06-03-2015 01:54 PM - edited 03-05-2019 01:36 AM
Hi everyone,
I have to configure a (very) old device - Cisco model 876 - to adapt it to the latest changes in our local network.
The C876 was last configured and provided with passwords 7 years ago. These old passwords are lost and I had to fully reset the router.
Unfortunately I am a beginner with respect to Cisco routers, and after several days without successful access to the internet from the local network I decided to post my request here. I would be grateful for any help. It is an easy task for an advanced Cisco user, I assume.
I will describe the situation:
* Cisco 876 router *
- Access to the device is possible via console cable, SDM or Cisco Configuration Assistant
- VLAN1 owns the IP 192.168.1.1, subnet is 255.255.255.0
* Internet *
- internet is available from another router, THOMSON. The C876 shall be connected via LAN with THOMSON and thus with the internet
- the complete local network shall access the internet via C876 connected to THOMSON
- THOMSON runs a gateway under IP XYZ.ABC.DEF.1, subnet 255.255.255.248
- VLAN1 shall be protected from outside attacks by a firewall
* Optional, but also important *
- port forwarding shall be set up at the C876 for 3 ports for a VoIP device inside the local network with IP 192.168.1.25
- if possible, the VoIP device shall be accessible from the internet directly. A global IP XYZ.ABC.DEF.5 provided by the ISP is available at THOMSON. At the moment I cannot imagine a solution with the described setup. Do you know a possible approach?
So far I have configured a VLAN2 at the C876 with IP XYZ.ABC.DEF.2, subnet 255.255.255.248 and connected THOMSON there. Maybe this was already a bad approach? All further activities to provide internet access to the local network by this approach unfortunately failed.
I would really appreciate your support. Time is pressing a little.
Ideally you could provide a configuration-file which I can upload on the C876. But any hints are also absolutely fine!
Thanks for your support.
Best regards
Jan
06-04-2015 11:30 AM
Post your existing configuration.
06-05-2015 11:53 AM
Dear KWillacey_2,
Thanks for your reply. With a little delay, the configuration follows with this entry (I have deleted irrelevant information such as yahoo-server data etc.).
Looking forward to your suggestions.
Jan
Current configuration : 9581 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router_cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret
enable password
!
no aaa new-model
!
resource policy
!
ip cef
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
isdn switch-type basic-1tr6
!
crypto pki trustpoint TP-self-signed-3229079632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3229079632
revocation-check none
rsakeypair TP-self-signed-3229079632
!
!
crypto pki certificate chain TP-self-signed-3229079632
certificate self-signed 01
30820244 ...
... F3767456
quit
username admin privilege 15 password 0
!
!
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
match req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-app-nonascii
log
reset
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
service-policy http sdm-action-app-http
class type inspect sdm-protocol-smtp
inspect
service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn switch-type basic-1tr6
isdn point-to-point-setup
no cdp enable
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 2
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
shutdown
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan2
description $FW_OUTSIDE$
ip address XYZ.ABC.DEF.5 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 2 interface Vlan2 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip XYZ.ABC.DEF.0 0.0.0.7 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password
login local
transport input telnet ssh
!
scheduler max-task-time 5000
no process cpu extended
no process cpu autoprofile hog
end
06-15-2015 12:49 PM
The NAT configuration looks fine but I don't see a default route to the Internet. Was this omitted from the configuration? I don't have much knowledge about zone-based firewalls, but you can remove the configuration from the interfaces and see if that helps.
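An added example (not from this thread or from Cisco) that puts the default route KWillacey_2 asked about next to the port-forwarding and firewall pieces Jan requested, using the addresses from the posted config. PORT_A, PORT_B, PORT_C and the choice of UDP are placeholders, since the thread never names the VoIP ports or protocol.

```ios
! --- 1. Default route towards the THOMSON gateway named in the first post ---
ip route 0.0.0.0 0.0.0.0 XYZ.ABC.DEF.1
!
! --- 2. Forward three ports to the VoIP device 192.168.1.25 ---
! The posted config places XYZ.ABC.DEF.5 on Vlan2, so the forwards are reached
! through whatever address Vlan2 carries. Ports and protocol are placeholders.
ip nat inside source static udp 192.168.1.25 PORT_A interface Vlan2 PORT_A
ip nat inside source static udp 192.168.1.25 PORT_B interface Vlan2 PORT_B
ip nat inside source static udp 192.168.1.25 PORT_C interface Vlan2 PORT_C
!
! --- 3. Let only those ports in from the Internet ---
! The posted config has no out-zone -> in-zone zone-pair, so the zone-based
! firewall drops unsolicited inbound packets before the static NAT entries
! above can be used. Inbound packets are classified after NAT translation,
! so the ACL names the inside address. Everything else stays dropped and logged.
ip access-list extended VOIP-INBOUND
 permit udp any host 192.168.1.25 eq PORT_A
 permit udp any host 192.168.1.25 eq PORT_B
 permit udp any host 192.168.1.25 eq PORT_C
!
class-map type inspect match-all VOIP-INBOUND-CLASS
 match access-group name VOIP-INBOUND
!
policy-map type inspect VOIP-INBOUND-POLICY
 class type inspect VOIP-INBOUND-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect VOIP-INBOUND-POLICY
!
! --- 4. Management hardening for two settings visible in the posted config ---
! (it has "no service password-encryption" and "transport input telnet ssh")
service password-encryption
line vty 0 4
 transport input ssh
```

The existing sdm-zp-in-out pair still inspects outbound sessions, so replies to the LAN continue to work without any extra rule.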