Cisco 877W ADSL Setup

Discussion in 'Routing & Switching' started by dewdneys, Oct 7, 2007.

  1. radnor

    radnor New Member

    Hi!

    Don't know if you still have this websites problem, but if so - go to firewall settings in SDM - application security and change 'HTTP non-compliant traffic' to pass.


    Hope it helps,

    Kamil
     
  2. dewdneys

    dewdneys Bit Poster

    Many thanks for the reply - the problem is connectivity on a wireless LAN between laptop and printer, and yes it's still a problem...I'd like to ditch the USB cable but can't at the moment!

    Anyway if you have any ideas, already had the setting you suggested above, then please let me know as I've exhausted the limits of my router and networking understanding. Plus don't want to spend hours on the phone to 'techies', Lexmark only offer phone support, who don't know any more than me! :rolleyes:

    thanks
    Simon
     
  3. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    After folks on this forum helped with sorting out a VPN on my old office's 857 router I'm hoping there'll be advice for the 877 I'm trying to set up at my new office.
    The router does connect and get an IP address from TalkTalk, and it does give out dhcp address on the wired LAN, but I can't ping anything on the Internet either from my computer or from the router itself.
    I've looked at making sure things are NATed, I've looked to see there is a route out, I've made sure a dns is specified in the dhcp pool (I want the router to do all the dns lookups for the network), I've checked to see that there's a source-list, the firewall rules appear to let traffic in and out, but I just can't get web pages up.
    The config from my previous 857 just doesn't seem to help either. And that's before I've started on sorting the office to office vpn, and the wireless side of things.
    I'd be very grateful of some help from someone in the know.
    Config follows:

    Current configuration : 6858 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname WRS
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 xxx
    !
    no aaa new-model
    !
    dot11 ssid 16WLAN
    vlan 2
    authentication open
    wpa-psk ascii 0 W0rldreg
    !
    ip cef
    !
    ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.201.1 192.168.201.10
    ip dhcp excluded-address 192.168.201.41 192.168.201.254
    !
    ip dhcp pool FoxholesDHCP
    import all
    network 192.168.201.0 255.255.255.0
    default-router 192.168.201.254
    dns-server 192.168.201.254
    !
    ip tcp selective-ack
    ip tcp timestamp
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall cuseeme
    ip inspect name firewall h323
    ip inspect name firewall rcmd
    ip inspect name firewall realaudio
    ip inspect name firewall streamworks
    ip inspect name firewall sqlnet
    ip inspect name firewall tftp
    ip inspect name firewall ftp
    ip inspect name firewall icmp
    ip inspect name firewall sip
    ip inspect name firewall smtp max-data 52428800
    ip inspect name firewall fragment maximum 256 timeout 1
    ip inspect name firewall rtsp
    ip inspect name firewall pptp
    !
    multilink bundle-name authenticated
    !
    crypto pki trustpoint TP-self-signed-1153459165
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1153459165
    revocation-check none
    rsakeypair TP-self-signed-1153459165
    !
    crypto pki certificate chain TP-self-signed-1153459165
    certificate self-signed 01
    3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31313533 34353931 3635301E 170D3032 30333031 30303136
    32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353334
    35393136 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A43C 7186634A CCDFC9D5 8A3ECBA8 777488DB 2D580BB0 EBDB0457 F7C55D17
    0EBBA13B 45178244 14EC3090 E8063D45 5638421B EE6D3FAB 9A6FB80D 0CE45C7B
    2C7249CE C870CC04 CDFA31E4 4DC2FE72 6E268EF2 1A5879EE 645BAABD 90DC1101
    D0E34F41 71DCC5B9 3CF850F4 3C073F28 6ECC02E1 914B75B3 58510C8A CE7932EE
    51B70203 010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603
    551D1104 07300582 03575253 301F0603 551D2304 18301680 14935CE5 6C663E1B
    FF6437A0 6E1D3AEE 07CED8E8 CF301D06 03551D0E 04160414 935CE56C 663E1BFF
    6437A06E 1D3AEE07 CED8E8CF 300D0609 2A864886 F70D0101 04050003 81810025
    38ADF0BA 36D0A656 E5FA7F21 75CBE4E7 F0EC54DE F000E317 E067866B E096A32E
    D1EF392C 207DF688 CB7B3DC8 B6255551 6DBB3B98 BA1AED85 D1B95DFB 763E98ED
    F933D1A1 40973DF9 CCEFC276 FD0603F9 0ACD1DA2 2ADB5E90 144154FC D0B23ADD
    6BF94074 8B4EDD50 83F60B61 CC33BFDC 7E40F64F 6D4EA651 CCAF0DCF D81EEE
    quit
    !
    username WRS privilege 15 secret 5 xxx
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    no ip redirects
    no ip unreachables
    no snmp trap link-status
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
    no ip address
    !
    ssid 16WLAN
    !
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    no cdp enable
    !
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    ip address 192.168.202.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    ip address 192.168.201.254 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    ip mtu 1432
    ip nat outside
    ip inspect firewall out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 0 xxx
    ppp pap sent-username [email protected] password 0 xxx
    ppp ipcp dns request
    ppp ipcp route default
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list 1 interface Dialer0 overload
    !
    access-list 1 remark The local LAN.
    access-list 1 permit 192.168.201.0
    access-list 9 remark Where management can be done from
    access-list 9 permit 192.168.201.0 0.0.0.255
    access-list 9 permit 192.168.250.0 0.0.0.255
    access-list 9 permit 82.28.109.0 0.0.0.255
    access-list 9 permit 212.158.45.0 0.0.0.255
    access-list 9 permit 87.194.146.0 0.0.0.255
    access-list 9 permit 90.195.55.0 0.0.0.255
    access-list 9 permit 95.195.55.0 0.0.0.255
    access-list 23 remark For http management with SDM
    access-list 23 permit 192.168.201.0 0.0.0.255
    access-list 23 permit 192.168.250.0 0.0.0.255
    access-list 23 deny any
    access-list 100 remark SDM_ACL
    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit udp host 208.67.220.220 eq domain any
    access-list 101 permit udp host 208.67.222.222 eq domain any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 permit tcp host 87.194.146.83 any
    access-list 101 permit tcp host 212.158.45.90 any
    access-list 101 permit tcp host 90.195.55.129 any
    access-list 101 permit tcp host 95.195.55.26 any
    access-list 102 remark Traffic allowed to enter router from ethernet
    access-list 102 permit ip 192.168.201.0 0.0.0.255 any
    access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.201.0 0.0.0.255
    access-list 102 permit ip any host 192.168.201.254
    access-list 102 permit udp host 192.168.201.254 eq domain any
    access-list 102 permit ip any host 255.255.255.255
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner motd ^CC Authorised a^C
    !
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    access-class 9 in
    password W0rld
    login
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end


    Thank you. Nathan.
     
    Certifications: Way old MCSE 2000
  4. danielno8

    danielno8 Gigabyte Poster

    not looked at the config, but firstly, can you ping t'internet from the router?

    do an extended ping to ensure source interface is the public int.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  5. BosonMichael

    BosonMichael Yottabyte Poster

    Taking a wild shot in the dark, I'm guessing the answer is "no". :biggrin

     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. BosonMichael

    BosonMichael Yottabyte Poster

    Explicitly allow ICMP traffic from the Internet and see if that fixes it.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. danielno8

    danielno8 Gigabyte Poster


    taking a wild shot in the dark....i'm guessing the source IP of his pings from the router previously would have been from the LAN interface rather than public....
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. BosonMichael

    BosonMichael Yottabyte Poster

    That's why I didn't quote that part of your reply, dude. But I did quote the part where you asked if he could ping the Internet from the router; he had already established that he could not.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  9. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Thanks for replies so far, I'll get ICMP explicitly allowed later on today, but do I need to allow it in both acl's that are applied to vlan1 and Dialer0?
     
    Certifications: Way old MCSE 2000
  10. BosonMichael

    BosonMichael Yottabyte Poster

    Allow it wherever you think you might need it. Ping uses ICMP. If ICMP is blocked, pings won't go through. As a start, I would initially put it on the ACL that applies to the public router interface, so when you try to ping from the router, you'll be able to do so.
     
    Last edited: Mar 17, 2010
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Enough Gentlemen. Carry this on via PM not on this thread. You have hijacked it long enough.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  12. Sparky

    Sparky Zettabyte Poster Moderator

    :offtopic

    That is all... :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  13. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    BosonMichael, you were right with the explicit allow for ICMP, I put the rule into the Dialer0 acl (101) and ping worked right away.
    I can now ping anything on the Internet from the router CLI, both by IP and name
    I can ping my own computer from the router (and should think so too!)
    A friend can ping my router from his house.
    I can get dns resolution on my computer when I ping by name - e.g. hotmail.com is resolved to 64.4.20.174
    But I get no responses and still can't browse web pages.
    It 'must' be acl related, but I lack the gumption with Cisco to spot the problem.

    The acls are below, list 101 applies to the Dialer0, list 102 applies to vlan1.
    I have an ip route 0.0.0.0 0.0.0.0 Dialer0 statement in the config too.
    Dialer0 and ATM0 are nat outside, vlan1 is nat inside.
    Any further ideas? Do I need to make the full config available for view again?

    access-list 1 remark The local LAN.
    access-list 1 permit 192.168.201.0
    access-list 9 remark Where management can be done from
    access-list 9 permit 192.168.201.0 0.0.0.255
    access-list 9 permit 192.168.250.0 0.0.0.255
    access-list 9 permit 82.28.109.0 0.0.0.255
    access-list 9 permit 212.158.45.0 0.0.0.255
    access-list 9 permit 87.194.146.0 0.0.0.255
    access-list 9 permit 90.195.55.0 0.0.0.255
    access-list 9 permit 95.195.55.0 0.0.0.255
    access-list 23 remark For http management with SDM
    access-list 23 permit 192.168.201.0 0.0.0.255
    access-list 23 permit 192.168.250.0 0.0.0.255
    access-list 23 deny any
    access-list 100 remark SDM_ACL
    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit udp host 208.67.220.220 eq domain any
    access-list 101 permit udp host 208.67.222.222 eq domain any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 permit tcp host 87.194.146.83 any
    access-list 101 permit tcp host 212.158.45.90 any
    access-list 101 permit tcp host 90.195.55.129 any
    access-list 101 permit tcp host 95.195.55.26 any
    access-list 101 permit icmp any any
    access-list 102 remark Traffic allowed to enter router from ethernet
    access-list 102 permit ip 192.168.201.0 0.0.0.255 any
    access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.201.0 0.0.0.255
    access-list 102 permit ip any host 192.168.201.254
    access-list 102 permit udp host 192.168.201.254 eq domain any
    access-list 102 permit ip any host 255.255.255.255
    dialer-list 1 protocol ip permit
    no cdp run


    Thank you.
     
    Certifications: Way old MCSE 2000
  14. danielno8

    danielno8 Gigabyte Poster

    Your ACL 101 will be blocking all traffic other than that which you have specified as permitted in the ACL.

    At the end of any ACL there is an implicit deny (not visible)

    Add:

    access-list 101 permit ip any any

    Then see if browsing works. If it does you can work to lock it down to only established connections if you desire.
     
    Last edited: Mar 18, 2010
    Certifications: CCENT, CCNA
    WIP: CCNP
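The implicit deny that danielno8 describes, and the explicit ICMP permit BosonMichael suggested earlier in the thread, can be checked offline with a small first-match evaluator. The code below is an added example written for this page; it is not code from the thread, from the poster or from Cisco. It parses only the extended-ACL syntax that actually appears in the posts (protocols ip/tcp/udp/icmp/esp/ahp/gre, addresses as `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`, an optional `eq <port>` on source or destination, and a trailing `established`, which in IOS matches TCP segments with the ACK or RST flag set). The negotiated Dialer0 address is never shown in the thread, so `198.51.100.7` is a constructed placeholder, and the sample packets are constructed as well.

```python
import ipaddress
import re
from collections import namedtuple

SERVICES = {"domain": 53, "www": 80, "isakmp": 500, "non500-isakmp": 4500}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}
_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# ack_or_rst models the TCP ACK/RST flags, which is all that `established` tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
Rule = namedtuple("Rule", "action proto src sport dst dport established")

def _parse_addr(t, i):
    """Consume `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    addr, wildcard, j = t[i], "0.0.0.0", i + 1
    if j < len(t) and _DOTTED.match(t[j]):
        wildcard, j = t[j], j + 1
    # IOS wildcard bits are the inverse of a netmask; a non-contiguous mask raises here.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), j

def _parse_port(t, i):
    """Consume an optional `eq <name|number>`; return (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        return (SERVICES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_rule(line):
    """Parse one extended access-list line; remark lines give None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    if t[3] not in PROTOCOLS:
        raise ValueError("only extended ACL syntax is supported: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Rule(t[2], t[3], src, sport, dst, dport, "established" in t[i:])

def load_acl(text):
    return [r for r in map(parse_rule, text.strip().splitlines()) if r]

def matches(r, p):
    return (
        (r.proto == "ip" or r.proto == p.proto)
        and ipaddress.ip_address(p.src) in r.src
        and ipaddress.ip_address(p.dst) in r.dst
        and (r.sport is None or r.sport == p.sport)
        and (r.dport is None or r.dport == p.dport)
        and (not r.established or (p.proto == "tcp" and p.ack_or_rst))
    )

def evaluate(acl, p):
    """Top-down first match; falling off the end is the invisible implicit deny."""
    return next((r.action for r in acl if matches(r, p)), "deny")

# ACL 101 permit lines as quoted in post 13 above (remark line omitted).
ACL_101 = """
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp host 87.194.146.83 any
access-list 101 permit tcp host 212.158.45.90 any
access-list 101 permit tcp host 90.195.55.129 any
access-list 101 permit tcp host 95.195.55.26 any
access-list 101 permit icmp any any
"""

# Constructed: the negotiated Dialer0 address is not in the thread, so a documentation-range placeholder is used.
WAN_IP = "198.51.100.7"
HTTP_REPLY = Packet("tcp", "64.4.20.174", WAN_IP, sport=80, dport=50123, ack_or_rst=True)
HTTP_SYN = Packet("tcp", "64.4.20.174", WAN_IP, sport=40000, dport=80)
ECHO_REPLY = Packet("icmp", "64.4.20.174", WAN_IP)

def verdicts():
    """Inbound Dialer0 verdicts for ACL 101 as posted and with three candidate extra lines."""
    base = load_acl(ACL_101)
    inside_est = base + load_acl("access-list 101 permit tcp any 192.168.201.0 0.0.0.255 established")
    any_est = base + load_acl("access-list 101 permit tcp any any established")
    open_all = base + load_acl("access-list 101 permit ip any any")
    return {
        "base/http-reply": evaluate(base, HTTP_REPLY),              # no line matches: implicit deny
        "base/echo-reply": evaluate(base, ECHO_REPLY),              # the `permit icmp any any` line
        "inside-est/http-reply": evaluate(inside_est, HTTP_REPLY),  # still deny: dst is WAN_IP, not 192.168.201.x
        "any-est/http-reply": evaluate(any_est, HTTP_REPLY),        # ACK set, so `established` matches
        "any-est/http-syn": evaluate(any_est, HTTP_SYN),            # unsolicited SYN stays out
        "open-all/http-syn": evaluate(open_all, HTTP_SYN),          # `permit ip any any` lets new connections in too
    }
```

Running `verdicts()` shows the HTTP reply denied by ACL 101 as posted, because nothing matches and the list ends in the implicit deny, while the echo reply is admitted by the icmp line. Two details matter before tightening such a list: on IOS the inbound ACL on the NAT outside interface is evaluated before the outside-to-inside translation, so an `established` line scoped to the 192.168.201.0/24 destination never sees a returning reply (it is still addressed to the public IP at that point), whereas `permit tcp any any established` admits replies and still drops unsolicited SYNs; `permit ip any any` admits those SYNs as well, which is why the thread talks about locking it down afterwards.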
  15. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Hi Daniel, I looked up a bit on established connections first and added the larger lines you can see - but no joy.
    Then tried the route of allowing ip connections with your suggestion, in bold - still no joy.
    Time to start pulling my hair out, it's officially driving me up the wall.
    I have this statement in acls, access-list 102 permit udp host 192.168.201.254 eq domain any, carried over from the 857 I once struggled with but can't remember what it means. Is this possibly causing me grief? Can't see how though as dns resolution works. Even with the non-restrictive permit ip any any line, traffic still doesn't get through; can it simply be going to the wrong place perhaps?

    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit udp host 208.67.220.220 eq domain any
    access-list 101 permit udp host 208.67.222.222 eq domain any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 permit tcp host 87.194.146.83 any
    access-list 101 permit tcp host 212.158.45.90 any
    access-list 101 permit tcp host 90.195.55.129 any
    access-list 101 permit tcp host 95.195.55.26 any
    access-list 101 permit icmp any any
    access-list 101 permit tcp any 192.168.201.0 0.0.0.255 established
    access-list 101 permit ip any any
    access-list 102 remark Traffic allowed to enter router from ethernet
    access-list 102 permit ip 192.168.201.0 0.0.0.255 any
    access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.201.0 0.0.0.255
    access-list 102 permit ip any host 192.168.201.254
    access-list 102 permit udp host 192.168.201.254 eq domain any
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 permit tcp 192.168.201.0 0.0.0.255 any eq www
     
    Certifications: Way old MCSE 2000
  16. BosonMichael

    BosonMichael Yottabyte Poster

    What happens when you remove the access lists from the interface entirely? If that doesn't help, it's probably not an ACL issue.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  17. danielno8

    danielno8 Gigabyte Poster

    i would do what BM has suggested, hopefully this will get you up and running and you can start tying down from there.

    this line confuses me a little though:

    access-list 102 permit ip any host 255.255.255.255

    If you are trying to allow any IP traffic out to any host for any internal user just put

    access-list 102 permit ip any any
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  18. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Thanks Daniel, I'm not sure either, I can't recall why that's there and I can't actually reason in my head what it means or what it does. It is a line carried over from an old 857 config - but I couldn't tell what it means/does in that config either!
    I can't get this router sorted as-is at the moment, despite hours of my spare time being used up in vain. So I've reset it to factory and have come across some help from IFM and am now in the process of reverse engineering that config to see what each line means and applying it to my router as necessary. I'll post back here once I have something else to post about success/failure. I just hope it's success cos I need to get this bloody thing operating.
    Back soon.
    Nathan.
     
    Certifications: Way old MCSE 2000
