Noob help needed!

Discussion in 'General Cisco Certifications' started by Chummers, Aug 2, 2006.

  1. Chummers

    Chummers New Member

    Hi guys,

    I have configured my 1701 via SDM.

    I have gone through all the wizards and looked through the help, but am now stuck.

    I can test the ATM0.1 with success, but if I test the FastEthernet0, it fails - cannot connect to DNS server.

    Could some kind soul please check out my config file and tell me what I am doing wrong??

    I will openly admit that I am not great at these things (the whole firewall/NAT/routing thing just confuses me!)

    Here goes:


    Building configuration...

    Current configuration : 3605 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 52000 debugging
    enable secret 5 $1$zNS8$6wXefHujy20jS0ASzbDuJ/
    !
    username Chummers privilege 15 secret 5 $1$tUyc$oINxLR3yEL9XodxHYPJ9D/
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    ip domain name server1
    ip name-server 212.104.130.65
    ip name-server 212.104.130.9
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface BRI0
    no ip address
    shutdown
    !
    interface FastEthernet0
    description $ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$$ETH-LAN$$FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    speed auto
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 81.168.100.241 255.255.255.252
    ip access-group 101 in
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxx password 0 xxxxxxxxxxxx
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    !
    !
    !
    access-list 1 remark INSIDE_IF=FastEthernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 81.168.100.240 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp host 212.104.130.9 eq domain host 81.168.100.241
    access-list 101 permit udp host 212.104.130.65 eq domain host 81.168.100.241
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any host 81.168.100.241 echo-reply
    access-list 101 permit icmp any host 81.168.100.241 time-exceeded
    access-list 101 permit icmp any host 81.168.100.241 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    login local
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    end



    Any help will be of some help!!

    Thanks in advance!!!
     
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Can you give us more information as to what the router is connected to? I notice that you have a few different ports configured, but do you need them?

    More info please! :biggrin
     
  3. Chummers

    Chummers New Member

    Hi there, thanks for the fast reply!!!

    The router is connected via a BT phone line, PPPoA.

    As to the ports, I really just need email and web access (http/https) for the time being.. (they are what the wizard in SDM opened)

    I would like to just get the basics going, so I can play and see what else I can open and close...

    The first thing I am going to do <when> I get it working is to get the config file backed up; it will be no big deal if I then have to reconfigure...

    I do appreciate your help..

    Thanks..
     
  4. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Chummers,

    The config looks to be a suitable basic setup that should work fine.

    First thing check the status of your interfaces:

    Router# show ip int bri

    Make sure the needed interfaces are up/up. Next, ping an Internet host (e.g. your DNS server) from the router console:

    Router# ping 212.104.130.9

    If you can't ping an Internet host (make sure it is a host that will respond to pings!), troubleshoot the connection to the ISP. If you can ping an Internet host, such as your DNS server, ping it with the source IP of your internal interface:

    Router# ping 212.104.130.9 source f0

    If you can ping using your internal interface as the source address, your problem is likely either cabling (PC to router: use a crossover cable) or the TCP/IP config on the PC. From the PC, confirm the IP address and default gateway. Then, from the PC, ping the internal interface on the router. If that works, ping the Internet host. If that fails, post back and we can dig deeper; there are many troubleshooting tools available on the router to pinpoint the problem.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  5. Chummers

    Chummers New Member

    Right, I have been a bit busy. I have been thinking that all the messing about I have done to try to get this working may have made the problem worse, so I have reset to factory defaults and set it up again. The new config file is below:

    Building configuration...

    Current configuration : 4708 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$Xo0K$LPmOvz2nVqkHfxk4cmY5//
    !
    username xxxxxxx privilege 15 secret 5 $1$T5d7$puMjzAMkYTZs9PasMWOFC0
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    !
    !
    ip tcp synwait-time 10
    ip domain name server1
    ip name-server 212.104.130.65
    ip name-server 212.104.130.9
    no ip bootp server
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    interface FastEthernet0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$$ES_LAN$$FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    speed auto
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 81.168.100.241 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
    ppp chap password 7 0835444B0A0C090343
    ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    !
    !
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=FastEthernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 81.168.100.240 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp host 212.104.130.9 eq domain host 81.168.100.241
    access-list 101 permit udp host 212.104.130.65 eq domain host 81.168.100.241
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any host 81.168.100.241 echo-reply
    access-list 101 permit icmp any host 81.168.100.241 time-exceeded
    access-list 101 permit icmp any host 81.168.100.241 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    @ Spice_Weasel:

    Checked the status of the interface - I am using Dialer0, as opposed to ISDN BRI.


    Here are the results

    Router#show ip int Dialer0
    Dialer0 is up, line protocol is up
    Internet address is 81.168.100.241/30
    Broadcast address is 255.255.255.255
    Address determined by configuration file
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 101
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are never sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Distributed switching is disabled
    IP CEF Flow Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is enabled, interface in domain outside
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
    BGP Policy Mapping is disabled
    Outgoing inspection rule is DEFAULT100
    Router#

    And the Ethernet card....

    Router#show ip int Fastethernet0
    FastEthernet0 is up, line protocol is up
    Internet address is 192.168.0.1/24
    Broadcast address is 255.255.255.255
    Address determined by configuration file
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 100
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are never sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP CEF Flow Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is enabled, interface in domain inside
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
    BGP Policy Mapping is disabled
    Router#


    Here are the results of the DNS server ping...

    C:\Documents and Settings\Neil>ping 212.104.130.65

    Pinging 212.104.130.65 with 32 bytes of data:

    Reply from 212.104.130.65: bytes=32 time=24ms TTL=61
    Reply from 212.104.130.65: bytes=32 time=22ms TTL=61
    Reply from 212.104.130.65: bytes=32 time=22ms TTL=61
    Reply from 212.104.130.65: bytes=32 time=23ms TTL=61

    Ping statistics for 212.104.130.65:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 24ms, Average = 22ms


    And the ping from internal interface ...

    Router#ping 212.104.130.65 source f0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 212.104.130.65, timeout is 2 seconds:
    Packet sent with a source address of 192.168.0.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
    Router#

    I can now ping the lan side of the router ...

    C:\Documents and Settings\Neil>ping 192.168.0.1

    Pinging 192.168.0.1 with 32 bytes of data:

    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255

    Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


    and the WAN IP ...

    C:\Documents and Settings\Neil>ping 81.168.100.241

    Pinging 81.168.100.241 with 32 bytes of data:

    Reply from 81.168.100.241: bytes=32 time=1ms TTL=255
    Reply from 81.168.100.241: bytes=32 time=1ms TTL=255
    Reply from 81.168.100.241: bytes=32 time=1ms TTL=255
    Reply from 81.168.100.241: bytes=32 time=1ms TTL=255

    Ping statistics for 81.168.100.241:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

    I hope you guys can make sense of this!! I feel like I am so close to getting this working, if I can ping the DNS and WAN IP.

    But still can not get any web pages... :rolleyes:


    Any more ideas? I thank you for all your help so far!!

    Cheers...
     
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Chummers,

    Since you can ping Internet hosts, the problem is likely with DNS. On the PC run ipconfig /all and make sure you have a valid DNS server specified. If it is, use nslookup from the command prompt to check that domain names are being properly resolved into IP addresses, e.g.:

    C:\Program Files\Support Tools>nslookup
    Default Server: pfp01.nowhere.com
    Address: 172.20.1.30

    > dogs.com
    Server: pfp01.nowhere.com
    Address: 172.20.1.30

    Name: dogs.com
    Address: 129.33.85.162

    > exit

    C:\Program Files\Support Tools>


    If name resolution is working, and you can ping Internet hosts, then check that http traffic is not being blocked by ACLs/firewall. From your config, above, it is clear that there is nothing blocking http. If you want to confirm that, remove the ACL and IOS firewall from the Dialer0 interface config:

    Router(config)# interface Dialer0
    Router(config-if)# no ip access-group 101 in
    Router(config-if)# no ip inspect DEFAULT100 out

    Check your IE settings to make sure there are no incorrect entries (e.g. a proxy server configured, etc.)

    You can also test port 80 using telnet from the pc, for example:

    C:\Program Files\Support Tools>telnet 129.33.85.162 80

    The above will telnet to port 80 on an Internet host (in this case, the webserver for dogs.com).

    If successful, you will see a blank screen. Type "exit" to cancel the telnet session and you'll see some http code, such as:


    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>301 Moved Permanently</TITLE>
    </HEAD><BODY>
    <H1>Moved Permanently</H1>
    The document has moved
    <A HREF="http://www.petsmart.com/ps/main.jsp">here</A>.<P>
    </BODY></HTML>


    Connection to host lost.

    C:\Program Files\Support Tools>

    This will prove that port 80 is being passed through the router. If you still cannot browse websites, I'd say check the PC. If there is no apparent configuration problem on the PC, then it is time to roll up our sleeves and dig deeper with shows and debugs on the router to see how the traffic is being handled.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
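To show why Spice_Weasel can say "there is nothing blocking http" despite an inbound ACL that ends in `deny ip any any`, and why the earlier router-sourced ping and DNS tests worked, here is a small Python model of the posted ACL 101 together with the return-flow openings that `ip inspect DEFAULT100 out` creates. This is an added illustration, not code from the thread; it assumes a simplified CBAC session table keyed on the 5-tuple, shows the PC's web request already NATed to the Dialer0 address, and uses 203.0.113.5 as a constructed outside address.

```python
from collections import namedtuple

# Excerpt of ACL 101 from the posted config (remarks and some denies omitted).
ACL_101 = """
permit udp host 212.104.130.9 eq domain host 81.168.100.241
permit udp host 212.104.130.65 eq domain host 81.168.100.241
deny ip 192.168.0.0 0.0.0.255 any
permit icmp any host 81.168.100.241 echo-reply
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any any
"""
# proto is "tcp", "udp" or "icmp"; ports and icmp_type are None when not relevant.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(None,) * 3)

def _ip(a):  # dotted quad -> 32-bit int
    return sum(int(o) << (24 - 8 * k) for k, o in enumerate(a.split(".")))

def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> (net, wildcard, next index)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def _port(tok, i):  # optional 'eq <port>' qualifier ('domain' = 53), else None
    if i < len(tok) and tok[i] == "eq":
        return (53 if tok[i + 1] == "domain" else int(tok[i + 1])), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for tok in (line.split() for line in text.strip().splitlines()):
        snet, swild, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dnet, dwild, i = _addr(tok, i)
        dport, i = _port(tok, i)
        itype = tok[i] if tok[1] == "icmp" and i < len(tok) else None
        entries.append((tok[0], tok[1], snet, swild, sport, dnet, dwild, dport, itype))
    return entries

def _match(ip, net, wild):  # a 1 bit in the wildcard mask means "don't care"
    return ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0

def acl_lookup(entries, pkt):  # first match wins; IOS ends every ACL in implicit deny
    for action, proto, snet, swild, sport, dnet, dwild, dport, itype in entries:
        if (proto in ("ip", pkt.proto) and _match(_ip(pkt.src), snet, swild)
                and _match(_ip(pkt.dst), dnet, dwild) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport) and itype in (None, pkt.icmp_type)):
            return action
    return "deny"

def outbound(sessions, pkt):  # 'ip inspect DEFAULT100 out' records the reply flow
    sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

def inbound(entries, sessions, pkt):  # inspection state wins over the static ACL
    if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in sessions:
        return "permit-inspect"
    return acl_lookup(entries, pkt)

def demo():
    acl, sessions, wan = parse_acl(ACL_101), set(), "81.168.100.241"
    # Router-originated lookups and pings are not inspected, so their replies need static permits.
    own_dns = inbound(acl, sessions, Packet("udp", "212.104.130.9", wan, 53, 52001))
    own_ping = inbound(acl, sessions, Packet("icmp", "212.104.130.65", wan, icmp_type="echo-reply"))
    # Unsolicited SYN to port 80 from a constructed address: no session, so 'deny ip any any'.
    unsolicited = inbound(acl, sessions, Packet("tcp", "203.0.113.5", wan, 4444, 80))
    # A PC web request (NATed to the WAN address) opens a session that admits the reply.
    outbound(sessions, Packet("tcp", wan, "129.33.85.162", 40000, 80))
    http_reply = inbound(acl, sessions, Packet("tcp", "129.33.85.162", wan, 80, 40000))
    return own_dns, own_ping, unsolicited, http_reply
```

The same model explains the PC-side failure: a DNS server the PC points at is reachable only through an inspection session, so a wrong DNS IP on the PC fails silently rather than because of the ACL.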
  7. r.h.lee

    r.h.lee Gigabyte Poster

    Chummers,

    What routing protocol are you using? Looks like you're not using one at all due to an absence of a "router [routing protocol]" block.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  8. Chummers

    Chummers New Member

    It gives me GREAT pleasure to announce that it is all working!!!

    Many thanks to all who have replied and helped me in my "void in knowledge".

    I have saved the config file in three separate places, so I never have to go through it again. :biggrin

    Not even sure what solved it. I did re-enter the DNS settings in Network Connections (on the PC, that is) and it just worked; tried the nslookup and that did not work, so entered the DNS settings again and it just sparked into life! (must have got the wrong DNS IP :oops: )

    Once again, thanks for all who helped, especially Spice_Weasel - you have been an absolute star!!
     
  9. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Good to hear it is working, glad to be of assistance :)


    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
