What's wrong with this 857W Config.

Discussion in 'Cisco' started by Chris UK, Jul 18, 2006.

  1. Chris UK

    Chris UK Guest

    Hi all,

    I have recently purchased a Cisco 857W router and seem to be having
    difficulty setting it up. For ease I installed the SDM to give me the
    quickest route to what I thought would be a working config, although
    this has not turned out to be the case.

    The router disallows access to login-based websites such as eBay
    (http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay) and MSN Messenger
    (although netstat reveals that login.live.com responds fine and it
    only seems to fail at the handover to the messenger server on port
    1863), and it drops packets on outgoing SMTP connections, which results in
    it blocking all outgoing mail from the organisation. Nothing of any
    significance is logged; I suspect it is either a NAT problem or
    something to do with IP inspect tcp (disabling this stops all TCP-based
    traffic).

    I was hoping that if I was to post a sanitised copy of the config
    (items in chevrons <...> have been sanitised), that someone might be
    able to have a look and offer some suggestions as to how I might go
    about tracking this problem down and resolving it.

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname <router>
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 <secret password>
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.9
    ip dhcp excluded-address 192.168.0.201 192.168.0.254
    !
    ip dhcp pool sdm-pool1
    import all
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.254
    domain-name <domain name>
    dns-server <ISP Primary DNS> <ISP Secondary DNS>
    !
    !
    ip cef
    ip inspect log drop-pkt
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 https
    ip inspect name DEFAULT100 dns
    ip flow-cache timeout active 1
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name <domain.com>
    ip name-server <ISP Primary DNS>
    ip name-server <ISP Secondary DNS>
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    appfw policy-name DEFAULT100
    application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    !
    !
    crypto pki trustpoint TP-self-signed-1202544901
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1202544901
    revocation-check none
    rsakeypair TP-self-signed-1202544901
    !
    crypto pki trustpoint tti
    revocation-check crl
    rsakeypair tti
    !
    !
    crypto pki certificate chain TP-self-signed-1202544901
    certificate self-signed 01
    <Crypto Certificate>
    quit
    crypto pki certificate chain tti
    username <User> privilege 15 secret 5 <Password>
    !
    !
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    bandwidth 448
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description ISP$FW_OUTSIDE$$ES_WAN$
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/38
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
    description LAN Port 1
    no cdp enable
    !
    interface FastEthernet1
    description LAN Port 2
    no cdp enable
    !
    interface FastEthernet2
    description LAN Port 3
    no cdp enable
    !
    interface FastEthernet3
    description LAN Port 4
    no cdp enable
    !
    interface Dot11Radio0
    description WLAN Port 1
    bandwidth 54000
    no ip address
    ip route-cache flow
    !
    broadcast-key change 3600 membership-termination capability-change
    !
    !
    encryption key 1 size 40bit 7 <Key> transmit-key
    encryption mode ciphers tkip wep40
    !
    ssid <Radio>
    authentication open
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7 <Key>
    !
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2442
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    bridge-group 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address <IP Address> <Netmask>
    ip access-group 103 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip inspect DEFAULT100 out
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname <ISP Username>
    ppp chap password 7 <ISP Password>
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.0.254 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip flow-export source FastEthernet0
    ip flow-export version 5
    ip flow-export destination 192.168.0.3 9996
    ip flow-top-talkers
    top 10
    sort-by bytes
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.0.2 21 interface dialer0 21
    ip nat inside source static tcp 192.168.0.2 25 interface dialer0 25
    ip nat inside source static tcp 192.168.0.2 80 interface dialer0 80
    ip nat inside source static tcp 192.168.0.2 110 interface dialer0 110
    ip nat inside source static tcp 192.168.0.2 119 interface dialer0 119
    ip nat inside source static tcp 192.168.0.2 143 interface dialer0 143
    ip nat inside source static tcp 192.168.0.2 443 interface dialer0 443
    ip nat inside source static tcp 192.168.0.2 444 interface dialer0 444
    ip nat inside source static tcp 192.168.0.2 993 interface dialer0 993
    ip nat inside source static tcp 192.168.0.2 995 interface dialer0 995
    ip nat inside source static tcp 192.168.0.2 1723 interface dialer0 1723
    ip nat inside source static tcp 192.168.0.3 3389 interface dialer0 3389
    ip nat inside source static tcp 192.168.0.2 4125 interface dialer0 4125
    ip nat inside source static tcp 192.168.0.3 6436 interface dialer0 6436
    ip nat inside source static udp 192.168.0.3 6436 interface dialer0 6436
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 81.141.1.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any host 81.141.1.65 echo-reply
    access-list 101 permit icmp any host 81.141.1.65 time-exceeded
    access-list 101 permit icmp any host 81.141.1.65 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 deny ip <MY WAN IP Block> 0.0.0.3 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 permit ip any any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 remark Auto generated by SDM for NTP (123) 81.168.77.149
    access-list 103 permit udp host 81.168.77.149 eq ntp host <IP Address> eq ntp
    access-list 103 remark Auto generated by SDM for NTP (123) 194.35.252.7
    access-list 103 permit udp host 194.35.252.7 eq ntp host <IP Address> eq ntp
    access-list 103 remark Permit primary ISP DNS communication
    access-list 103 permit udp host 212.104.130.65 eq domain host <IP Address>
    access-list 103 remark Permit secondary ISP DNS communication
    access-list 103 permit udp host 212.104.130.9 eq domain host <IP Address>
    access-list 103 remark Deny fake class A local network
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 103 remark Deny fake class B local network
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 103 remark Deny fake class C local network
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 103 remark Deny fake local loopback
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 103 remark Deny fake multicast address
    access-list 103 deny ip host 255.255.255.255 any log
    access-list 103 remark Deny fake multicast address
    access-list 103 deny ip host 0.0.0.0 any log
    access-list 103 remark Permit WAN interface pings
    access-list 103 permit icmp any host <IP Address> echo-reply
    access-list 103 remark Permit WAN interface pings
    access-list 103 permit icmp any host <IP Address> time-exceeded
    access-list 103 remark Permit WAN interface pings
    access-list 103 permit icmp any host <IP Address> unreachable
    access-list 103 remark Permit FTP
    access-list 103 permit tcp any host <IP Address> eq ftp
    access-list 103 remark Permit SMTP
    access-list 103 permit tcp any host <IP Address> eq smtp
    access-list 103 remark Permit WWW
    access-list 103 permit tcp any host <IP Address> eq www
    access-list 103 remark Permit POP3
    access-list 103 permit tcp any host <IP Address> eq pop3
    access-list 103 remark Permit NNTP
    access-list 103 permit tcp any host <IP Address> eq nntp
    access-list 103 remark Permit IMAP4
    access-list 103 permit tcp any host <IP Address> eq 143
    access-list 103 remark Permit HTTPS
    access-list 103 permit tcp any host <IP Address> eq 443
    access-list 103 remark Permit WSS HTTPS
    access-list 103 permit tcp any host <IP Address> eq 444
    access-list 103 remark Permit IMAP4-SSL
    access-list 103 permit tcp any host <IP Address> eq 993
    access-list 103 remark Permit POP3-SSL
    access-list 103 permit tcp any host <IP Address> eq 995
    access-list 103 remark Permit Microsoft VPN
    access-list 103 permit tcp any host <IP Address> eq 1723
    access-list 103 remark Permit MSN Messenger (Msgs)
    access-list 103 permit tcp any host <IP Address> eq 1863
    access-list 103 remark Permit Terminal Services
    access-list 103 permit tcp any host <IP Address> eq 3389
    access-list 103 remark Permit RWW
    access-list 103 permit tcp any host <IP Address> eq 4125
    access-list 103 remark Permit Shareaza TCP
    access-list 103 permit tcp any host <IP Address> eq 6436
    access-list 103 remark Permit Shareaza UDP
    access-list 103 permit udp any host <IP Address> eq 6436
    access-list 103 remark Permit MSN Messenger (Files)
    access-list 103 permit tcp any host <IP Address> range 6891 6900
    access-list 103 remark Permit Microsoft Messenger
    access-list 103 permit udp any host 82.153.233.141 eq 6901
    access-list 103 remark Generic IP Deny Rule
    access-list 103 deny ip any any log
    access-list 104 remark VTY Access-class list
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit ip 192.168.0.0 0.0.0.255 any
    access-list 104 deny ip any any
    dialer-list 1 protocol ip permit
    snmp-server ifindex persist
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    access-class 104 in
    privilege level 15
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 81.168.77.149 source ATM0 prefer
    ntp server 194.35.252.7 source ATM0
    end

    Many thanks in advance for your kind assistance.

    Kind regards,
    Chris.
     
    Chris UK, Jul 18, 2006
    #1
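Independently of the fault Chris is chasing, the question a reviewer would ask of this config is which inside hosts the `access-list 103` permits actually expose through the `ip nat inside source static` entries, which permits have no translation behind them (inbound 1863 and 6891-6900 here; CBAC's `inspect tcp` already admits the return half of outbound Messenger sessions), and which permits restrict only the source port (the ISP DNS rules admit any UDP destination port from that source). The following Python script is an added example, not part of Chris's post or of Cisco's SDM: it parses an excerpt of the config above and cross-checks NAT against the ACL. The excerpt and the port-name table are constructed from lines in the thread, with `<IP Address>` kept as the poster sanitised it; the function names are this example's own.

```python
import re

# Well-known port names IOS accepts in ACLs (constructed subset for this config).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "nntp": 119,
              "domain": 53, "ntp": 123}

# Constructed excerpt of the posted config; "<IP Address>" is kept exactly as
# the poster sanitised it and is treated as an opaque host token.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 25 interface dialer0 25
ip nat inside source static tcp 192.168.0.3 3389 interface dialer0 3389
ip nat inside source static tcp 192.168.0.3 6436 interface dialer0 6436
ip nat inside source static udp 192.168.0.3 6436 interface dialer0 6436
access-list 103 remark Permit primary ISP DNS communication
access-list 103 permit udp host 212.104.130.65 eq domain host <IP Address>
access-list 103 permit tcp any host <IP Address> eq smtp
access-list 103 permit tcp any host <IP Address> eq 3389
access-list 103 permit tcp any host <IP Address> eq 1863
access-list 103 permit tcp any host <IP Address> eq 6436
access-list 103 permit udp any host <IP Address> eq 6436
access-list 103 permit tcp any host <IP Address> range 6891 6900
access-list 103 deny ip any any log
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$",
    re.IGNORECASE)
# The source spec is matched lazily so a *source* port ("eq domain") is not
# mistaken for the destination port.
ACL_RE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) (?P<src>.+?) host (?P<dst><[^>]+>|\S+)"
    r"(?: eq (?P<eq>\S+)| range (?P<lo>\d+) (?P<hi>\d+))?\s*$",
    re.IGNORECASE)


def port_number(token):
    """Resolve an IOS port keyword or numeric string to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_static_nat(config):
    """Return {(proto, outside_port): 'inside_ip:inside_port'}."""
    nat = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, inside_ip, inside_port, outside_port = m.groups()
            nat[(proto.lower(), int(outside_port))] = f"{inside_ip}:{inside_port}"
    return nat


def parse_inbound_permits(config, acl="103"):
    """Return [(proto, src_spec, lo, hi)] for tcp/udp permits in one ACL.
    A permit with no destination port covers the whole 0-65535 range."""
    permits = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl:
            continue
        if m.group("eq"):
            lo = hi = port_number(m.group("eq"))
        elif m.group("lo"):
            lo, hi = int(m.group("lo")), int(m.group("hi"))
        else:
            lo, hi = 0, 65535
        permits.append((m.group(2).lower(), m.group("src"), lo, hi))
    return permits


def audit(config, acl="103"):
    """Cross-check the inbound ACL against static NAT.  Returns four lists:
    exposed (permit + translation), permit_without_nat, nat_without_permit,
    and wide_open (permits that limit the source but not the destination port)."""
    nat = parse_static_nat(config)
    result = {"exposed": [], "permit_without_nat": [],
              "nat_without_permit": [], "wide_open": []}
    covered = set()
    for proto, src, lo, hi in parse_inbound_permits(config, acl):
        if (lo, hi) == (0, 65535):
            result["wide_open"].append((proto, src))
            continue
        hits = [k for k in nat if k[0] == proto and lo <= k[1] <= hi]
        for k in hits:
            result["exposed"].append((proto, k[1], nat[k]))
            covered.add(k)
        if not hits:
            result["permit_without_nat"].append((proto, lo, hi))
    wide = {p for p, _ in result["wide_open"]}
    result["nat_without_permit"] = sorted(
        k for k in nat if k not in covered and k[0] not in wide)
    return result


if __name__ == "__main__":
    for section, rows in audit(SAMPLE_CONFIG).items():
        print(section, rows)
```

Run against the full pasted config, the `exposed` list is the real Internet-facing surface of the LAN (mail, web, RDP and the Shareaza ports on 192.168.0.2/.3), `permit_without_nat` is what can be removed without losing anything, and `wide_open` is what to replace with the stateful `inspect dns` that the config already carries.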

  2. Chris UK

    anybody43 Guest

    Examine the inspect closely. Look up what
    inspect https actually means. I don't know.
    I do recall that inspect http blocked all java code
    which was a surprise to me.

    You have inspect esmtp, do you need inspect smtp too?

    If you take out for example inspect esmtp the
    stateful firewall will still allow the return traffic
    via the inspect tcp statement but you will lose the special
    investigation of the (e)smtp commands.

    I guess that it will bust into life if you take out the two
    inspects mentioned and you can then worry about
    putting them back later.

    conf t
    logg buff 64000 ! or more, check memory
    logg buff deb
    no logg console
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    end

    deb ip inspect

    undeb all
    sh logg

    are your friends.


    You can also term mon but I always use a second session
    to be ready to undeb all.

    If the router is remote consider "reload 20"
    before debugging.

    Read the debug guidelines regarding the possible impact on the system.
    Use ACLs for debugging where applicable.
     
    anybody43, Jul 18, 2006
    #2
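Once logging is buffered as anybody43 suggests, `sh logg` on this router fills up with `%FW-6-DROP_PKT` messages, because the config already has `ip inspect log drop-pkt` set, and the useful signal is which destination ports and which inside hosts account for the drops. The script below is an added example, not from anybody43's post: it groups those messages by protocol, destination port and drop reason, and by inside source. The sample `show logging` lines are constructed for the demonstration; the wording after the address pairs varies between IOS releases, so the pattern keys only on the message name, the protocol, the two address:port pairs and whatever follows "due to".

```python
import re
from collections import Counter

# Constructed sample of 'show logging' output (not captured router output).
SAMPLE_LOG = """\
000120: Jul 18 10:01:02.111 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.2:1034 203.0.113.25:25 due to Invalid Segment with ip ident 0
000121: Jul 18 10:01:03.215 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.2:1035 203.0.113.25:25 due to Invalid Segment with ip ident 0
000122: Jul 18 10:01:09.004 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.10:1200 203.0.113.80:1863 due to Stray Segment with ip ident 0
000123: Jul 18 10:01:11.900 PCTime: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.3)
000124: Jul 18 10:01:15.333 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.2:1036 203.0.113.25:25 due to Invalid Segment with ip ident 0
000125: Jul 18 10:01:20.010 PCTime: %FW-6-DROP_PKT: Dropping udp session 192.168.0.5:5353 224.0.0.251:5353 due to Policy drop
"""

# Tolerant pattern: the word after the protocol ("session"/"pkt") and the
# trailing "with ip ident N" are optional details that differ across releases.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) \S+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"(?: due to (?P<reason>.*?))?(?: with ip ident \d+)?\s*$")


def parse_drops(log):
    """Extract one dict per %FW-6-DROP_PKT line; other syslog lines are skipped."""
    drops = []
    for line in log.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["reason"] = d["reason"] or "unspecified"
        drops.append(d)
    return drops


def summarise(drops):
    """Count drops by (proto, dst port, reason) and by inside source host."""
    by_service = Counter((d["proto"], d["dport"], d["reason"]) for d in drops)
    by_source = Counter(d["src"] for d in drops)
    return by_service, by_source


def top_services(log, n=3):
    """Most frequently dropped (proto, dst port, reason) triples in a log."""
    by_service, _ = summarise(parse_drops(log))
    return by_service.most_common(n)


if __name__ == "__main__":
    by_service, by_source = summarise(parse_drops(SAMPLE_LOG))
    for (proto, port, reason), count in by_service.most_common():
        print(f"{count:4d}  {proto}/{port:<5} {reason}")
    for host, count in by_source.most_common():
        print(f"{count:4d}  from {host}")
```

On the constructed sample the top entry is tcp/25 with the same reason three times from 192.168.0.2, which is exactly the shape of evidence that separates "the inspect engine is rejecting SMTP" from "the packets never reach the inspect engine at all", the distinction Chris ends up needing further down the thread.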

  3. www.BradReese.Com, Jul 19, 2006
    #3
  4. Chris UK

    Chris UK Guest

    Hi guys,

    There are moments in your life that you wish you could just crawl into
    a hole and stay there - I've figured out the issues, DNS, packet dropping,
    etc. I was obviously having an off day when I initially configured the
    router - and I had set it up for PPPoE (as my previous ISP was), however
    the current one requires PPPoA. A hardware reset and some quick
    reconfiguring later it all works tickety-boo.

    I was thrown by this as I would have thought the wrong encapsulation would
    have resulted in no traffic. I would suspect that the difficulty in
    tracking down the lost packets would have been due to the DSLAM dumping
    them?

    Many thanks for all your assistance in this - if it's any consolation
    I've learned a great deal about the 857W.

    I'd still be interested in any hardening tips you guys would have - the
    config is essentially the same as above (apart from PPPoA).

    Regards,
    Chris.
     
    Chris UK, Jul 19, 2006
    #4
  5. Chris UK

    gray.wizard Guest

    gray.wizard, Jul 21, 2006
    #5