Cisco 881 setup

Good evening all,

 

I am presently working with an old Cisco 881 router. I have reset it to factory and begun the initial configuration. All interfaces are receiving/sending DHCP. However, I cannot seem to get traffic out of the router. I have the default route set to FastEthernet4 where my internet connection is.

 

Guidance would be very helpful at this point.


Hello,

 

here is a basic sample configuration. If you don't get it to work, post what you have so far, and we can fill in the necessary bits and pieces:

 

ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
no ipv6 cef
!
ip tcp synwait-time 10
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex full
speed 100
!
interface Vlan1
description LAN
ip address 192.168.100.1 255.255.255.0
ip nat inside
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
!
access-list 1 permit 192.168.100.0 0.0.0.255

The original poster has not provided much detail for us to work with, so it is difficult for us to give good advice. The example provided by Georg is an excellent place to start. If that does not enable the original poster to solve the issue, then the original poster needs to provide detail of how the 881 is configured. In my experience there are two issues that are frequently involved when the issue is described as traffic not going from the router to outside. These are an incorrectly configured default route or incorrectly configured NAT. So I suggest that the original poster pay particular attention to those parts of the config provided by Georg.

 

HTH

 

Rick


Once I figure out how to pull the configuration from the old winXP box connected to the router I will get it posted. For some reason I have been unable to connect to it with anything except that machine. I'm pretty sure the firmware needs an update pretty badly as well. I will review the setting provided and see where my configuration differs.


Here is my current config.

 

It looks like I need to get NAT configured and FE4 configured as outside. See anything else?

 

creston#show running-config
Building configuration...

Current configuration : 7351 bytes
!
! Last configuration change at 03:02:28 UTC Thu Jan 18 2018 by joe
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname creston
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1590039077
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1590039077
 revocation-check none
 rsakeypair TP-self-signed-1590039077
!
!
crypto pki certificate chain TP-self-signed-1590039077
 certificate self-signed 01
        quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.7 10.10.10.254
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   dns-server 75.75.75.75
   lease 0 2
!
ip dhcp pool ccp-pool1
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
!
ip cef
ip domain name grhousing.org
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX1510031T
!
!
username joe privilege 15 secret 5 $1$/TtG$81p.1/60Y7tn74gR71p7T/
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security out-zone
 duplex auto
 speed auto
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 zone-member security in-zone
 ip tcp adjust-mss 1452
 !
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
 !
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS


Here are the Cisco IOS commands.


username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Hello,

 

I have simplified your configuration, the below should get you Internet connectivity. Once you have that, we can add (if necessary) the zone based firewall back:

 

Important/essential parts are marked in bold:

 

Current configuration : 7351 bytes
!
! Last configuration change at 03:02:28 UTC Thu Jan 18 2018 by joe
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname creston
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1590039077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1590039077
revocation-check none
rsakeypair TP-self-signed-1590039077
!
!
crypto pki certificate chain TP-self-signed-1590039077
certificate self-signed 01
quit
ip source-route
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
ip cef
ip domain name grhousing.org
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX1510031T
!
username joe privilege 15 secret 5 $1$/TtG$81p.1/60Y7tn74gR71p7T/
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
!
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255

access-list 23 permit 10.10.10.0 0.0.0.7
!
no cdp run
!
control-plane
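
The two usual causes named earlier in the thread (default route and NAT) can be checked mechanically against a saved running-config. The script below is an added example, not code from any poster in this thread: `audit_nat` is a hypothetical helper and `BEFORE` is a constructed sample condensed from the first configuration posted. It assumes standard numbered ACLs and default routes that name an exit interface.

```python
import ipaddress
import re

# Constructed sample, condensed from the first configuration posted in the thread.
BEFORE = """\
interface FastEthernet4
 ip address dhcp
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 23 permit 10.10.10.0 0.0.0.7
"""

def audit_nat(config):
    """Hypothetical helper: findings on NAT marking, the overload rule and default routes."""
    iface, nets, acls, rules, exits = None, {}, {}, [], set()
    marks = {"inside": set(), "outside": set()}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line):
            nets[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(r"ip nat (inside|outside)", line):
            marks[m[1]].add(iface)
        elif m := re.fullmatch(r"access-list (\d+) permit ([\d.]+) ([\d.]+)", line):
            # IOS wildcard masks are host masks, which ip_network() accepts
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := re.fullmatch(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            rules.append((m[1], m[2]))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", line):
            exits.add(m[1])  # default routes that name an exit interface
    found = [f"no interface has 'ip nat {k}'" for k, v in marks.items() if not v]
    if not rules:
        found.append("no 'ip nat inside source list ... overload' rule")
    for acl, out_if in rules:
        if out_if not in marks["outside"]:
            found.append(f"NAT rule exits {out_if}, which lacks 'ip nat outside'")
        for name in sorted(marks["inside"]):
            net = nets.get(name)
            if net and not any(net.subnet_of(a) for a in acls.get(acl, [])):
                found.append(f"access-list {acl} does not cover {name} ({net})")
    found += [f"default route exits inside interface {t}" for t in sorted(exits & marks["inside"])]
    if len(exits) > 1:
        found.append("more than one default-route exit: " + ", ".join(sorted(exits)))
    return found

if __name__ == "__main__":
    print("\n".join(audit_nat(BEFORE)))
```

Run against the condensed first configuration it reports the missing NAT marking, the missing overload rule and the two competing default routes; a configuration shaped like the simplified one in the last reply produces no findings.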
