CISCO 3825 NAT help

I've recently acquired a Cisco 3825, and I'm having a really hard time getting public WAN to redirect to port 80 on a LAN box running Apache. I've run several "open port checks" online to see if the port ever became accessible via the internet. No luck. I've tried everything I've come across, and I have absolutely no idea how to do this. I keep breaking my connectivity and it's causing my wife much grief. Any help would be greatly appreciated!

So my setup is:

1) my gateway device
2) 3825
3) switch
4) a nix box 192.168.0.4 with apache
5) lan

My config (as messy as it appears to be)

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!

!
boot-start-marker
boot system flash:/c3825-advsecurityk9-mz.151-4.m6.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 emergencies
logging console critical
enable secret 5 $1$wmdL$GBG97JZorRpQlV0QCJHDc1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
!
!
!
ip cef
!
!
no ip bootp server
ip domain name ofy.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 192.168.0.4
ip ips config location flash: retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
!
!
multilink bundle-name authenticated

parameter-map type urlfpolicy trend cptrendparacatdeny0
 block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cplocclassurlfglobkdblock0

parameter-map type urlf-glob cpaddbnwlocparadeny1
 pattern .netflix.com


parameter-map type trend-global global-param-map
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
!
!
license udi pid CISCO3825 sn FCZ1250719K
archive
 log config
  hidekeys
username admin privilege 15 secret 5 $1$LyP6$XsLii2Yz/M8uTnLKrlSZJ/
!
redundancy
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub
  key-string
  quit
!
!
ip tcp selective-ack
ip tcp mss 10000
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type urlfilter match-any cpaddbnwlocclassdeny1
 match  server-domain urlf-glob cpaddbnwlocparadeny1
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match access-group name EVERYTHING
class-map type urlfilter trend match-any cptrendclasscatdeny0
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type urlfilter match-any cplocclasskdblock0
 match  url-keyword urlf-glob cplocclassurlfglobkdblock0
class-map type urlfilter trend match-any cptrendclassrepdeny0
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect ccp-cls-ccp-inspect-1
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
policy-map type inspect urlfilter badsite
 class type urlfilter cpaddbnwlocclassdeny1
  reset
  log
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-http-1
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
buffers tune automatic
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description **WAN**$ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip nat outside
 ip nat enable
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description **LAN**$ETH-LAN$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip nat inside
 ip nat enable
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface Content-Engine1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
router rip
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source list INSIDE_NAT_ADDR interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
no ip nat inside source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
no ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list standard INSIDE_NAT_ADDR
 permit 192.168.0.1 0.255.255.255
!
ip access-list extended EVERYTHING
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 deny   any
access-list 4 remark INSIDE_IF=GigabitEthernet0/1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.4
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
banner login ^CCCUnauthorized access prohibited.^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

1 Accepted Solution

Hello,

below is the sanitized configuration that should get you Internet connectivity. The Zone Based Firewall might still cause you trouble... do you really need that?

Either way, I have marked the important parts in bold:

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot system flash:/c3825-advsecurityk9-mz.151-4.m6.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 emergencies
logging console critical
enable secret 5 $1$wmdL$GBG97JZorRpQlV0QCJHDc1
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
!
ip cef
!
no ip bootp server
ip domain name ofy.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 192.168.0.4
ip ips config location flash: retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
multilink bundle-name authenticated

parameter-map type urlfpolicy trend cptrendparacatdeny0
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cplocclassurlfglobkdblock0

parameter-map type urlf-glob cpaddbnwlocparadeny1
pattern .netflix.com


parameter-map type trend-global global-param-map
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
!
!
license udi pid CISCO3825 sn FCZ1250719K
archive
log config
hidekeys
username admin privilege 15 secret 5 $1$LyP6$XsLii2Yz/M8uTnLKrlSZJ/
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
quit
!
!
ip tcp selective-ack
ip tcp mss 10000
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type urlfilter match-any cpaddbnwlocclassdeny1
match server-domain urlf-glob cpaddbnwlocparadeny1
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name EVERYTHING
class-map type urlfilter trend match-any cptrendclasscatdeny0
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type urlfilter match-any cplocclasskdblock0
match url-keyword urlf-glob cplocclassurlfglobkdblock0
class-map type urlfilter trend match-any cptrendclassrepdeny0
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-cls-ccp-inspect-1
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect urlfilter badsite
class type urlfilter cpaddbnwlocclassdeny1
reset
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
buffers tune automatic
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description **WAN**$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description **LAN**$ETH-LAN$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface Content-Engine1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
router rip
passive-interface GigabitEthernet0/0
passive-interface GigabitEthernet0/1
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended EVERYTHING
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 deny any
access-list 4 remark INSIDE_IF=GigabitEthernet0/1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.4
no cdp run
!
control-plane
!
banner login ^CCCUnauthorized access prohibited.^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
end

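As an added example (not code from the thread or from Cisco), a small Python lint that compares constructed excerpts of the poster's first and final configs and flags what the answer's highlighted lines change: the mixed NVI-style (`ip nat enable`) and domain-style (`ip nat inside`/`outside`) NAT on the interfaces, and the LAN port sitting in a security zone while the WAN port is in none. Interface names, the 192.168.0.4 host and the NAT rules come from the thread; the finding codes are my own.

```python
"""Lint the NAT and zone-based-firewall (ZBFW) parts of a Cisco IOS config.
Parses interface blocks and global 'ip nat ...' lines, then reports the
inconsistencies that keep a TCP/80 port-forward from working. BEFORE and
AFTER are constructed excerpts of the poster's first and final configs."""
import ipaddress
import re

BEFORE = """\
interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 no ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 no ip nat inside
 ip nat enable
 zone-member security in-zone
!
interface Content-Engine1/0
 no ip address
 ip nat inside
!
ip nat source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
"""
AFTER = """\
interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
"""
STATIC_RE = re.compile(
    r"^ip nat (?:(inside) )?source static tcp (\S+) (\d+) interface (\S+) (\d+)$")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse(config):
    """Split a config into {interface: [sub-commands]} plus the global lines."""
    interfaces, global_lines, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' or a blank line ends the current block
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return interfaces, global_lines


def lint(config):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    ifaces, glob = parse(config)
    findings = []
    nvi = {n for n, c in ifaces.items() if "ip nat enable" in c}
    inside = {n for n, c in ifaces.items() if "ip nat inside" in c}
    outside = {n for n, c in ifaces.items() if "ip nat outside" in c}
    # Connected IPv4 networks, to confirm the forwarded host sits behind a LAN port.
    lans = [ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            for c in ifaces.values() for x in c if (m := ADDR_RE.match(x))]
    # 1. NVI NAT ('ip nat enable' + 'ip nat source') and domain NAT ('ip nat
    #    inside/outside' + 'ip nat inside source') are separate mechanisms.
    if nvi and (inside | outside):
        findings.append(("MIXED_NAT_STYLE",
                         f"'ip nat enable' on {sorted(nvi)}, domains on {sorted(inside | outside)}"))
    # 2. A static port-forward must reference an interface in the right role for
    #    its style, and the forwarded host must be on a connected subnet.
    for line in glob:
        m = STATIC_RE.match(line)
        if not m:
            continue
        classic, host, _, wan_if, _ = m.groups()
        if classic and wan_if not in outside:
            findings.append(("STATIC_NO_OUTSIDE", f"{wan_if} lacks 'ip nat outside': {line}"))
        if classic and not inside:
            findings.append(("STATIC_NO_INSIDE", f"no 'ip nat inside' interface: {line}"))
        if not classic and wan_if not in nvi:
            findings.append(("STATIC_NO_NVI", f"{wan_if} lacks 'ip nat enable': {line}"))
        if not any(ipaddress.ip_address(host) in lan for lan in lans):
            findings.append(("HOST_NOT_CONNECTED", f"{host} is on no connected subnet"))
    # 3. ZBFW drops traffic between a zone member and a routed interface that is
    #    in no zone, so a zoned LAN port and an unzoned WAN port have no path.
    zoned = {n for n, c in ifaces.items() if any(x.startswith("zone-member security") for x in c)}
    routed = {n for n, c in ifaces.items() if any(x.startswith("ip address") for x in c)}
    if zoned and routed - zoned:
        findings.append(("ZBFW_UNZONED_INTERFACE",
                         f"{sorted(zoned)} zoned, {sorted(routed - zoned)} unzoned"))
    return findings
```

Running `lint(BEFORE)` reports the mixed NAT styles and the unzoned WAN port; `lint(AFTER)` reports nothing, which matches the poster's final working config.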

6 Replies

Hello,

before delving into your configuration: what is the gateway device? Is that another modem/router between the 3825 and the Internet?

It's a xFinity eMTA bridged directly to the 3825

I'd prefer to see this configuration as it would be from someone who inherently knows what should and shouldn't be there. I'm not overly concerned about a firewall. I really do appreciate it :-)

Well, I took your advice and removed the firewall.

What's ironic here is that my connectivity has improved, I have somewhat less latency, and port 80 is open. Man, you guys rock.

My new configuration:

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ORION
!
boot-start-marker
boot system flash:/c3825-advsecurityk9-mz.151-4.m6.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 emergencies
logging console critical
enable secret 5 $1$wmdL$GBG97JZorRpQlV0QCJHDc1
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
!
ip cef
!
no ip bootp server
ip domain name ofy.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 192.168.0.4
!
license udi pid CISCO3825 sn FCZ1250719K
archive
 log config
  hidekeys
username admin privilege 15 secret 5 $1$LyP6$XsLii2Yz/M8uTnLKrlSZJ/
!
redundancy
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub
  key-string
  quit
!
ip tcp selective-ack
ip tcp mss 10000
ip tcp synwait-time 10
no ip ftp passive
!
buffers tune automatic
!
interface GigabitEthernet0/0
 description **WAN**$ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description **LAN**$ETH-LAN$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
router rip
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.4 80 interface GigabitEthernet0/0 80
ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 deny   any
access-list 4 remark INSIDE_IF=GigabitEthernet0/1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.0.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CCCCUnauthorized access prohibited.^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hello,

actually there are a few more things in your configuration that might not be necessary. Do you need RIP to connect to something on your internal network?

What is the Internet speed you get from your provider? Since you say you experience latency (and assuming you don't have a 1000Mbit connection), a simple traffic shaping policy might help. Can you post the output of 'show interfaces GigabitEthernet0/0', to see if there is congestion on the interface?
