PPTP out & in, Cisco 881
Hello,
I've searched a few forums and tried to use some of suggestions (and that's why the config is so big and probably messed up ;-)
The network is very simple: (Computers behind NAT + Windows 2008 Server with PPTP -> Cisco 881 -> DSL) and (near) everything works perfectly.
It is not posible to connect from outside to W2008 PPTP (stops at "connecting..."), what is even more interesting you can not connect from inside to any of PPTP servers located on the Internet (this stops at "veryfying user name & password")
Please check the configuration, and thanks in advance!
Greetings,
Adrian
config
ip dhcp excluded-address 192.168.100.1 192.168.100.29
ip dhcp excluded-address 192.168.100.100 192.168.100.254
ip dhcp pool Logmar
import all
network 192.168.100.0 255.255.255.0
dns-server 194.204.159.1 192.204.152.34
default-router 192.168.100.1
ip cef
no ip bootp server
ip domain name logmar
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip port-map user-rserial port tcp 33600 list 3 description rserial
ip inspect tcp reassembly queue length 1024
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any VOIP
match protocol sip-tls
match protocol sip
match protocol pptp
match class-map SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any pptp
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map VOIP
match access-group name VOIP
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any pptp-traffic
match access-group name pptp
match access-group name SDM_GRE
match access-group name pptp-out
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map global-policy
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class type inspect pptp-traffic
pass
class type inspect SDM_GRE
pass
class class-default
pass
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect pptp-traffic
pass
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
pass
class type inspect pptp-traffic
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect pptp-traffic
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 4 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip nat inside source list pptp-out interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended VOIP
remark CCP_ACL Category=128
permit ip any host 192.168.100.100
ip access-list extended pptp
remark CCP_ACL Category=1
permit gre any any
permit tcp any host 192.168.100.100 eq 1723
permit ip any host 192.168.100.100
ip access-list extended pptp-out
remark CCP_ACL Category=2
permit tcp any any eq 1723
permit gre any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 3 remark CCP_ACL Category=1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=0
no cdp run
I've deleted all (well at least part concerning PPTP access ;-) configuration and written it from scratch...
Heh, I do not understand WHY configuring Cisco is such a pain while doing same thing in ALL other routers is easier, far more predictable, and not at all less secure
Below is ACL & policy-map-related part of my config - hope this helps.
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any cpp-cls-inside
match protocol pptp
match class-map SDM_GRE
match access-group name SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
match protocol skinny
match protocol sip
match protocol sip-tls
match access-group name SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map global-policy
policy-map type inspect ccp-inspect
class type inspect SDM_GRE
pass
class type inspect ccp-invalid-src
drop log
class type inspect ccp-insp-traffic
inspect
class class-default
pass
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inside
class type inspect SDM_GRE
pass
class type inspect cpp-cls-inside
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security cp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-inside
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
logging trap debugging
logging 192.168.100.100
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
Similar Messages
-
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
endWhy do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ? -
Need help with cisco 881 configuration.
Hi, I have cisco 881 wireless router, and I need to configure this as a switch, I have dhcp server in network 192.168.12.254, and I need that cisco wifi and lan clients get IP addresses from existing dhcp server.
I connect wire from network (with dhcp server) to FastEthernet0, create vlan interface (192.168.12.10 255.255.255.0), described vlan on other FastEthernet interfaces, so LAN clients get IP addresses from my dhcp server without problems, but how to do the same with wifi clients?Follow this support doc because you need to trunk the AP to the router and specify the vlan the wireelss clients will be on.
https://supportforums.cisco.com/docs/DOC-16145
Here is a doc that guides you through multiple vlans/subnets on access points:
https://supportforums.cisco.com/docs/DOC-14496
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Hi, I need to provide a router to connect Internet circuit and run IPsec to MPLS network. Circuit is 10Mbps.
What is the max a Cisco 881 can handle if running IPsec?
Also, if you are aware of any branch router (1941) which allows connection to future 4G LTE please let me know.Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
The attachment notes 25 Mbps for an 800 series, but that would be unidirectional and w/o IPSec. -
P2P Blocking is disabled in cisco 881 W router
Hi
We are facing an issue with the communication between wireless clients in same subnet .These users are not able to ping each other in cisco 881 W wireless router.
But we can do in this router to disable this P2P blocking.Well I would use a static on the AP, but if you depending on IOS dhcp to be reliable, then maybe you need to setup a Mac reservation for the AP. It would be after to just set a static on the AP. Since you know your environment will grow, it might be better that you start setting them to static. IOS dhcp isn't 100% reliable as you have already experienced.
