Steve ....
Message:
--------------------------------------------------------------
I would add this to your config, I may have overlooked it but I did not see a gateway of last-resort.
ip route 0.0.0.0 0.0.0.0 dhcp
Also, on your original reply you mentioned that you were not getting an IP address. I seen that you were blocking 10.10.10.0, when you removed the ACL it worked.
"access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_11##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log"
Dependent on Cox network their DHCP/BOOTP servers may be on a 10.x.x.x network. Possibly the 10.10.10.x network you were blocking by your first ACL statement. I know TW I receive my IP via a 10.x address. Look below for reference.
Router871w#sh dhcp lease
Temp IP addr: 24.94.x.x for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.252.0
DHCP Lease server: 10.113.240.1, state: 5 Bound
DHCP transaction id: C3C
Lease: 43200 secs, Renewal: 21600 secs, Rebind: 37800 secs
Temp default-gateway addr: 24.94.x.x
Next timer fires after: 05:29:54
Retry count: 0 Client-ID: cisco-001b.8fxx.a2xx-Fxx
Client-ID hex dump: 636973636F2D303031622E386664332E
Verify for yourself with a "sh dhcp lease"
----------------------------------------------------------------------------------- Here it is:
yourname#sh dhcp lease
Temp IP addr: 192.168.1.6 for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.255.0
DHCP Lease server: 192.168.1.1, state: 3 Bound
DHCP transaction id: BF2
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 192.168.1.1
Next timer fires after: 11:25:56
Retry count: 0 Client-ID: cisco-0018.1849.a68a-Fa4
Client-ID hex dump: 636973636F2D303031382E313834392E
613638612D466134
Hostname: yourname
-------------------------------------------------------------------------------------------------------
You may want to place this first on any inbound ACL:
permit udp any eq bootps any eq bootpc ---- It gave me an error when I put this into the config
Also, when you do a deny ip any any, you need to configure the firewall feature in the IOS to allow connections that originate inside out.
Example:
ip inspect name FIREWALL tcp -- worked
ip inspect name FIREWALL udp -- wprked
interface FastEthernet4
ip inspect FIREWALL out -- worked
I did a wr after and rebooted
test out at 25 mb down about half of the other PC's
But a great improvement...
Heres the new running config:
yourname#sh config
Using 2914 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool mypool
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
ip cef
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-1837859499
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1837859499
revocation-check none
rsakeypair TP-self-signed-1837859499
!
!
crypto pki certificate chain TP-self-signed-1837859499
certificate self-signed 01 nvram:IOS-Self-Sig#3906.cer
username cisco privilege 15 secret 5 $1$IC4h$/C4XPpTV2sPLwL1OffScd/
username mark privilege 15 secret 5 $1$VJhP$7fvxL41Unrqb8fQGhu7W/1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
yourname#
