Cisco 877W Connecting to Internet

  • Cisco 877W Connecting to Internet

    I have purchased a Cisco 877W as a Draytek replacement and I am having problems.

    I have configured it to connect to my PPPoA ISP OK and the network test in SDM reports that the connection is OK. (only after inserting the DNS servers hidden away in additional tasks).

    The default route is setup and VLANs configured.

    I can ping my WAN IP but get 25% on the ISP gateway address. I think the default MTU for Cisco is 1400 which is a little low. I don't think that is the problem.

    Here is my running config. (The firewall stuff has been removed due to size restrictions.)

    I would appreciate any help with this problem.

    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname 9RTR01
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$SXS/$glJdBQhXTUIX1u4vAA6vt.
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip inspect log drop-pkt
    ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
    ip inspect name SDM_MEDIUM cuseeme
    ip inspect name SDM_MEDIUM dns
    ip inspect name SDM_MEDIUM ftp
    ip inspect name SDM_MEDIUM h323
    ip inspect name SDM_MEDIUM https
    ip inspect name SDM_MEDIUM icmp
    ip inspect name SDM_MEDIUM imap reset
    ip inspect name SDM_MEDIUM pop3 reset
    ip inspect name SDM_MEDIUM netshow
    ip inspect name SDM_MEDIUM rcmd
    ip inspect name SDM_MEDIUM realaudio
    ip inspect name SDM_MEDIUM rtsp
    ip inspect name SDM_MEDIUM esmtp
    ip inspect name SDM_MEDIUM sqlnet
    ip inspect name SDM_MEDIUM streamworks
    ip inspect name SDM_MEDIUM tftp
    ip inspect name SDM_MEDIUM tcp
    ip inspect name SDM_MEDIUM udp
    ip inspect name SDM_MEDIUM vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name winit.local
    ip name-server 212.104.130.9
    ip name-server 212.104.130.65
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !

    !
    crypto pki trustpoint TP-self-signed-2685395840
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2685395840
    revocation-check none
    rsakeypair TP-self-signed-2685395840
    !
    !
    crypto pki certificate chain TP-self-signed-2685395840
    certificate self-signed 01
    quit
    username witadmin privilege 15 secret 5 $1$DTOC$Z4ggIL8LWmpOu8hZYyE260
    !
    !
    !
    bridge irb
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
    no ip address
    !
    encryption vlan 1 key 1 size 40bit 7 1E1DB34A921C transmit-key
    encryption vlan 1 mode wep mandatory
    !
    ssid nine9
    vlan 1
    authentication open
    guest-mode
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no snmp trap link-status
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address **.**.**.** 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect SDM_MEDIUM out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname na******@adsl.eclipse.co.uk
    ppp chap password 7 0706314946000A0C04061903
    ppp pap sent-username na******@adsl.eclipse.co.uk password 7 08285C4B0110161E011F1E0B
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.10.254 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !
    router rip
    network 192.168.10.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.10.1 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 91.84.41.228 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any host 91.84.41.229 eq www
    access-list 101 permit tcp any host 91.84.41.229 eq smtp
    access-list 101 permit tcp any host 91.84.41.229 eq 443
    access-list 101 permit udp host 212.104.130.65 eq domain host 91.84.41.229
    access-list 101 permit udp host 212.104.130.9 eq domain host 91.84.41.229
    access-list 101 deny ip 192.168.10.0 0.0.0.255 any
    access-list 101 permit icmp any host 91.84.41.229 echo-reply
    access-list 101 permit icmp any host 91.84.41.229 time-exceeded
    access-list 101 permit icmp any host 91.84.41.229 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    Last edited by darrenst; 6th February 2007, 15:11. Reason: Wanted to add a thanks.

  • #2
    Re: Cisco 877W Connecting to Internet

    Hi Darrenst,

    I ran across this info that might apply to your issue:
    quoted from the following website:
    http://www.oreillynet.com/pub/a/netw...ps.html?page=2

    The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall.

    For example, you just configured an access-list on your DSL link for your home router. All of the sudden, when you send big transmissions like a large email attachment, you find your connections timing out or closing unexpectedly. Unsure, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You ask yourself what happened as you review the access-list. Well, the problem is as simple as not permitting ICMP through your list.

    As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. But in reality, it plays a very important role. In the problem I just described, it sounds like an MTU (Maximum Transmission Unit) or source-quench problem, which means the ICMP information isn't getting through the access-list. Either way, add the following commands to your access-list and your problems might go away:


    ! allow pings into the network
    access-list 110 permit icmp any any echo
    ! allow ping responses
    access-list 110 permit icmp any any echo-reply
    ! allow ICMP source-quench
    access-list 110 permit icmp any any source-quench
    ! allow path MTU discovery
    access-list 110 permit icmp any any packet-too-big
    ! allow time-exceeded, which is useful for traceroute
    access-list 110 permit icmp any any time-exceeded
    ! deny all other ICMP packets
    access-list 110 deny icmp any any
    I am not saying that this is the problem but it sounded like it might be worth looking at.
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: Cisco 877W Connecting to Internet

      Thanks David. I'll have a crack at that and let you know.



      • #4
        Re: Cisco 877W Connecting to Internet

        That is quite interesting. The article explains that you have to open the firewall up so that external DNS servers can be reached.

        It suggests these commands:

        access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
        access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023

        Looking at my running config I do have these lines within:

        access-list 101 permit udp host 212.104.130.65 eq domain host 91.84.41.229
        access-list 101 permit udp host 212.104.130.9 eq domain host 91.84.41.229

        but from looking at SDM it looks like it's only for traffic coming in.

        What is the difference between:

        eq domain any gt 1023
        and
        eq domain host 91.84.41.229

        Thanks



        • #5
          Re: Cisco 877W Connecting to Internet

          Hi Darrenst

          The difference between these two is:
          eq domain any gt 1023
          and
          eq domain host 91.84.41.229
          The first one is allowing traffic from ANY host with port numbers > 1023.
          With the second, you are only allowing the certain host, period.

          I am curious about the ICMP entries in the ACL. ICMP is used for much more than just "pinging". It is used to negotiate the MTU. That MTU negotiation may be what is failing, in your case.

          Just some thoughts...

          Thanks,
          David Davis - Petri Forums Moderator & Video Training Author
          Train Signal - The Global Leader in IT Video Training
          TrainSignalTraining.com - Free IT Training Products
          Personal Websites: HappyRouter.com & VMwareVideos.com
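          As an added illustration (not code from the thread, from Cisco, or from the quoted article), the Python below evaluates Cisco extended access-list lines with first-match semantics and the implicit trailing deny, so the two DNS forms compared in #4 and #5, and the ICMP echo-reply entry from the running config, can be tried against constructed packets. It parses only the syntax that appears on this page (ip/tcp/udp/icmp, any/host/wildcard, eq/gt, ICMP type keywords); the sample packets and the 203.0.113.x addresses are constructed.

          ```python
          import ipaddress
          PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25}  # port names used on this page

          def _addr(tokens):
              """Consume one address spec (any | host A | A WILDCARD); return (matcher, rest)."""
              if tokens[0] == "any":
                  return (lambda ip: True), tokens[1:]
              if tokens[0] == "host":
                  want = ipaddress.ip_address(tokens[1])
                  return (lambda ip: ipaddress.ip_address(ip) == want), tokens[2:]
              base = int(ipaddress.ip_address(tokens[0]))
              mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard bit 1 = don't care
              return (lambda ip: int(ipaddress.ip_address(ip)) & mask == base & mask), tokens[2:]

          def _port(tokens):
              """Consume an optional 'eq N' / 'gt N'; N may be a name such as domain."""
              if tokens and tokens[0] in ("eq", "gt"):
                  op, n = tokens[0], PORT_NAMES.get(tokens[1]) or int(tokens[1])
                  return (lambda p: p == n if op == "eq" else p > n), tokens[2:]
              return (lambda p: True), tokens

          def parse_ace(line):
              """Parse 'access-list N permit|deny PROTO SRC [PORT] DST [PORT] [ICMP-TYPE] [log]'."""
              t = line.split()
              if t[2] == "remark":
                  return None
              action, proto, rest = t[2], t[3], t[4:]
              src, rest = _addr(rest)
              sport, rest = _port(rest)
              dst, rest = _addr(rest)
              dport, rest = _port(rest)
              icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
              return action, proto, src, sport, dst, dport, icmp_type

          def evaluate(acl_lines, pkt):
              """First-match evaluation, ending in IOS's implicit 'deny ip any any'."""
              for action, proto, src, sport, dst, dport, icmp_type in filter(None, map(parse_ace, acl_lines)):
                  if proto not in ("ip", pkt["proto"]) or not (src(pkt["src"]) and dst(pkt["dst"])):
                      continue
                  if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
                      continue
                  if icmp_type and icmp_type != pkt.get("icmp_type"):
                      continue
                  return action
              return "deny"

          THREAD_ACL = [  # three lines taken from the thread's ACL 101
              "access-list 101 permit udp host 212.104.130.65 eq domain host 91.84.41.229",
              "access-list 101 permit icmp any host 91.84.41.229 echo-reply",
              "access-list 101 deny ip any any log",
          ]  # the article's 'any gt 1023' form, with the thread's resolver substituted in:
          ARTICLE_ACL = ["access-list 110 permit udp host 212.104.130.65 eq domain any gt 1023"]

          def compare(pkt):
              return evaluate(THREAD_ACL, pkt), evaluate(ARTICLE_ACL, pkt)
          ```

          A DNS reply to the router's WAN address on a high port is permitted by both forms; a reply aimed at port 53 passes only the "host" form, and a reply to any other destination passes only the "any gt 1023" form.
          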



          • #6
            Re: Cisco 877W Connecting to Internet

            Excuse my ignorance but if the MTU was wrong surely I would get some traffic through and at least TRACERT would work.

            The default MTU for these Ciscos is 1400 but I know Eclipse (My ISP) have suggested 1478.

            Is it easy to change the MTU in SDM, or is it a CLI moment? Haven't used CLI since my CCNA days many moons ago and have forgotten it all.

            I am sure that a wrong MTU would cause dropouts but not stop all access. I may be wrong.

            Also is the DNS IP port remapped to port 1023?

            Thanks for your thoughts anyway.



            • #7
              Re: Cisco 877W Connecting to Internet

              Hi Darren,

              I don't really know about how to change the MTU in SDM as I just don't use it. However, in the CLI, it is very easy. Here is how you do it:

              Router#conf t
              Enter configuration commands, one per line. End with CNTL/Z.
              Router(config)#int s0/0
              Router(config-if)#mtu ?
              <64-17940> MTU size in bytes

              Router(config-if)#mtu
              Router(config-if)#mtu 1478
              You are right that an incorrect MTU would probably only cause slow traffic or lost traffic - not no traffic. Perhaps I misread, I thought that you were getting 25% of pings through so I thought that you had packet loss but still had some communications. If I misread, I am sorry.

              Usually, when you do an ACL with something like "gt 1023" you are saying that you don't know what port the packet will come on but it will be 1023 or greater. I think the specific "host" entry in your ACL for DNS is better than the "any gt 1023".

              The icmp & dns may have nothing to do with your problem. If not, we can focus back on the original question and configuration.

              Anyone else out there have any suggestions for darren?

              Thanks,
              David Davis - Petri Forums Moderator & Video Training Author
              Train Signal - The Global Leader in IT Video Training
              TrainSignalTraining.com - Free IT Training Products
              Personal Websites: HappyRouter.com & VMwareVideos.com



              • #8
                Re: Cisco 877W Connecting to Internet

                Hi David,

                In running through your suggestions I actually solved the problem and I am sorry to say the fault was me.

                The problem was I had two routers connected to my network and I would change DHCP to use the new (Cisco) route while I was setting up and testing.

                All was good and dandy except I forgot to change the static IP of the Default Gateway on the server so quite rightly no internet traffic was getting through.

                Thanks for the help. I guess it's a learning curve anyway.



                • #9
                  Re: Cisco 877W Connecting to Internet

                  Hi Darren,

                  Excellent, I'm glad you figured it out!

                  Many times, just talking the issues out with someone else ends up in solving the problem.

                  Thanks for your question,
                  David Davis - Petri Forums Moderator & Video Training Author
                  Train Signal - The Global Leader in IT Video Training
                  TrainSignalTraining.com - Free IT Training Products
                  Personal Websites: HappyRouter.com & VMwareVideos.com



                  • #10
                    Re: Cisco 877W Connecting to Internet

                    Posting back with the solution to your problem is really appreciated. Reputation points added for that. Thanks.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2