Sent from Cisco Technical Support iPad App -
Hello
I'm having some trouble configuring a cisco 881. I'm building a lab where I connect 2 cisco 881 through the fe4 interface (Wan port), and then connect to each router a PC, at interface fe0 (Lan port). The idea was to establish connection and implementing a static route between the 2 routers.
As a default the 881 has dhcp enabled on VLAN1 (10.10.10.0/24). So I set the pc's to get Ip's automatically. On Router A, I changed the dhcp pool so that I had a different network (11.10.10.0/24). So I have PC1 (11.10.10.2) connected to Router A on interface fa0. Router A connects to Router B through the fe4 interfaces (WAN ports). And PC2 (10.10.10.0/24) connects to Router B on fa0 interface.
I assigned an ip address to fe4 on Router A (192.168.10.1/24) and an ip address to fe4 on Router B (192.168.10.2/24).
At last I configured the static routes on both routers.
On Router A : ip route 10.10.10.0 255.255.255.0 192.168.10.2
On Router B : ip route 11.10.10.0 255.255.255.0 192.168.10.1
With everything configured I tested the connections.
PC 1 to its gateway: successful
PC 1 to 192.168.10.2: successful
PC1 to the gateway of PC2(10.10.10.1/24): successful
PC 1 to PC 2: failed
PC 2 to its gateway: successful
PC 2 to 192.168.10.1: successful
PC2 to the gateway of PC1(11.10.10.1/24): successful
PC 1 to PC 2: failed
Well this is the scenario. I really don’t understand the problem. I thing I did everything right, but I simply don’t get the result. Is there an error with my configuration or is this simply not doable?
Thanks a lot.Have you checked that the firewalls are turned off? If you can ping the far side, that tells me you have a default gateway configured on the workstation and that the far side router has a route back to you. The only thing left would be firewalls need to be turned off on the workstations.
HTH,
John
*** Please rate all useful posts *** -
Hi All,
I set up enable password as well as telnet password on cisco 881-k9.
with the same password :kadd2013
no username confugured
when i saved the config , i was unable to login again using the same password i configuredDid it just ask for password? Could have you gotten white space in the password? Try to enter the password with a space after it. Either that or a typo. Did you have caps lock enabled?
Daniel Dib
CCIE #37149
Please rate helpful posts. -
Hi,
I am configuring staic L2TPv3 on Cisco 881. According to the feature navigator it is supported and I can configure without any problem. The L2TPv3 session seems to be UP but apparently there is no data I can send accross this L2TPv3 tunnel.
Anyone can give suggestion ?
thanks in advance.Please post on WAN, Routing and Switching community.
Shelley. -
Cisco 881 Zone Firewall issues
I'm having issues with an 881 that I have configured as a zone based firewall.
I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
On the corporate side the user complains that some websites fail, such as Linked in.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
endHello Martin,
Please apply the following changes and let us know:
ip access-list extend DMZtoAny
1 permit udp 192.168.12.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
Ip access-list extended DMZ-Out
1 permit tcp 192.168.12.0 0.0.0.255 any eq 80
2 permit tcp 192.168.12.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that, try and if it does not work post the configuration with the changes applied,
Regards,
Remember to rate all of the helfpul posts, that is as important as a thanks
Julio -
Hi All,
I am trying to forward incoming external traffic from the internet on ports 25 and 433 to internal IP 10.10.10.29, but it's not working, any ideas what I've done wrong?
