11-24-2010 04:08 PM - edited 03-04-2019 10:34 AM
I have just purchased an 887 ADSL Router to replace my ageing Netgear and have never set up one of these before. I have a small amount of experience with a PIX-501 firewall.
I followed the start-up wizard and entered all the details as I understand them from my ISP. I have a static IP, but I set the WAN address type as IP Negotiated as I do not know the IP address, and on my old modem I had it set to DHCP and it worked OK.
My provider told me I was connected, but I could not browse. Using the built-in interface to ping, it timed out and got no responses.
Where should I be looking to rectify this issue?
11-25-2010 12:14 AM
Hi Ronnie
If possible, use HyperTerminal and log onto the router using the console port, then issue show run to capture the running config. Once you are done, post the show run here so that it can be checked for any config issues.
In addition to the above, you can check whether you are getting any IP on the WAN interface when your router is connected using the show ip interface brief command; you need to use the console/HyperTerminal to do this.
regds
11-25-2010 12:24 AM
11-25-2010 01:01 AM
Hi
Whenever you post your config do mask the public ip/passwords etc.
When you try to access the hosts on port 5721, are you able to see any NAT translation in the NAT table?
You can verify this using the show ip nat translation command; you can also check the logs for any possible errors using the show logs command.
The NAT statements which I see in the config file are very similar, and I don't see any reason for it if the other statements are functioning well.
regds
11-25-2010 01:07 AM
I have an idea; my NAT settings are below:
443, 80, 25, and 8456 all work, but 3389, 5060 and 5721 do not.
What does the line "ip nat inside source list 1 interface Dialer0 overload" accomplish? This seems to be causing the problem.
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.7 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.12 8456 interface Dialer0 8456
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
ip route 0.0.0.0 0.0.0.0 Dialer0
11-25-2010 01:37 AM
Hi
NAT overload is related to the outgoing traffic from the rest of your network hosts/devices. It's required; otherwise you won't be able to get out to the internet world.
regds
11-25-2010 01:44 AM
Hi,
ip nat inside source list 1 interface Dialer0 overload
This permits inside host addresses to be NATted to the IP address of your WAN, so this is what enables you to initiate connections from your LAN to the outside.
Can you surf the web? Are only some static NAT mappings not working?
Can you connect with a console cable, or telnet from inside to the router?
11-25-2010 02:49 AM
I discovered it was needed when I deleted the line. I reset the router to default settings and now I'm back to no Internet access. How do I get Internet back, and my NAT working? Config below:
cctrouter01#show running-config
Building configuration...
Current configuration : 7659 bytes
!
! Last configuration change at 21:38:14 PCTime Thu Nov 25 2010 by cct
! NVRAM config last updated at 21:26:54 PCTime Thu Nov 25 2010 by cisco
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$WQ.u$cyKufcQZ0iiJMeezqHs8p/
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-241047421
revocation-check none
rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
certificate self-signed 01
quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 203.12.160.35
ip name-server 203.12.160.36
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK142879H9
!
!
username cct privilege 15 secret 5 $1$d3QK$bITDaHHuxYeKjZOtrk26M.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 27.32.146.114 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname cctbgo
ppp chap password 7 111D09024640585851
ppp pap sent-username cctbgo password 7 09585E0E485744465E
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 27.32.146.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
11-25-2010 03:21 AM
Hi,
Is this your current running config?
Can you surf the internet now? But as you have no more static NAT, you can't access servers in your LAN from outside?
Regards.
11-25-2010 03:54 AM
With that configuration I could do nothing. No browsing, so no NAT either.
I managed to use the Cisco Configuration Professional tool to reload my saved Notepad file, and here I am, back with the NAT problem I mentioned earlier.
11-25-2010 05:02 AM
OK,
Do a clear ip nat translation * to get rid of your dynamic PAT in the output, and then do a sh ip nat translation and post it here.
Put this in your config: ip inspect log drop-pkt and logging buffered 7.
Do a clear log, then try to communicate with the problematic host and do a show log as well as a sh ip nat translation and sh ip nat statistics,
and give us the output of all these.
Regards.
11-25-2010 05:04 AM
I should have said I'm a bit of a beginner. Can you please post each command line by line so I know what to do?
11-25-2010 05:23 AM
I think I worked it out:
cctrouter01#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 27.32.146.114:5060 192.168.1.3:5060 --- ---
tcp 27.32.146.114:25 192.168.1.4:25 --- ---
tcp 27.32.146.114:443 192.168.1.4:443 --- ---
tcp 27.32.146.114:3389 192.168.1.4:3389 --- ---
tcp 27.32.146.114:80 192.168.1.7:80 --- ---
tcp 27.32.146.114:5721 192.168.1.7:5721 120.151.100.122:23515 120.151.100.122:23515
tcp 27.32.146.114:5721 192.168.1.7:5721 125.255.127.190:59562 125.255.127.190:59562
tcp 27.32.146.114:5721 192.168.1.7:5721 203.17.42.115:3956 203.17.42.115:3956
tcp 27.32.146.114:5721 192.168.1.7:5721 203.45.78.2:14639 203.45.78.2:14639
tcp 27.32.146.114:5721 192.168.1.7:5721 --- ---
tcp 27.32.146.114:8456 192.168.1.12:8456 196.210.165.191:50843 196.210.165.191:50843
tcp 27.32.146.114:8456 192.168.1.12:8456 207.161.62.238:51567 207.161.62.238:51567
tcp 27.32.146.114:8456 192.168.1.12:8456 --- ---
udp 27.32.146.114:8456 192.168.1.12:8456 95.215.62.26:80 95.215.62.26:80
udp 27.32.146.114:58306 192.168.1.20:58306 192.168.8.141:161 192.168.8.141:161
----------------------------------------------------------------------
cctrouter01#show log
Syslog logging: enabled (0 messages dropped, 14 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level critical, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 37 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level debugging, 90 message lines logged
Log Buffer (4096 bytes):
class)-(ccp-zp-out-self:class-default)
000062: *Nov 26 00:20:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 112.206.43.217:50023 => 27.32.146.114:8456 (target:class)-(ccp-zp-out-self:class-default)
000063: *Nov 26 00:20:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 182.208.94.163:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000064: *Nov 26 00:20:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 96.26.137.166:47562 => 27.32.146.114:8456 (target:class)-(ccp-zp-out-self:class-default)
000065: *Nov 26 00:20:24.655 PCTime: %FW-6-DROP_PKT: Dropping icmp session 62.122.131.135:0 192.168.1.12:0 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
000066: *Nov 26 00:20:54.867 PCTime: %FW-6-DROP_PKT: Dropping udp session 209.89.219.88:12784 27.32.146.114:8456 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000067: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 210.23.137.90:4708 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000068: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 219.74.109.10:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000069: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.214.128.54:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000070: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.17.42.115:3257 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000071: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.17.42.115:1807 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000072: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.17.42.115:4204 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000073: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 95.118.248.51:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000074: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.17.42.115:1492 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000075: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.214.128.54:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000076: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 219.74.109.10:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000077: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.17.42.115:2208 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000078: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.17.42.115:1792 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000079: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 218.220.152.75:8338 => 27.32.146.114:8456 (target:class)-(ccp-zp-out-self:class-default)
000080: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 3 packets were dropped from 203.17.42.115:2353 => 192.168.1.7:5721 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000081: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 219.78.77.130:25339 => 192.168.1.12:8456 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000082: *Nov 26 00:21:11.075 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.46.252.180:0 => 192.168.1.12:3 (target:class)-(sdm-zp-NATOutsideToInside-1:class-default)
000083: *Nov 26 00:21:26.203 PCTime: %FW-6-DROP_PKT: Dropping tcp session 210.23.137.90:3762 192.168.1.7:5721 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
----------------------------------------------------------------------
cctrouter01#sh ip nat statistics
Total active translations: 648 (0 static, 648 dynamic; 648 extended)
Peak translations: 721, occurred 00:59:58 ago
Outside interfaces:
Dialer0, Virtual-Access1
Inside interfaces:
Vlan1
Hits: 48139 Misses: 0
CEF Translated packets: 45844, CEF Punted packets: 1971
Expired translations: 7596
Dynamic mappings:
-- Inside Source
[Id: 8] access-list 1 interface Dialer0 refcount 605
Appl doors: 0
Normal doors: 0
Queued Packets: 0
11-25-2010 06:12 AM
Hi,
Can you try adding the keyword extendable to all your static NAT mappings, then clear your NAT table and retry.
What is happening now? If it is not working, then repost the shows I asked you for before, after clearing the logs and the NAT table and trying to communicate with port 5721.
Regards.
11-25-2010 06:31 AM
How do I add the keyword extendable to all the static NAT mappings?
How do I clear the NAT table?
Also: I have just noticed that 443 (https), 80 (http), and 25 (smtp) are all standard ports and work fine. And there is this line: "ip port-map user-protocol--1 port tcp 8456", and that port also works fine.
Is this a coincidence?
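A worked configuration, added here as an example and not posted by anyone in the thread: the show log output above shows the out-zone to in-zone zone-pair sdm-zp-NATOutsideToInside-1 dropping traffic to 192.168.1.7:5721 in class-default, while the ports that do work (80, 443, 25, and 8456 via user-protocol--1) are ones the zone-based firewall already has a protocol match for, so the NAT rules are fine and it is the inspect policy that never admits 3389, 5060 and 5721. The block re-enters the three failing forwards with the extendable keyword suggested above, gives each port a port-map like the existing one for 8456, and attaches an inspect policy that admits only the forwarded ports to the forwarded hosts. Assumptions: the ACL, class-map and policy-map names (FWD_SERVERS, FWD_PORTS, FWD_OUT_TO_IN, FWD_POLICY) are hypothetical, and the existing zone-pair is taken to be source out-zone destination in-zone as its name suggests.

```cisco
! Added example, not from the thread. FWD_* names are hypothetical;
! addresses and ports are the ones posted in the thread.
configure terminal
!
! 1. The failing forwards, re-entered with "extendable" as suggested above
!    (remove the old line first so the replacement is accepted cleanly)
no ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389 extendable
no ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060 extendable
no ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721 extendable
!
! 2. The firewall classifies by protocol, not by NAT rule: give the three
!    non-standard ports a port-map, as 8456 already has (user-protocol--1)
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--3 port tcp 5060
ip port-map user-protocol--4 port tcp 5721
!
! 3. Forwarded hosts by inside (post-NAT) address and port: the drop log
!    shows the zone-pair sees 192.168.1.7:5721, not 27.32.146.114:5721
ip access-list extended FWD_SERVERS
 permit tcp any host 192.168.1.4 eq 443
 permit tcp any host 192.168.1.4 eq 25
 permit tcp any host 192.168.1.4 eq 3389
 permit tcp any host 192.168.1.7 eq 80
 permit tcp any host 192.168.1.7 eq 5721
 permit tcp any host 192.168.1.3 eq 5060
 permit tcp any host 192.168.1.12 eq 8456
!
! 4. Only the forwarded protocols, and only to the hosts in the ACL
class-map type inspect match-any FWD_PORTS
 match protocol http
 match protocol https
 match protocol smtp
 match protocol user-protocol--1
 match protocol user-protocol--2
 match protocol user-protocol--3
 match protocol user-protocol--4
class-map type inspect match-all FWD_OUT_TO_IN
 match access-group name FWD_SERVERS
 match class-map FWD_PORTS
!
! 5. Inspect the forwards, keep dropping (and logging) everything else
policy-map type inspect FWD_POLICY
 class type inspect FWD_OUT_TO_IN
  inspect
 class class-default
  drop log
!
! 6. Attach it to the out->in zone-pair named in the drop log
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect FWD_POLICY
end
!
! 7. Verify: flush translations and the log, retry port 5721 from outside
clear ip nat translation *
clear logging
show ip nat translation
show logging
```

After a retry from outside, show ip nat translation should list an outside address against the 5721 entry instead of "---", and show logging should no longer report drops to 192.168.1.7:5721 on that zone-pair.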