Hi all,
I have recently purchased a Cisco 857W router and seem to be having difficulty setting it up. For ease I installed the SDM to give me the quickest route to what I thought would be a working config, although this has not turned out to be the case.
The router disallows access to login based website such as Ebay
I was hoping that if I was to post a sanitised copy of the config (items in chevrons have been sanitised), that someone might be able to have a look and offer some suggestions as to how I might go about tracking this problem down and resolving it.
! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname ! boot-start-marker boot-end-marker ! logging buffered 51200 debugging logging console critical enable secret 5 ! aaa new-model ! ! aaa group server radius rad_eap ! aaa group server radius rad_mac ! aaa group server radius rad_acct ! aaa group server radius rad_admin ! aaa group server tacacs+ tac_admin ! aaa group server radius rad_pmip ! aaa group server radius dummy ! aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authorization ipmobile default group rad_pmip aaa accounting network acct_methods start-stop group rad_acct ! aaa session-id common ! resource policy ! clock timezone PCTime 0 clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00 ip subnet-zero no ip source-route no ip dhcp use vrf connected ip dhcp excluded-address 192.168.0.1 192.168.0.9 ip dhcp excluded-address 192.168.0.201 192.168.0.254 ! ip dhcp pool sdm-pool1 import all network 192.168.0.0 255.255.255.0 default-router 192.168.0.254 domain-name dns-server ! ! ip cef ip inspect log drop-pkt ip inspect name DEFAULT100 cuseeme ip inspect name DEFAULT100 ftp ip inspect name DEFAULT100 h323 ip inspect name DEFAULT100 icmp ip inspect name DEFAULT100 rcmd ip inspect name DEFAULT100 realaudio ip inspect name DEFAULT100 rtsp ip inspect name DEFAULT100 esmtp ip inspect name DEFAULT100 sqlnet ip inspect name DEFAULT100 streamworks ip inspect name DEFAULT100 tftp ip inspect name DEFAULT100 tcp ip inspect name DEFAULT100 udp ip inspect name DEFAULT100 vdolive ip inspect name DEFAULT100 https ip inspect name DEFAULT100 dns ip flow-cache timeout active 1 ip tcp synwait-time 10 no ip bootp server ip domain name ip name-server ip name-server ip ssh time-out 60 ip ssh authentication-retries 2 ! appfw policy-name DEFAULT100 application im msn service default action allow alarm service text-chat action allow alarm server permit name messenger.hotmail.com server permit name gateway.messenger.hotmail.com server permit name webmessenger.msn.com ! ! crypto pki trustpoint TP-self-signed-1202544901 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1202544901 revocation-check none rsakeypair TP-self-signed-1202544901 ! crypto pki trustpoint tti revocation-check crl rsakeypair tti ! ! crypto pki certificate chain TP-self-signed-1202544901 certificate self-signed 01 quit crypto pki certificate chain tti username privilege 15 secret 5 ! ! ! bridge irb ! ! interface Null0 no ip unreachables ! interface ATM0 bandwidth 448 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description ISP$FW_OUTSIDE$$ES_WAN$ no ip redirects no ip unreachables no ip proxy-arp pvc 0/38 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 description LAN Port 1 no cdp enable ! interface FastEthernet1 description LAN Port 2 no cdp enable ! interface FastEthernet2 description LAN Port 3 no cdp enable ! interface FastEthernet3 description LAN Port 4 no cdp enable ! interface Dot11Radio0 description WLAN Port 1 bandwidth 54000 no ip address ip route-cache flow ! broadcast-key change 3600 membership-termination capability-change ! ! encryption key 1 size 40bit 7 transmit-key encryption mode ciphers tkip wep40 ! ssid authentication open guest-mode infrastructure-ssid optional wpa-psk ascii 7 ! speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 channel 2442 station-role root no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$ no ip address bridge-group 1 ! interface Dialer0 description $FW_OUTSIDE$ ip address ip access-group 103 in no ip redirects no ip unreachables no ip proxy-arp ip mtu 1452 ip inspect DEFAULT100 out ip flow ingress ip flow egress ip nat outside ip virtual-reassembly encapsulation ppp ip route-cache flow dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname ppp chap password 7 ! interface BVI1 description $ES_LAN$$FW_INSIDE$ ip address 192.168.0.254 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1452 ! ip classless ip route 0.0.0.0 0.0.0.0 Dialer0 ip flow-export source FastEthernet0 ip flow-export version 5 ip flow-export destination 192.168.0.3 9996 ip flow-top-talkers top 10 sort-by bytes ! ip http server ip http access-class 2 ip http authentication local ip http secure-server ip http timeout-policy idle 600 life 86400 requests 10000 ip nat inside source list 1 interface Dialer0 overload ip nat inside source static tcp 192.168.0.2 21 interface dialer0 21 ip nat inside source static tcp 192.168.0.2 25 interface dialer0 25 ip nat inside source static tcp 192.168.0.2 80 interface dialer0 80 ip nat inside source static tcp 192.168.0.2 110 interface dialer0 110 ip nat inside source static tcp 192.168.0.2 119 interface dialer0 119 ip nat inside source static tcp 192.168.0.2 143 interface dialer0 143 ip nat inside source static tcp 192.168.0.2 443 interface dialer0 443 ip nat inside source static tcp 192.168.0.2 444 interface dialer0 444 ip nat inside source static tcp 192.168.0.2 993 interface dialer0 993 ip nat inside source static tcp 192.168.0.2 995 interface dialer0 995 ip nat inside