFBF920 64CC1C66 CB48B5E4 5284CCB5 FEAD2703 7E09B46D 9CDE523C
  0CDC316B 716D2B44 85EB3A6A 12DFCDA4 8C90F03A DCA6E663 A052BD17 C1462D5D
  B6DD
  quit
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 199.166.6.2 216.183.129.9
   default-router 192.168.0.1
!
!
ip port-map user-RWW port tcp 4125 description Remote Web Workplace
ip port-map user-RMS port tcp 5270 description Rights Management Services
ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
no ip bootp server
ip domain name mydomain.local
ip name-server 199.166.6.2
ip name-server 216.183.129.9
!
!
!
username ciscoadmin privilege 15 secret 5 $1$IrLo $VYZWZcaBAjnfRj8zmjQX11
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sbs-traffic
 match protocol smtp
 match protocol https
 match protocol user-RWW
 match protocol user-RDP
 match protocol user-RMS
class-map type inspect match-any icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sbs-services
 description SBS Services
 match access-group name SBS
 match class-map sbs-traffic
class-map type inspect match-any internet-traffic
 description Basic Internet Traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
!
policy-map type inspect internet-self-policy
 class class-default
policy-map type inspect self-internet-policy
 class type inspect icmp-access
  inspect
 class class-default
  pass
policy-map type inspect guest-internet-policy
 class type inspect internet-traffic
  inspect
 class class-default
policy-map type inspect private-internet-policy
 class type inspect internet-traffic
  inspect
 class class-default
policy-map type inspect internet-private-policy
 class type inspect sbs-services
  inspect
 class class-default
!
zone security private
zone security guest
zone security internet
zone security dmz
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security guest-internet source guest destination internet
 service-policy type inspect guest-internet-policy
zone-pair security internet-self source internet destination self
 service-policy type inspect internet-self-policy
zone-pair security self-internet source self destination internet
 service-policy type inspect self-internet-policy
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description Internal Port
!
interface FastEthernet1
 description Internal Port
!
interface FastEthernet2
 description Guest Port
 switchport access vlan 2
!
interface FastEthernet3
 description DMZ Port
 switchport access vlan 3
 shutdown
!
interface FastEthernet4
 description Execulink aDSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description Private Network$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Vlan2
 description Guest Network$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security guest
 ip route-cache flow
!
interface Vlan3
 description DMZ Network
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username snipped-for-privacy@execulink.com password 7 131112011F5D5679
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0 5720
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SBS
 remark SBS Server
 remark SDM_ACL Category=128
 permit ip any host 192.168.0.2
!
logging trap debugging
access-list 1 remark NAT ACL
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Internal Network
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark Guest Network
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark DMZ Network
access-list 1 permit 129.168.3.0 0.0.0.255
access-list 2 remark HTTP ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CC
You have entered $(hostname).$(domain).
Access is for authorized users only.
Disconnect IMMEDIATELY if you are not an authorized user!
Please enter your username and password.^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn cef
end

RymCo

If you still have this issue, then reduce the configuration to the bare minimum to get the Internet connection working first.

Make sure you can ping from the router to some Internet address.

Then add in NAT with no access lists and make sure you can ping the same address from the inside network. Then build up the rest of the config one step at a time, ensuring after each config step that you still have Internet connectivity.

Use the CLI interface and forget about SDM.

Merv
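Merv's build-it-up-in-steps advice written out as a starting point for the 871 in this thread. This is an added example, not the original poster's configuration and not something from Cisco or the forum: the PPPoE credentials are placeholders, the inside network and the ISP DNS address are taken from the posted config, and the zone-based firewall is deliberately left out until the two ping checks pass.

```cisco
! Step 1: WAN side only. PPPoE client on FastEthernet4, public address
! negotiated on Dialer0, default route out of the dialer.
! (USERNAME@example.net / PLACEHOLDER are assumed values, not real credentials.)
interface FastEthernet4
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username USERNAME@example.net password PLACEHOLDER
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Check 1, from the router console, before adding anything else:
!   show ip interface brief      (Dialer0 must show the negotiated address)
!   ping 199.166.6.2             (the ISP DNS server from the posted config)
!
! Step 2: LAN side plus NAT overload. The overload statement must name the
! interface that carries the negotiated public address (Dialer0); the
! physical FastEthernet4 has no IP address, so NAT bound to it has nothing
! to translate to. The standard ACL here is required by the NAT command
! itself, not a firewall rule.
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip nat outside
!
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Check 2: ping 199.166.6.2 from a host on 192.168.0.0/24, then on the router
!   show ip nat translations     (an entry per inside host should appear)
! Only after both checks pass, re-add the zone-based firewall one zone-pair
! at a time, repeating the pings after each addition.
```

Two things in the posted config are worth comparing against this minimal version once it works: its overload statement references FastEthernet4 rather than Dialer0, and its NAT access-list 1 permits 129.168.3.0/24 under the "DMZ Network" remark while Vlan3 is addressed 192.168.2.0/24.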

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.