887W changes security on startup?

Hi, when I power off and power on my 887W it changes the settings so that I cannot VPN using PPTP anymore. I have to go into the settings and to run the basic firewall wizard and tell it that I need to permit pptp passthrough. It then allows pptp passthrough. I have told the machine to save the settings to flash ram. Yet when the power off power on happens, the same problem occurs.

Is this a known issue? How do I stop the machine preventing pptp passthrough after a power cycle?

regards,

mark

6 Replies

paolo bevilacqua
Hall of Fame

Update IOS.

Are you certain this is a solution to this bug or is your answer a guess? If it is a guess then please don't waste everyone's time by posting guesses.

The 887W has serious issues and it is probably the worst product I have ever bought - why is it being sold with FE and not GE ports?

Anyway, I need a response that can provide some light on this situation.

Are you certain this is a solution to this bug or is your answer a guess? If it is a guess then please don't waste everyone's time by posting guesses.

Did you see the two "badges" next to Paolo's name?  Paolo didn't get either one of those two due to his charms and good looks.  On the contrary, Paolo got them because HE KNOWS WHAT HE'S TALKING ABOUT.   If Paolo says that 1+1 = 3, then you'd better believe it!  (NOTE:  I've seen someone prove, using some devil formula that 1 + 1 = 3.) 

when I power off and power on my 887W it changes the settings so that I cannot VPN using PPTP anymore. I have to go into the settings and to run the basic firewall wizard and tell it that I need to permit pptp passthrough.

What if I have the same conclusion with Paolo?  Your description alone is indicative that your router is loaded with an IOS bug.

How did you go through the "settings and to run the basic firewall wizard"?  Did you go through CLI or GUI?  Did you save the configuration?

I have found many people on many websites that are marked as gurus simply because they respond with silly responses to posts. If Paolo knows the upgrade is necessary then something more than a two word response would be good and until then I will take the response as being flippant.

Having said that, I have been told that I have a working IOS by Cisco.

I do not have maintenance and refuse to pay Cisco more money for firmware upgrades for this device. It is an ADSL2+ device and every other company provides firmware upgrades for free so Cisco should do the same.

Please don't spam me and say I should be prepared to pay Cisco for firmware upgrades. I have already argued this with Cisco when I got the device and found the wireless would not work. Cisco finally admitted the wireless needed a firmware upgrade from day one. More arguing was needed but finally Cisco gave me the wireless firmware upgrade for free.

What I would appreciate is to know whether other people have the same issue or is it something that I need to turn off to prevent the unit making changes at power on.

I use the CCP GUI normally but also the CLI when needed. Yes the config was saved to startup flash and I had this confirmed by a friend who is a CCIE and could not work out what the 887W actually does.

I have found many people on many websites that are marked as gurus simply because they respond with silly responses to posts. If Paolo knows the upgrade is necessary then something more than a two word response would be good and until then I will take the response as being flippant.

Let me put it this way:  Paolo has WORKED for Cisco in the past.  Particularly in the engineering of the 7300 routers.  So, again, he knows the sh1t and I would be particularly crazy (or stoned drunk off my behind) to criticize or contradict him.  Only a few people can get away with contradicting him and I ain't one of 'em. 

HOWEVER, as I've pointed out before.  Your opening statement is indicative of an IOS bug. 

I have been told that I have a working IOS by Cisco.

Sure.  Windows 3.1 is a "working" OS by MS.  But why bother upgrading?  Cisco IOS is not like the firmware of other manufacturers.  You upgrade when deemed necessary.  (Personally, I upgrade my firmware every 3-4 months on >1000 Cisco appliances.)

It is a ADSL2+ device and every other company provides firmware upgrades for free so Cisco should do the same.

Sorry, I'm not going to go down to this debate.

What I would appreciate is to know whether other people have the same issue or is it something that I need to turn off to prevent the unit making changes at power on.

Can I ask you to post the config of your router?  PLEASE remove the confidential bits (such as IP addresses, encryption keys, passwords, etc.)

What I would appreciate is to know whether other people have the same issue or is it something that I need to turn off to prevent the unit making changes at power on.

Why does the router regularly go into power up?  I mean, don't you just leave the router turned on all the time?

My router is left on all the time, but unfortunately has been reset a couple of times due to power failures and also due to what appears to be some type of lockup - this could be because of network problems upstream.

I have attached the config.

----


Building configuration...

Current configuration : 17738 bytes
!
! Last configuration change at 22:13:09 PCTime Sun Nov 11 2012 by cisco
! NVRAM config last updated at 22:13:10 PCTime Sun Nov 11 2012 by cisco
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 887w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
enable secret 5 abcd
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-229575130
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-229575130
revocation-check none
rsakeypair TP-self-signed-229575130
!
!
crypto pki certificate chain TP-self-signed-229575130
certificate self-signed 01
  abcd
   quit
ip source-route
!
!
!
!
ip cef
ip domain name alive.local
ip name-server 192.168.1.48
ip name-server 139.130.4.4
ip port-map user-protocol--2 port udp 2350
ip port-map user-protocol--3 port tcp 3450
ip port-map user-protocol--1 port tcp 2350
ip port-map user-protocol--6 port udp 3389
ip port-map user-protocol--4 port udp 3450
ip port-map user-protocol--5 port tcp 3389
no ipv6 cef
!
!
license udi pid CISCO887W-GN-A-K9 sn FHK1440763G
!
!
username cisco1 privilege 15 secret 5 abcd
!
!
no ip ftp passive
!
class-map type inspect match-all sdm-nat-http-4
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 104
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-http-5
match access-group 110
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--5-2
match access-group 110
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 104
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 109
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-smtp-2
match access-group 105
match protocol smtp
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 109
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 109
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
match access-group 104
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 109
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-3
match access-group 105
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-all sdm-nat-imap-1
match access-group 105
match protocol imap
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-pptp-1
match access-group 103
match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all sdm-nat-pop3-1
match access-group 105
match protocol pop3
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 108
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-dns-1
match access-group 104
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-4
match access-group 110
match protocol https
class-map type inspect match-all sdm-nat-https-3
match access-group 105
match protocol https
class-map type inspect match-all sdm-nat-https-2
match access-group 104
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 103
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-pptp-1
  inspect
class type inspect sdm-nat-dns-1
  inspect
class type inspect sdm-nat-http-2
  inspect
class type inspect sdm-nat-https-2
  inspect
class type inspect sdm-nat-smtp-2
  inspect
class type inspect sdm-nat-http-3
  inspect
class type inspect sdm-nat-pop3-1
  inspect
class type inspect sdm-nat-imap-1
  inspect
class type inspect sdm-nat-https-3
  inspect
class type inspect CCP_PPTP
  pass
class type inspect sdm-nat-http-4
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-user-protocol--3-1
  inspect
class type inspect sdm-nat-user-protocol--4-1
  inspect
class type inspect sdm-nat-user-protocol--5-1
  inspect
class type inspect sdm-nat-user-protocol--6-1
  inspect
class type inspect sdm-nat-http-5
  inspect
class type inspect sdm-nat-https-4
  inspect
class type inspect sdm-nat-user-protocol--5-2
  inspect
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 165.228.87.236 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname abcd
ppp chap password 7 abcd
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source list 151 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 165.228.87.236 53 extendable
ip nat inside source static udp 192.168.1.49 53 165.228.87.236 53 extendable
ip nat inside source static tcp 192.168.1.31 25 203.36.222.121 25 extendable
ip nat inside source static tcp 192.168.1.31 80 203.36.222.121 80 extendable
ip nat inside source static tcp 192.168.1.50 80 203.36.222.122 80 extendable
ip nat inside source static tcp 192.168.1.50 443 203.36.222.122 443 extendable
ip nat inside source static tcp 192.168.1.50 1723 203.36.222.122 1723 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable
ip nat inside source static tcp 192.168.1.49 3389 203.36.222.123 3389 extendable
ip nat inside source static udp 192.168.1.49 3389 203.36.222.123 3389 extendable
ip nat inside source static tcp 192.168.1.45 25 203.36.222.124 25 extendable
ip nat inside source static tcp 192.168.1.45 80 203.36.222.124 80 extendable
ip nat inside source static tcp 192.168.1.45 110 203.36.222.124 110 extendable
ip nat inside source static tcp 192.168.1.45 143 203.36.222.124 143 extendable
ip nat inside source static tcp 192.168.1.45 443 203.36.222.124 443 extendable
ip nat inside source static tcp 192.168.1.88 2350 203.36.222.125 2350 extendable
ip nat inside source static udp 192.168.1.88 2350 203.36.222.125 2350 extendable
ip nat inside source static tcp 192.168.1.88 3450 203.36.222.125 3450 extendable
ip nat inside source static udp 192.168.1.88 3450 203.36.222.125 3450 extendable
ip nat inside source static tcp 192.168.1.81 80 203.36.222.126 80 extendable
ip nat inside source static tcp 192.168.1.81 443 203.36.222.126 443 extendable
ip nat inside source static tcp 192.168.1.81 3389 203.36.222.126 3389 extendable
ip route 0.0.0.0 0.0.0.0 165.228.87.1
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended icmp
remark CCP_ACL Category=128
permit ip any host 165.228.87.236
!
logging trap notifications
logging 192.168.1.49
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 165.228.87.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.31
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.50
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.49
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.45
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq telnet
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq www
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 443
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq cmd
access-list 106 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq snmp
access-list 106 deny   tcp any host 192.168.1.254 eq telnet
access-list 106 deny   tcp any host 192.168.1.254 eq 22
access-list 106 deny   tcp any host 192.168.1.254 eq www
access-list 106 deny   tcp any host 192.168.1.254 eq 443
access-list 106 deny   tcp any host 192.168.1.254 eq cmd
access-list 106 deny   udp any host 192.168.1.254 eq snmp
access-list 106 permit ip any any
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark CCP_ACL Category=1
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host 255.255.255.255 any
access-list 108 permit ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip 165.228.87.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.1.88
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 192.168.1.81
access-list 150 remark CCP_ACL Category=1
access-list 150 permit ip any any
access-list 151 remark CCP_ACL Category=2
access-list 151 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCCC

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you
want to use.

-----------------------------------------------------------------------

^C
banner login ^CCCC

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0

no username cisco

Replace and with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 107 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 192.168.1.48 prefer source Vlan1
end
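A defender-side way to find out whether the PPTP passthrough really survived the save: the script below (an added example, not code from this thread or from Cisco) parses IOS configuration text and checks each link of the CCP-generated passthrough chain that the posted config relies on (ACL SDM_GRE permitting GRE, class-maps SDM_GRE and CCP_PPTP, the "pass" action for CCP_PPTP in the policy attached to the out-zone to in-zone zone-pair, and the TCP/1723 static NAT for the inside host). Running it over the output of `show running-config` and `show startup-config` lists the links that are present in the running config but absent from the saved one. The RUNNING excerpt is constructed from the posted config with standard IOS one-space indentation, and STARTUP is a constructed copy with the GRE pass class removed, not the poster's real startup config.

```python
import re

# Constructed excerpt (not the poster's full config), written with the one-space
# sub-command indentation that 'show running-config' / 'show startup-config' emit.
RUNNING = """\
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip nat inside source static tcp 192.168.1.50 1723 203.36.222.122 1723 extendable
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
"""
# Constructed "saved" copy from which the GRE pass class has gone missing.
STARTUP = RUNNING.replace(" class type inspect CCP_PPTP\n  pass\n", "")


def parse_blocks(text):
    """Map each top-level IOS command to its (flattened) indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def pptp_passthrough_status(text, inside_host):
    """Return {check: bool} for each link in the CCP-generated PPTP passthrough chain."""
    b = parse_blocks(text)
    policy = None  # inspect policy attached to the out-zone -> in-zone zone-pair
    for top, subs in b.items():
        if top.startswith("zone-pair security") and "source out-zone destination in-zone" in top:
            for s in subs:
                m = re.match(r"service-policy type inspect (\S+)$", s)
                policy = m.group(1) if m else policy
    pol = b.get(f"policy-map type inspect {policy}", [])
    # Inside that policy, class CCP_PPTP must be immediately followed by the 'pass' action.
    gre_passed = any(pol[i] == "class type inspect CCP_PPTP" and pol[i + 1] == "pass"
                     for i in range(len(pol) - 1))
    nat_re = re.compile(rf"ip nat inside source static tcp {re.escape(inside_host)} 1723 \S+ 1723\b")
    return {
        "gre_acl": any(s.startswith("permit gre ") for s in b.get("ip access-list extended SDM_GRE", [])),
        "gre_classmap": "match access-group name SDM_GRE" in b.get("class-map type inspect match-all SDM_GRE", []),
        "pptp_classmap": "match class-map SDM_GRE" in b.get("class-map type inspect match-any CCP_PPTP", []),
        "gre_passed_out_to_in": gre_passed,
        "pptp_tcp_1723_static_nat": any(nat_re.match(top) for top in b),
    }


def lost_on_save(running, startup, inside_host):
    """Names of checks that hold in the running config but fail in the startup config."""
    r, s = pptp_passthrough_status(running, inside_host), pptp_passthrough_status(startup, inside_host)
    return sorted(k for k in r if r[k] and not s[k])
```

Because the posted config lost its indentation when pasted, feed the script text captured directly from the router; a failed check after a reboot points at the saved config, whereas all checks passing in both copies means the change happens at runtime and the IOS bug suggestion above is the likelier explanation.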