source static tcp 192.168.0.2 1723 interface dialer0 1723 ip nat inside source static tcp 192.168.0.3 3389 interface dialer0 3389 ip nat inside source static tcp 192.168.0.2 4125 interface dialer0 4125 ip nat inside source static tcp 192.168.0.3 6436 interface dialer0 6436 ip nat inside source static udp 192.168.0.3 6436 interface dialer0 6436 ! logging trap debugging access-list 1 remark INSIDE_IF=BVI1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 192.168.0.0 0.0.0.255 access-list 2 remark HTTP Access-class list access-list 2 remark SDM_ACL Category=1 access-list 2 permit 192.168.0.0 0.0.0.255 access-list 2 deny any access-list 100 remark auto generated by Cisco SDM Express firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 deny ip 81.141.1.0 0.0.0.255 any access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip any any access-list 101 remark auto generated by Cisco SDM Express firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 deny ip 192.168.0.0 0.0.0.255 any access-list 101 permit icmp any host 81.141.1.65 echo-reply access-list 101 permit icmp any host 81.141.1.65 time-exceeded access-list 101 permit icmp any host 81.141.1.65 unreachable access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 127.0.0.0 0.255.255.255 any access-list 101 deny ip host 255.255.255.255 any access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip any any access-list 102 remark auto generated by SDM firewall configuration access-list 102 remark SDM_ACL Category=1 access-list 102 deny ip 0.0.0.3 any log access-list 102 deny ip host 255.255.255.255 any log access-list 102 deny ip 127.0.0.0 0.255.255.255 any log access-list 102 permit ip any any access-list 103 remark auto generated by SDM firewall configuration access-list 103 remark SDM_ACL Category=1 access-list 103 remark Auto generated by SDM for NTP (123)
81.168.77.149 access-list 103 permit udp host 81.168.77.149 eq ntp host eq ntp access-list 103 remark Auto generated by SDM for NTP (123) 194.35.252.7 access-list 103 permit udp host 194.35.252.7 eq ntp host eq ntp access-list 103 remark Permit primary ISP DNS communication access-list 103 permit udp host 212.104.130.65 eq domain host access-list 103 remark Permit secondary ISP DNS communication access-list 103 permit udp host 212.104.130.9 eq domain host access-list 103 remark Deny fake class A local network access-list 103 deny ip 10.0.0.0 0.255.255.255 any log access-list 103 remark Deny fake class B local network access-list 103 deny ip 172.16.0.0 0.15.255.255 any log access-list 103 remark Deny fake class C local network access-list 103 deny ip 192.168.0.0 0.0.255.255 any log access-list 103 remark Deny fake local loopback access-list 103 deny ip 127.0.0.0 0.255.255.255 any log access-list 103 remark Deny fake multicast address access-list 103 deny ip host 255.255.255.255 any log access-list 103 remark Deny fake multicast address access-list 103 deny ip host 0.0.0.0 any log access-list 103 remark Permit WAN interface pings access-list 103 permit icmp any host echo-reply access-list 103 remark Permit WAN interface pings access-list 103 permit icmp any host time-exceeded access-list 103 remark Permit WAN interface pings access-list 103 permit icmp any host unreachable access-list 103 remark Permit FTP access-list 103 permit tcp any host eq ftp access-list 103 remark Permit SMTP access-list 103 permit tcp any host eq smtp access-list 103 remark Permit WWW access-list 103 permit tcp any host eq www access-list 103 remark Permit POP3 access-list 103 permit tcp any host eq pop3 access-list 103 remark Permit NNTP access-list 103 permit tcp any host eq nntp access-list 103 remark Permit IMAP4 access-list 103 permit tcp any host eq 143 access-list 103 remark Permit HTTPS access-list 103 permit tcp any host eq 443 access-list 103 remark Permit WSS HTTPS access-list 103 permit tcp any host eq 444 access-list 103 remark Permit IMAP4-SSL access-list 103 permit tcp any host eq 993 access-list 103 remark Permit POP3-SSL access-list 103 permit tcp any host eq 995 access-list 103 remark Permit Microsoft VPN access-list 103 permit tcp any host eq 1723 access-list 103 remark Permit MSN Messenger (Msgs) access-list 103 permit tcp any host eq 1863 access-list 103 remark Permit Terminal Services access-list 103 permit tcp any host eq 3389 access-list 103 remark Permit RWW access-list 103 permit tcp any host eq 4125 access-list 103 remark Permit Shareaza TCP access-list 103 permit tcp any host eq 6436 access-list 103 remark Permit Shareaza UDP access-list 103 permit udp any host eq 6436 access-list 103 remark Permit MSN Messenger (Files) access-list 103 permit tcp any host range 6891 6900 access-list 103 remark Permit Microsoft Messenger access-list 103 permit udp any host 82.153.233.141 eq 6901 access-list 103 remark Generic IP Deny Rule access-list 103 deny ip any any log access-list 104 remark VTY Access-class list access-list 104 remark SDM_ACL Category=1 access-list 104 permit ip 192.168.0.0 0.0.0.255 any access-list 104 deny ip any any dialer-list 1 protocol ip permit snmp-server ifindex persist no cdp run radius-server attribute 32 include-in-access-req format %h radius-server vsa send accounting ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 no modem enable transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 104 in privilege level 15 transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 ntp server 81.168.77.149 source ATM0 prefer ntp server 194.35.252.7 source ATM0 endMany thanks in advance for your kind assistance.
Kind regards, Chris.