08-06-2012 01:42 AM - edited 03-11-2019 04:38 PM
Hello,
For the moment we have a Linksys RV042 router, and we want to replace it with a Cisco 891 router.
I have configured our new Cisco 891 router using Cisco Configuration Professional because I am not a Cisco expert:
I have configured: DHCP, DNS, NAT, Firewall (I have selected: Advanced, Low Security). (Please look in the attachments.)
I have tested the new router and:
- Internet is working
- We can send and receive emails from Outlook
- Our web sites can be accessed from the outside.
- File share is working
We have 2 problems:
1. Can't access from inside the network our public IPs configured in the NAT: **.***.**.150.
When we try: ping **.***.**.150, we receive: Request Timed Out.
When we try ping 192.168.1.2, everything is ok.
When we try ping from outside the network, everything is ok.
Can somebody help me?
PS: I want to mention that if I put back the old router I can access our public IPs.
2. When I send emails to Yahoo and access View Full Header I receive: dkim=temperror (key retrieval failed)
------------------------------------------------------------------
Received-SPF: pass (domain of ********.com
designates **.***.**.150 as permitted sender)
Authentication-Results: mta1036.mail.ac4.yahoo.com from=********.com; domainkeys=pass (ok); from=********.com; dkim=temperror (key retrieval failed)
Received: from 127.0.0.1 (EHLO mail.********.com ) (**.***.**.150)
by mta1036.mail.ac4.yahoo.com with SMTP; Sat, 04 Aug 2012 01:48:53 -0700
DomainKey-Signature: a=rsa-sha1; c=simple; q=dns; d=********..com ; s=applications;
------------------------------------------------------------------
I think our email server (Smarter Email) is using the IP address 127.0.0.1 (please look in the attachment) and this IP is restricted by the firewall (CCP in-zone to out-zone: Drop: 127.0.0.0/0.255.255.255) (generated by Advanced firewall > Low Security).
How can I make that work? Can I delete that row?
Thanks
08-16-2012 09:24 PM
Hi Bro
Why do you need to PING the Static NAT Public IP from the LAN? Can you put a simple network diagram here, so that everyone else can assist you, and state what you are trying to achieve?
If Linksys can do this, so can Cisco :-)
08-17-2012 12:59 AM
Hi,
No, an 891 router can't do NAT hairpinning, so it won't work. There are some workarounds like using FQDN or using NAT on a stick (but I've never configured this one and I heard it can be more trouble than what it tries to solve).
Regards.
Alain
Don't forget to rate helpful posts.
08-17-2012 03:57 AM
I need this because in the web site configurations, for example for the database connection, there is a public IP (this helps remote users and local users to work on the same source code).
But we can live without this for the moment.
08-17-2012 04:03 AM
Hi Bro
You could refer to this URL for further details: http://blog.instruosolutions.com/2012/01/07/dns-doctoring-technique-on-cisco-routers/
08-17-2012 04:29 AM
Thanks for the answer.
Now I have other problems:
After configuring NAT, IP, DHCP, IPS and Firewall, in the production environment the 891 router works very slowly.
1. (Example 1, Test Download) When I try to download a file from the internet (~100 Mb): at first it shows the download rate 2 Mb/s, then 1 Mb/s, then 600 Kb/s, and then the download stops. Is this possible?
2. (Example 1, Test Upload) Then I uploaded a file.zip (~30 Mb) to our server (**.***.**.150) in the public wwwroot. Then I tried to download this file from another place over the internet and it's the same problem.
3. There are no problems inside the network for the transfer (120 Mbs). (There is a Cisco Gigabit switch.)
If I put back the RV042, everything is ok: the download is ~2 Mb/s and in 1-2 minutes the download is finished.
Our internet provider bandwidth is up to 15 Mb/s.
I want to mention that I can access web sites like Google and Yahoo without problems. The problems begin when I try to download files over the internet larger than 3 - 5 Mb.
In the middle of the day the bandwidth we need is ~7 Mb/s upload (there are servers: Email, DNS, Web) and maximum 1 Mb/sec download.
I looked in Cisco Configuration Professional and: the bandwidth is 3 - 5 %, Processor: 30 - 40 %, Memory: 40 - 50 %.
Any ideas?
08-17-2012 05:43 AM
I made more tests and I want to ask: is there an IPS rule that fragments the download? Because when I hit retry download again, the download starts, then the browser downloads 5 - 10 Mb and then stops.
It seems like the traffic is fragmented into pieces of maximum 10 Mb, for example.
It's very strange.
08-17-2012 06:01 AM
Here is my configuration
Building configuration...
Current configuration : 11684 bytes
!
! Last configuration change at 15:49:55 PCTime Fri Aug 17 2012 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hsdf3ra
!
boot-start-marker
boot system flash:/c890-universalk9-mz.152-4.M1.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $3$gadds3asdfasdfa435345dfg1OGtVM060DY/
!
no aaa new-model
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-41548103
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-41548103
revocation-check none
rsakeypair TP-self-signed-41548103
!
!
crypto pki certificate chain TP-self-signed-41548103
certificate self-signed 01
quit
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server xx.xx.xx.1 xx.xx.xx.1
default-router 192.168.1.1
!
ip dhcp pool work1
host 192.168.1.4 255.255.255.0
client-identifier 0148.ac5f.9708.df
!
ip dhcp pool s25
host 192.168.1.15 255.255.255.0
client-identifier 01568.7gh4.bgf5.71
!
ip dhcp pool Hods01
host 192.168.1.2 255.255.255.0
client-identifier 0rt4.a672.8569.3f
!
ip dhcp pool s2
host 192.168.1.11 255.255.255.0
client-identifier 0560.17c4.a236.e1
!
!
!
no ip bootp server
ip domain name dsfg.com
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip ips config location flash:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn F451d12fghSX
!
!
username admin privilege 15 secret 5 sdfasdf
username admin2 privilege 15 secret 5 asdsdf
!
redundancy
!
!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
quit
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat--4
match access-group 104
class-map type inspect match-all sdm-nat--1
match access-group 101
class-map type inspect match-all sdm-nat--2
match access-group 102
class-map type inspect match-all sdm-nat--3
match access-group 103
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name N100at
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol ms-sql
match protocol ms-sql-m
match protocol sqlsrv
match protocol sqlserv
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
inspect
class type inspect sdm-nat--3
inspect
class type inspect sdm-nat--2
inspect
class type inspect sdm-nat--4
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description $ES_WAN$$FW_OUTSIDE$
ip address xx.xx.xx.157 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
!
!
ip nat inside source list 1 interface FastEthernet8 overload
ip nat inside source static 192.168.1.11 xx.xx.xx.146
ip nat inside source static 192.168.1.12 xx.xx.xx.147
ip nat inside source static 192.168.1.4 xx.xx.xx.148
ip nat inside source static 192.168.1.2 xx.xx.xx.150
ip route 0.0.0.0 0.0.0.0 FastEthernet8
!
ip access-list extended N100at
remark CCP_ACL Category=128
permit ip host 127.0.0.1 any
ip access-list extended Nat100
remark CCP_ACL Category=128
permit ip any host xx.xx.xx.150
permit ip any host xx.xx.xx.148
!
ip sla auto discovery
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.xx.xx.128 0.0.0.127 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.4
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.11
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.12
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
!
end
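As an added example (not from the thread and not Cisco's code), here is a small Python model of the posted policy-map ccp-inspect that evaluates an in-zone to out-zone flow against its classes in the configured order. It shows that a packet sourced from 127.0.0.1 is dropped by ccp-invalid-src before the ccp-cls-ccp-inspect-1 class (ACL N100at, which permits that host) is ever consulted, so the extra permit has no effect while ACL 100 keeps its loopback line. The masked xx.xx.xx.128/25 range is stood in for by the 203.0.113.128/25 documentation range, and the voice classes (sip, h323*, skinny) are left out.

```python
import ipaddress

MASK = 0xFFFFFFFF

# Constructed excerpt of the posted running config (IOS wildcard masks).
# 203.0.113.128/25 is a placeholder for the masked public xx.xx.xx.128/25.
ACL_100 = [  # class-map ccp-invalid-src: sources that must never come from in-zone
    ("255.255.255.255", "0.0.0.0"),
    ("127.0.0.0", "0.255.255.255"),
    ("203.0.113.128", "0.0.0.127"),
]
ACL_N100AT = [("127.0.0.1", "0.0.0.0")]  # class-map ccp-cls-ccp-inspect-1

# policy-map ccp-inspect (zone-pair in-zone -> out-zone) in posted order;
# the first matching class decides. Voice classes are omitted in this model.
POLICY_CCP_INSPECT = [
    ("ccp-invalid-src",       ("acl", ACL_100),    "drop log"),
    ("ccp-cls-ccp-inspect-1", ("acl", ACL_N100AT), "inspect"),
    ("ccp-protocol-http",     ("proto", {"http"}), "inspect"),
    ("ccp-insp-traffic",      ("proto", {"dns", "ftp", "https", "icmp", "imap",
                                         "pop3", "smtp", "tcp", "udp"}), "inspect"),
    ("class-default",         None,                "drop"),
]


def acl_matches(acl, src):
    """IOS wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for addr, wild in acl:
        a = int(ipaddress.IPv4Address(addr))
        keep = ~int(ipaddress.IPv4Address(wild)) & MASK
        if (s & keep) == (a & keep):
            return True
    return False


def in_to_out_verdict(src, proto):
    """Return (class name, action) the posted policy applies to an in->out flow."""
    for name, match, action in POLICY_CCP_INSPECT:
        if match is None:
            return name, action
        kind, arg = match
        if (kind == "acl" and acl_matches(arg, src)) or (kind == "proto" and proto in arg):
            return name, action


if __name__ == "__main__":
    # Loopback-sourced traffic is dropped by the anti-spoofing class first,
    # so the N100at permit for 127.0.0.1 is never reached.
    print(in_to_out_verdict("127.0.0.1", "udp"))     # ('ccp-invalid-src', 'drop log')
    print(in_to_out_verdict("192.168.1.2", "http"))  # ('ccp-protocol-http', 'inspect')
    print(in_to_out_verdict("192.168.1.2", "smtp"))  # ('ccp-insp-traffic', 'inspect')
```

Removing the loopback line from ACL 100 would let such traffic reach N100at, but it also removes the anti-spoofing check that the Low Security template put there, so the LAN-side source of the 127.0.0.1 traffic is worth confirming first.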