I've replaced some of the config with "x"'s
Config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 xxxx
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime 10 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-704284261
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-704284261
revocation-check none
rsakeypair TP-self-signed-704284261
crypto pki certificate chain TP-self-signed-704284261
certificate self-signed 01
xxx
quit
no ip source-route
ip cef
no ip bootp server
ip domain name
ip name-server 10.10.10.31
ip port-map user-Intranet port tcp 8080 list 3 description Intranet
ip port-map user-5610 port tcp 5610 description 5610
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ldap
no ipv6 cef
license udi pid CISCO881-K9 sn FGL164227LM
username admin privilege 15 secret 5 xx
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group xxx.remote
key xxx
dns 10.10.10.1 10.10.10.4
wins 10.10.10.1 10.10.10.4
domain xxx.local
pool SDM_POOL_1
acl 102
split-dns xxx.local
max-users 10
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-MD5
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description WAN Interface$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 125.7.x.x 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Vlan1
description Internal Interface$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.3 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 10.10.20.100 10.10.20.120
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 125.7.x.x
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.51
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.5
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.10.10.31 eq domain any
access-list 100 remark SEP Cloud 1
access-list 100 permit ip any host 67.134.208.160
access-list 100 permit udp host 10.10.10.4 eq domain any
access-list 100 remark MYOB File Confirmation
access-list 100 permit ip any host 203.34.100.26
access-list 100 remark Ansarada Dataroom
access-list 100 permit ip any host 125.7.67.133
access-list 100 remark ClassSuper
access-list 100 permit tcp any host 125.7.68.130 eq 443
access-list 100 remark Mercury Connective
access-list 100 permit tcp any host 150.207.147.152 eq 2099
access-list 100 remark AE Tax Lodgement 2
access-list 100 permit tcp any any eq 7586
access-list 100 remark AE Tax Lodgement
access-list 100 permit tcp any any eq 10000
access-list 100 remark Corporate Compliance
access-list 100 permit tcp any any eq 5610
access-list 100 remark GRE
access-list 100 permit gre any any
access-list 100 remark PPTP
access-list 100 permit tcp any any eq 1723
access-list 100 remark RDP
access-list 100 permit tcp any any eq 3389
access-list 100 remark Remote VMs
access-list 100 permit tcp any eq 3389 10.10.20.0 0.0.0.255
access-list 100 remark GetBusi to HTTP
access-list 100 permit tcp host 10.10.10.18 any eq www
access-list 100 remark GetBusi FILTERING
access-list 100 permit tcp host 10.10.10.18 any eq 3436
access-list 100 remark GetBusi NTP
access-list 100 permit tcp host 10.10.10.18 any eq 123
access-list 100 remark GetBusi RSYNC
access-list 100 permit tcp host 10.10.10.18 any eq 873
access-list 100 remark GetBusi DNS
access-list 100 permit tcp host 10.10.10.18 any eq domain
access-list 100 remark GetBusi SSH
access-list 100 permit tcp host 10.10.10.18 any eq 22
access-list 100 remark GetBusi FTP
access-list 100 permit tcp host 10.10.10.18 any eq ftp
access-list 100 remark GetBusi SSL
access-list 100 permit tcp host 10.10.10.18 any eq 443
access-list 100 remark Icarus
access-list 100 permit ip host 10.10.10.99 any
access-list 100 remark BlackHawk
access-list 100 permit ip host 10.10.10.28 any
access-list 100 remark Bane
access-list 100 permit ip host 10.10.10.24 any
access-list 100 remark Buffy
access-list 100 permit ip host 10.10.10.31 any
access-list 100 remark Skype TV Cam FTR
access-list 100 permit ip host 10.10.10.173 any
access-list 100 remark Pyro
access-list 100 permit ip host 10.10.10.26 any
access-list 100 remark TV in FTR
access-list 100 permit ip host 10.10.10.32 any
access-list 100 remark Quorra
access-list 100 permit ip host 10.10.10.29 any
access-list 100 remark Gambit
access-list 100 permit ip host 10.10.10.12 any
access-list 100 remark THOR
access-list 100 permit ip host 10.10.10.21 any
access-list 100 remark QBO Remote VM
access-list 100 permit ip host 10.10.10.47 any
access-list 100 remark VIZ
access-list 100 permit ip host 10.10.10.5 any
access-list 100 remark vCenter
access-list 100 permit ip host 10.10.10.25 10.10.20.0 0.0.0.255
access-list 100 remark WISE
access-list 100 permit ip host 10.10.10.4 any
access-list 100 remark Email - Lotus Domino
access-list 100 permit ip host 10.10.10.1 any
access-list 100 remark TQ's PC1
access-list 100 permit ip host 10.10.10.124 any
access-list 100 remark Thrace
access-list 100 permit ip host 10.10.10.22 any
access-list 100 remark TQ's PC2
access-list 100 permit ip host 10.10.10.97 any
access-list 100 remark TQ's PC2 UDP
access-list 100 permit udp host 10.10.10.97 any
access-list 100 deny ip 203.47.157.0 0.0.0.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 remark Block Port 25
access-list 100 deny tcp any eq smtp any eq smtp log
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Auto generated by CCP for NTP (123) 212.12.50.232
access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
access-list 101 permit ahp any host 125.7.x.x
access-list 101 permit esp any host 125.7.x.x
access-list 101 permit udp any host 125.7.x.x eq isakmp
access-list 101 permit udp any host 125.7.x.x eq non500-isakmp
access-list 101 permit ip host 10.10.20.100 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.101 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.102 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.103 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.104 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.105 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.106 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.107 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.108 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.109 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.110 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.111 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.112 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.113 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.114 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.115 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.116 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.117 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.118 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.119 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.120 10.10.10.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny udp any any eq 603
access-list 101 deny tcp any any eq 603
access-list 101 permit tcp any any eq smtp
access-list 101 remark Secure Inbound HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 remark Allow remote ISW access to router
access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
access-list 101 remark PPTP access to completekitchensolutions
access-list 101 permit gre host 202.170.194.141 any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
route-map SDM_RMAP_2 permit 1
match ip address 104
snmp-server community public RO
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000 4000 1000
scheduler interval 500
ntp server 212.12.50.232 source FastEthernet4
endI decided it might be easier to factory restore, setup, enter the NAT setting and setup the firewall using the wizard, but still it is not working.
