What's wrong with this 857W Config.

Hi all,

I have recently purchased a Cisco 857W router and seem to be having difficulty setting it up. For ease I installed the SDM to give me the quickest route to what I thought would be a working config, although this has not turned out to be the case.

The router disallows access to login-based websites such as Ebay and MSN Messenger (although Netstat reveals that login.live.com responds fine and it only seems to fail at the handover to the messenger server on port 1863), and it drops packets on outgoing SMTP connections, which results in it blocking all outgoing mail from the organisation. Nothing of any significance is logged; I suspect it is either a NAT problem, or something to do with IP inspect tcp (disabling this stops all tcp based traffic).

I was hoping that if I was to post a sanitised copy of the config (items in chevrons have been sanitised), that someone might be able to have a look and offer some suggestions as to how I might go about tracking this problem down and resolving it.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.9
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.254
   domain-name
   dns-server
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
ip flow-cache timeout active 1
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server
ip name-server
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
!
!
crypto pki trustpoint TP-self-signed-1202544901
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1202544901
 revocation-check none
 rsakeypair TP-self-signed-1202544901
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-1202544901
 certificate self-signed 01
  quit
crypto pki certificate chain tti
username privilege 15 secret 5
!
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 bandwidth 448
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description ISP$FW_OUTSIDE$$ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description LAN Port 1
 no cdp enable
!
interface FastEthernet1
 description LAN Port 2
 no cdp enable
!
interface FastEthernet2
 description LAN Port 3
 no cdp enable
!
interface FastEthernet3
 description LAN Port 4
 no cdp enable
!
interface Dot11Radio0
 description WLAN Port 1
 bandwidth 54000
 no ip address
 ip route-cache flow
 !
 broadcast-key change 3600 membership-termination capability-change
 !
 !
 encryption key 1 size 40bit 7 transmit-key
 encryption mode ciphers tkip wep40
 !
 ssid
    authentication open
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2442
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip inspect DEFAULT100 out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-export source FastEthernet0
ip flow-export version 5
ip flow-export destination 192.168.0.3 9996
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 21 interface dialer0 21
ip nat inside source static tcp 192.168.0.2 25 interface dialer0 25
ip nat inside source static tcp 192.168.0.2 80 interface dialer0 80
ip nat inside source static tcp 192.168.0.2 110 interface dialer0 110
ip nat inside source static tcp 192.168.0.2 119 interface dialer0 119
ip nat inside source static tcp 192.168.0.2 143 interface dialer0 143
ip nat inside source static tcp 192.168.0.2 443 interface dialer0 443
ip nat inside source static tcp 192.168.0.2 444 interface dialer0 444
ip nat inside source static tcp 192.168.0.2 993 interface dialer0 993
ip nat inside source static tcp 192.168.0.2 995 interface dialer0 995
ip nat inside source static tcp 192.168.0.2 1723 interface dialer0 1723
ip nat inside source static tcp 192.168.0.3 3389 interface dialer0 3389
ip nat inside source static tcp 192.168.0.2 4125 interface dialer0 4125
ip nat inside source static tcp 192.168.0.3 6436 interface dialer0 6436
ip nat inside source static udp 192.168.0.3 6436 interface dialer0 6436
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 81.141.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 81.141.1.65 echo-reply
access-list 101 permit icmp any host 81.141.1.65 time-exceeded
access-list 101 permit icmp any host 81.141.1.65 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 0.0.0.3 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM for NTP (123) 81.168.77.149
access-list 103 permit udp host 81.168.77.149 eq ntp host eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 194.35.252.7
access-list 103 permit udp host 194.35.252.7 eq ntp host eq ntp
access-list 103 remark Permit primary ISP DNS communication
access-list 103 permit udp host 212.104.130.65 eq domain host
access-list 103 remark Permit secondary ISP DNS communication
access-list 103 permit udp host 212.104.130.9 eq domain host
access-list 103 remark Deny fake class A local network
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 remark Deny fake class B local network
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 remark Deny fake class C local network
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 remark Deny fake local loopback
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 remark Deny fake multicast address
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 remark Deny fake multicast address
access-list 103 deny ip host 0.0.0.0 any log
access-list 103 remark Permit WAN interface pings
access-list 103 permit icmp any host echo-reply
access-list 103 remark Permit WAN interface pings
access-list 103 permit icmp any host time-exceeded
access-list 103 remark Permit WAN interface pings
access-list 103 permit icmp any host unreachable
access-list 103 remark Permit FTP
access-list 103 permit tcp any host eq ftp
access-list 103 remark Permit SMTP
access-list 103 permit tcp any host eq smtp
access-list 103 remark Permit WWW
access-list 103 permit tcp any host eq www
access-list 103 remark Permit POP3
access-list 103 permit tcp any host eq pop3
access-list 103 remark Permit NNTP
access-list 103 permit tcp any host eq nntp
access-list 103 remark Permit IMAP4
access-list 103 permit tcp any host eq 143
access-list 103 remark Permit HTTPS
access-list 103 permit tcp any host eq 443
access-list 103 remark Permit WSS HTTPS
access-list 103 permit tcp any host eq 444
access-list 103 remark Permit IMAP4-SSL
access-list 103 permit tcp any host eq 993
access-list 103 remark Permit POP3-SSL
access-list 103 permit tcp any host eq 995
access-list 103 remark Permit Microsoft VPN
access-list 103 permit tcp any host eq 1723
access-list 103 remark Permit MSN Messenger (Msgs)
access-list 103 permit tcp any host eq 1863
access-list 103 remark Permit Terminal Services
access-list 103 permit tcp any host eq 3389
access-list 103 remark Permit RWW
access-list 103 permit tcp any host eq 4125
access-list 103 remark Permit Shareaza TCP
access-list 103 permit tcp any host eq 6436
access-list 103 remark Permit Shareaza UDP
access-list 103 permit udp any host eq 6436
access-list 103 remark Permit MSN Messenger (Files)
access-list 103 permit tcp any host range 6891 6900
access-list 103 remark Permit Microsoft Messenger
access-list 103 permit udp any host 82.153.233.141 eq 6901
access-list 103 remark Generic IP Deny Rule
access-list 103 deny ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
dialer-list 1 protocol ip permit
snmp-server ifindex persist
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 104 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 81.168.77.149 source ATM0 prefer
ntp server 194.35.252.7 source ATM0
end

Many thanks in advance for your kind assistance.

Kind regards, Chris.

Chris UK

Examine the inspect closely. Look up what inspect https actually means. I don't know. I do recall that inspect http blocked all java code which was a surprise to me.

You have inspect esmtp, do you need inspect smtp too?

If you take out for example inspect esmtp the stateful firewall will still allow the return traffic via the inspect tcp statement but you will lose the special investigation of the (e)smtp commands.

I guess that it will bust into life if you take out the two inspects mentioned and you can then worry about putting them back later.

conf t
logg buff 64000 ! or more, check memory
logg buff deb
no logg console
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
end

deb ip inspect

undeb all
sh logg

are your friends.

You can also term mon but I always use a second session to be ready to undeb all.

If the router is remote consider "reload 20" before debugging.

Read the debug guidelines regarding the possible impact on the system. Use ACLs for debugging where applicable.

anybody43

Hi Chris,

You may wish to investigate the Cisco 857 Config Wizard:

Sincerely,

Brad Reese BradReese.Com - Global Cisco Systems Pre-Sales Support

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Technical Forums
www.BradReese.Com

Hi guys,

There are moments in your life that you wish you could just crawl into a hole and stay there - I've figured out the issues, DNS, packet dropping, etc. I was obviously having an off day when I initially configured the router - I had set it up for PPPoE (as my previous ISP was), however the current one requires PPPoA. A hardware reset and some quick reconfiguring later it all works tickety-boo.

I was thrown by this as I would have thought the wrong encapsulation would have resulted in no traffic. I would suspect that the difficulty in tracking down the lost packets would have been due to the DSLAM dumping them?

Many thanks for all your assistance in this - if it's any consolation I've learned a great deal about the 857W.

I'd still be interested in any hardening tips you guys would have - the config is essentially the same as above (apart from PPPoA).

Regards, Chris.

Chris UK
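Chris asks for hardening tips on a config that is essentially the one posted above. As an added example (not code from this thread or from Cisco), the Python below reads an IOS config in that form, pairs every `ip nat inside source static` port-forward with its `access-list 103` permit so that stale permits and forwards the ACL would drop both show up, and flags two clear-text items a reviewer would raise first: telnet accepted on the vty lines and a WEP cipher in the WLAN cipher suite. The text it parses is a constructed excerpt of the posted config, with the tcp/4125 forward deliberately left without a permit.

```python
import re

# Constructed excerpt of the posted 857W config (one command per line); the
# tcp/4125 forward is deliberately left without an ACL 103 permit.
CONFIG = """\
ip nat inside source static tcp 192.168.0.2 25 interface dialer0 25
ip nat inside source static tcp 192.168.0.3 3389 interface dialer0 3389
ip nat inside source static tcp 192.168.0.2 4125 interface dialer0 4125
ip nat inside source static udp 192.168.0.3 6436 interface dialer0 6436
access-list 103 permit tcp any host eq smtp
access-list 103 permit tcp any host eq 1863
access-list 103 permit tcp any host eq 3389
access-list 103 permit udp any host eq 6436
access-list 103 deny ip any any log
line vty 0 4
 transport input telnet ssh
interface Dot11Radio0
 encryption mode ciphers tkip wep40
"""

# IOS keyword names for the well-known ports the posted ACL uses
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "nntp": 119}
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
# the sanitised config reads "host eq <port>" (WAN address removed); accept both forms
ACL_RE = re.compile(r"^access-list 103 permit (tcp|udp) any host (?:\S+ )?eq (\S+)$")

def audit(config):
    forwards, permits, weak = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            proto, host, inport, outport = m.groups()
            forwards[(proto, int(outport))] = f"{host}:{inport}"
        elif m := ACL_RE.match(line):
            proto, port = m.groups()
            permits.add((proto, PORT_NAMES.get(port) or int(port)))
        elif line.startswith("transport input") and "telnet" in line.split():
            weak.append("clear-text telnet on vty: " + line)
        elif line.startswith("encryption mode ciphers") and "wep" in line:
            weak.append("WEP cipher on WLAN: " + line)
    return {
        "exposed": {f"{p}/{n}": t for (p, n), t in sorted(forwards.items())},
        "permit_without_nat": sorted(permits - set(forwards)),  # stale ACL entries
        "nat_without_permit": sorted(set(forwards) - permits),  # forwards ACL 103 drops
        "weak": weak,
    }

if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(key, value)
```

Run against the full config, the same check lists every inside host reachable from the WAN, which is the first thing to prune when hardening.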

What a neat little link...very useful for anybody with any 85x or 871x router.

gray.wizard
