Hi pdriver,

I have disabled the acl 100 in and 101 in but i dont know what you mean by CBAC ?

internet is working again now but for how long ??

this happened before ... it worked then slowly blocked and no http?

Phish#sh startup-config

Using 1818 out of 196600 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Phish

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$mUiL$Wp/m0Ciaigy4nQA77SeI0.

enable password *********

!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.30

!

ip dhcp pool insudeDHCP

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

!

!

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description WAN$FW_OUTSIDE$

mac-address 0012.1742.1fe9

ip address dhcp

ip access-group 101 in

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

speed auto

full-duplex

no mop enabled

!

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80

!

access-list 1 permit 192.168.1.0 0.0.0.255

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

password *******

login

!

scheduler allocate 20000 1000

end

this is before applying johns settings

thanks

Hi garry,

remove ip inspect SDM_LOW out from you wan interface,

Do you say that you now have connection your WEB server?

hi,

yes i have internet again ? but no www routing to my server

will remove ip inspect SDM_LOW out now ... brb

thanks

ok done that ... removed ip inspect sdm low for http only

here is a port scan result

GRC Port Authority Report created on UTC: 2011-07-21 at 07:54:06

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,

                            119, 135, 139, 143, 389, 443, 445,

                            1002, 1024-1030, 1720, 5000

    2 Ports Open

   21 Ports Closed

    3 Ports Stealth

---------------------

   26 Ports Tested

Ports found to be OPEN were: 23, 80

Ports found to be STEALTH were: 135, 139, 445

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,

                   - NO unsolicited packets were received,

                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

Okay so can you now post your exisitng config:

Garry,

Its looks like you have removed the acl config instead of just removing the ip access-group statements, would be good to remove all ios sec just for the time being, but if you dont wish to do that, try the following.

int fa0/1

no ip access-group 100 in

add:

ip inspect name SDM_LOW http

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

no access-list 101

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.0.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 224.0.0.0 15.255.255.255 any

access-list 101 deny   ip any host 192.168.1.255

access-list 101 deny   ip any host 192.168.1.0

access-list 101 permit tcp any any eq www - ( or use public ip address)

access-list 101 deny   icmp any any redirect

access-list 101 deny   icmp any any mask-request

access-list 101 permit icmp any host x.x.x.x (public ip address)

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80

res

Paul

Hi Paul,

Sorry but I have been unable to make any posts from my network on the 1841 ??

And today is the first day I have been able to use my iPhone on this forum too?

I tried your setting and I lost all Internet access so I have wiped and restarted as i feel the iOS security was an issue

So I am back with a default config again and I now have Internet access yet again.

My server is accessible from my iPhone on 3G but not using Internet to my domain name on my pc that

Is on the 1841 network though I can access my server on my internal LAN?

Will try and get the basic config up for you in the next few hrs.

Thanks for your time.

Hi,

I think i have found the reason for all of this not being able to call my www up from my external address.

It's an DNS issue...sort of, as well as a consumer router issue...sort of.

Essentially, most businesses are using running their own DNS server so you just need to put the appropriate entries into DNS but it probably doesn't need to be the full domain, just the name (exmaple, "mailserver" instead of "mailserver.domain.com").

Most consumer routers have a loopback style feature that will allow you to resolve back to internal devices using the external IP address or DNS name

Essentially, most businesses are using running their own DNS server so you just need to put the appropriate entries into DNS but it probably doesn't need to be the full domain, just the name (exmaple, "mailserver" instead of "mailserver.domain.com").

Most consumer routers have a loopback style feature that will allow you to resolve back to internal devices using the external IP address or DNS name.

I believe that some thing like this would correct this ? correct me please if need be ...

Then just make sure your DNS server match your routers internal IP in your DHCP scope.