Updated config: (some info replaced with "xx")
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 4 xx
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-84280098
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-84280098
revocation-check none
rsakeypair TP-self-signed-84280098
crypto pki certificate chain TP-self-signed-84280098
certificate self-signed 01
xx
quit
ip source-route
ip cef
ip name-server 8.8.8.8
no ipv6 cef
license udi pid CISCO881-K9 sn FGL164227LM
username admin privilege 15 secret 4
xx
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address 125.7.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip route 0.0.0.0 0.0.0.0 125.7.xx.xx
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 125.7.xx.xx 0.0.0.3 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.29
line con 0
exec-timeout 5 30
password xx
login
line aux 0
line vty 0 4
privilege level 15
password xx
login local
transport input telnet ssh
end -
PPTP VPDN and Cisco Client errors
Hello there, i have configured a cisco 1841 router as a vpn server for microsoft pptp client access. When connecting outside my local lan it hangs at verifying username and password then gives me error 619 message "remote computer did not respond so port was closed". I am however able to connect on my local lan. I also have Cisco's VPN client configured on the router which works fine and able to receive emails in microsoft outlook but cannot send any emails. The emails just sit in the outbox till i connect to my local lan.Anyone who has experienced a similar problem? I have tried all the configs in the the forum and problem still persists. Any solutions?? Thanks
Try these links:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
http://www.cisco.com/en/US/tech/tk827/tk369/tech_configuration_examples_list.html -
Any script to let me find out which Cisco switches have RSA key less than 800 bit?
Hi,
Imagine I have 500 Cisco switches (2950, 3750, 4507), IOS 12.3 but some may have different IOS level.
I know that some of these switches got 'cry key gen rsa' key size = 512.
I need to have key size = 800 bit.
We do not have Cisco Works in place. Someone in my organization tells me that I would need all these switches at 800 bit otherwise CiscoWorks can't login to it. Does that make sense? I am not sure if I understand that correctly.
Question:
If it is true that CiscoWorks can't access such switches and let me change that setting automatically, do you know any script which I could use to let me run against a list of IP addresses and query the switches to find out where RSA key is 800 bits? If it is not 800 bit, I would like to log a message so that I could go manually to the switch to re-execute 'cry key gen rsa' and do 800 bit instead.IOS 12.3 doesn't run on any of these switches.
LMS can login to switches with an RSA modulus of 512 bits. It will just use SSHv1 instead of v2. I do not know of any pre-built scripts to change the modulus size; however, it would be relatively trivial to do with expect. You could deploy one command to avoid the interactivity:
crypto key generate rsa gen mod 800 -
Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?
Hi
Was anyone successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:
Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
The tunnel goes form the 881 to the Windows server (not from the client...).
Thanks
RolandHi Federico
Thanks for your help! Much appreciated.
In my case this should be transparent to the client - I would like not to initiate the connection from the client.
Does that makes sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
Regards
Roland -
Inter-vlan routing on CIsco 881 router ?
Hello, I have configured my 881 to perform inter-VLAN routing i.e. I am using ports 0-2 as tagged switch ports (with PC's plugged in and addressed on their relevant subnets) and port 3 as a trunk feeding in to port 4 as a router on stick configuration.
For some reason I am unable to ping between subnets. It seems the trunk is failing ?
Could someone please take a look and help me out. It must be something basic. This is driving me crazy.
p.s. I have entered 'switchport trunk encapsulation dot1q' on port 3 (the trunk) however it is not showing up.
Thank you kindly for any help.
Building configuration...
Current configuration : 1564 bytes
! Last configuration change at 22:45:55 UTC Wed Apr 29 2015
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
ip flow-cache timeout active 1
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FGL171824DY
interface FastEthernet0
switchport access vlan 10
no ip address
interface FastEthernet1
switchport access vlan 10
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
switchport trunk native vlan 15
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet4
no ip address
ip flow ingress
ip flow egress
duplex auto
speed auto
interface FastEthernet4.1
encapsulation dot1Q 15 native
ip address 192.168.15.1 255.255.255.0
interface FastEthernet4.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
interface FastEthernet4.10
encapsulation dot1Q 10
ip address XXX.XXX.XXX.XXX 255.255.255.252 <== altered to block public ip address details
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip default-gateway XXX.XXX.XXX.XXX <== altered to block public ip address details
ip forward-protocol nd
no ip http server
no ip http secure-server
ip flow-export source FastEthernet4
ip flow-export version 5 origin-as
ip flow-export destination 192.168.247.232 9996
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX <== altered to block public ip address details
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
endAre you able to provide a diagram please? Having trouble understanding what you are trying to do.
-
HOME#sho run
Building configuration...
Current configuration : 5657 bytes
! Last configuration change at 10:51:11 UTC Fri May 17 2013 by admin
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HOME
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$bgx9$VrtQW3Wg182VyYhKAHLbN.
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-1190003239
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1190003239
revocation-check none
rsakeypair TP-self-signed-1190003239
crypto pki certificate chain TP-self-signed-1190003239
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313930 30303332 3339301E 170D3133 30353137 31303333
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393030
30333233 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C002 80BBF151 E095E469 AA7DBB18 2A9E3CC2 4AC223F6 ABE0AF49 876C1203
65D0E246 786F174D E5B7897A 44C5755A 2571E58A 184A6C62 DD992A2A D8A24878
25A8D3C3 03F5D3C2 522EC8BB 302B0CCD 2945087A 7AF01418 D0056679 6F64DB4A
BE2D5DA1 106CD03A 83B422A2 3CCBAE88 F2413123 12269390 6949DFE0 411118E7
8F210203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12484F4D 452E7777 772E7961 686F6F2E 636F6D30 1F060355
1D230418 30168014 3D2D854D 1203F50D 77F4ABC5 B61CEAF6 C922F4DF 301D0603
551D0E04 1604143D 2D854D12 03F50D77 F4ABC5B6 1CEAF6C9 22F4DF30 0D06092A
864886F7 0D010104 05000381 8100B24C 48BACACE 87ADEA03 386F2045 CC89624A
4EB1AD09 062EB2A4 CF4C96CA 0B2CF001 BD2C3804 8DC47FED 6A5B5F0D 3965AC6E
4FC4682F 707E4132 8F27C083 C7FAE1BD 21D055E6 C79D5DAD 051B6321 D35DB4F2
044E6BBD DAD08B6A 6ED87C7E 08F4F7E1 4EFDFB6F 867AF6FA 84165CFC D219D56F
A82EABD4 AD9CFA24 A5088145 E571
quit
ip source-route
ip routing protocol purge interface
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
domain-name www.google.com
dns-server 192.168.1.1
lease 0 2
ip cef
ip domain name www.yahoo.com
ip name-server 84.235.6.55
ip name-server 84.235.57.230
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1516933C
username admin privilege 15 password 0 cisco
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
interface Vlan2
no ip address
ip nat inside
ip virtual-reassembly
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
banner motd ^Cuthorized ^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password cisco
logging synchronous
login local
transport input telnet ssh
scheduler max-task-time 5000
endHOME#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
HOME#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 192.168.1.120 YES DHCP up up
NVI0 10.10.10.1 YES unset up up
Vlan1 10.10.10.1 YES NVRAM down down
Vlan2 unassigned YES NVRAM down down
HOME#
fast ethernet is connected to my internet connection
Maybe you are looking for
-
Continuous Beeping noise on Startup and at other times
My iMac is over a year old. I have no idea what is wrong or happening here but below is what happens. I hear a continuous beeping noise from my iMac at times. I had Firefox open and when it started beeping, a little search bar opened up at the bottom
-
How to combine two dataModel in one JTable
rs = stat.executeQuery(query); model = new ResultSetTableModel(rs); <--- a class to create AbstractTable Model JTable table = new JTabel(model) will show only the data inside the model I want to append some new information How to do??
-
I urgently need to convert a word file to Pdf and cant do so. Please assist me as soon as possible to do this. Every time I try to sign in all I get is two options to upgrade which I dont want. I have attended to the account so please urgently assis
-
Session State Protection invalid Checksum errors show valid checksum
Hi, I am investigating Session Sate Prtection to let me make my appications more secure. I have created a simple Report / Form pair that allows me to open an item for edditing. I have set the Application to Session State Protection 'Enabled' and and
-
DPS - use folios completely offline
Hi, I use InDesign CS5.5 for creating folios playable on iPad via the Digital Publishing Suite, it works pretty good and the benefit system for my client is that once the folio loaded on the iPad in Content Viewer it can be viewed offline, no need in