12-17-2011 12:09 PM - edited 03-07-2019 03:56 AM
This Cisco 800 series has been "handed" to me to get configured...
I am having issues using CCP to connect to the device; I am getting "Connection to the device could not be established. Either the device is not reachable or the HTTP/HTTPS service is not enabled on the device."
I know I saved some wrong configuration but having a tough time figuring out where. Can someone point out to a cisco newb where I am going wrong?
I have checked off the following troubleshooting and can't find where I made my mistake.
Any help with the proper commands would be greatly appreciated!
881W#show config
Using 5319 out of 262136 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 14:54:38 PCTime Sat Dec 17 2011
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881W
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-542214224
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-542214224
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-542214224
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name Masternet
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX152401DC
!
!
username ***** privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/
!
!
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 0 ********
ppp pap sent-username ******** password 0 ********
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging esm config
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 91 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
banner login ^CYou are using a network that logs all users activities. If you are not authorized disconnect now.^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 24.56.178.140 source Wlan-GigabitEthernet0
ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0
end
12-19-2011 08:04 AM
Hi,
take a look at my previous post , this is a ZBF config problem.
Regards.
Alain
12-17-2011 02:18 PM
Jason
Can you tell us what is the source address when you attempt to use CCP? I am guessing that this is the problem. Look at these parts of the config
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
This says that the router will only accept connections from source addresses 10.10.10.1 through 10.10.10.6.
HTH
Rick
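Rick's point about what `access-list 23 permit 10.10.10.0 0.0.0.7` actually admits, as an added worked example that is not part of the thread: a small Python model of standard-ACL evaluation with IOS wildcard-mask semantics. The function names, the ACL entries (copied from the posted config and from Rick's `deny any log` suggestion) and the sample source addresses (the PC's two addresses from the ipconfig output) are constructed for this illustration.

```python
import ipaddress

# Constructed model of an IOS standard access list: entries are evaluated top-down,
# the first match wins, and an implicit "deny any" sits at the end.
# Entry = (action, network, wildcard, log). network == "any" matches every source.
ACL_23_ORIGINAL = [("permit", "10.10.10.0", "0.0.0.7", False)]   # as posted in the thread
ACL_23_DENY_LOG = [("deny", "any", None, True)]                  # Rick's logging variant

_MASK32 = 0xFFFFFFFF


def wildcard_matches(address, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit must match the network exactly (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & _MASK32
    return (a & care) == (n & care)


def permitted_range(network, wildcard):
    """Lowest and highest address an entry covers. 0.0.0.7 on 10.10.10.0 covers
    10.10.10.0 through 10.10.10.7; on a /29 the usable hosts are .1 through .6."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    lo = n & ~w & _MASK32
    hi = lo | w
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def evaluate_standard_acl(acl, source):
    """Return (action, logged) for a source address. A hit on an entry carrying the
    log keyword is what would produce the log message Rick describes; the implicit
    deny at the end of the list is never logged."""
    for action, network, wildcard, log in acl:
        if network == "any" or wildcard_matches(source, network, wildcard):
            return action, log
    return "deny", False


if __name__ == "__main__":
    for src in ("10.10.10.2", "192.168.1.113"):
        print(src, "->", evaluate_standard_acl(ACL_23_ORIGINAL, src))
    print("entry covers", permitted_range("10.10.10.0", "0.0.0.7"))
```

Run against the two addresses from the ipconfig output, the model shows the point of Rick's question: 10.10.10.2 is permitted, 192.168.1.113 falls through to the implicit deny, and only the explicit `deny any log` entry would leave a trace in the log.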
12-17-2011 05:58 PM
Do you think it is the preferred adapter messing things up?
C:\ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller #2
Physical Address. . . . . . . . . : 00-23-54-51-41-F7
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 10.10.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Masternet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller
Physical Address. . . . . . . . . : 00-23-54-51-41-F8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.113(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, December 17, 2011 3:54:53 PM
Lease Expires . . . . . . . . . . : Sunday, December 18, 2011 3:54:53 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 205.152.144.23
205.152.132.23
192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{319730B2-D3E1-4D78-BC1E-A9F7827A84E8}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1851:27dc:3f57:fe8e(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::1851:27dc:3f57:fe8e%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{B794DE4E-C0A2-4CC6-A5D3-A5657D38F1B4}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
12-18-2011 09:58 AM
Jason
The PC seems to have 2 IP addresses and I do not see anything in what you posted that tells us which address is being used (and both addresses have the notation that they are preferred). So I am going to assume that it is likely that the device is using the 192.168.1.113 address and that this is causing the problem. I can suggest a couple of things that you could do that would prove this.
- you could add a line to access list 23 that permits 192.168.1.113 (permit the specific host, or permit a range of hosts that includes this, or permit the entire 192.168.1.0 network). If you add the line and then access works you have proved what the problem was and have also achieved a workaround for the problem.
- you could add a line to access list 23 with deny any and specifying the log parameter like this
access-list 23 deny any log
This will generate a log message which should tell you what address is attempting access. This could tell you exactly what the problem is but you would then have to decide whether it is better to do something on the host to get it to use the 10.10.10.2 address or to do something on the router to get it to accept the address.
HTH
Rick
As an after-thought can you tell us whether that host has 2 Ethernet cards? Perhaps the solution is as simple as moving the Ethernet connection to the other card.
12-18-2011 03:36 PM
Rick,
I did disable the 192.168.1.113 DHCP address and that still proved not to work. I should have been more clear back when I posted the IPCONFIG. On your advice I have switched the network cords around, and disabled the 192.x.x.x network for safe keeping. No luck...
Here is the new access-lists info:
881W(config)#end
881W#write
Dec 18 23:13:04.751: %SYS-5-CONFIG_I: Configured from console by ****** on console
Building configuration...
[OK]
881W#show access-lists
Standard IP access list 23
10 permit any
Standard IP access list 91
10 permit any
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 101
10 permit ip any any
Extended IP access list 110
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 permit icmp any any source-quench
40 permit icmp any any packet-too-big
50 permit icmp any any time-exceeded
881W#
As you can see I did the ole permit any and still not working. Also below is my current IPCONFIG.
Windows IP Configuration
Ethernet adapter Masternet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.122
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
Ethernet adapter Cisco:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 10.10.10.1
Tunnel adapter isatap.{319730B2-D3E1-4D78-BC1E-A9F7827A84E8}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:30:2954:3f57:fe85
Link-local IPv6 Address . . . . . : fe80::30:2954:3f57:fe85%13
Default Gateway . . . . . . . . . : ::
Tunnel adapter isatap.{B794DE4E-C0A2-4CC6-A5D3-A5657D38F1B4}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
As far the log reporting, here is what I set:
881W#show access-lists
Standard IP access list 23
10 deny any log
Standard IP access list 91
10 permit any
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 101
10 permit ip any any
Extended IP access list 110
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 permit icmp any any source-quench
40 permit icmp any any packet-too-big
50 permit icmp any any time-exceeded
881W#show log
I took the NIC adapter up and down to make sure I saw active logging, this is the result:
Dec 18 23:32:59.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
Dec 18 23:33:06.447: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Dec 18 23:33:07.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
I didn't see any activity from the CCP. Any more advice?
Jason
12-18-2011 04:02 PM
Hi Jason,
Could you post your show version output? Make sure you've temporarily disabled your PC FW/AV.
Sent from Cisco Technical Support iPhone App
12-18-2011 08:38 PM
John,
I removed MS Security Essentials, and checked the Windows Firewall and all firewalls(zones) are set to off. The CCP was working until I made some changes a couple days back. The system (PC) I am using has not changed in really any way. I was assuming I made a bonehead change and committed it before checking. Looking over the config it seemed fine except for the local PC having two NICS. I was using one NIC for my local LAN, and the other to connect to the CCP on the Cisco 881.
881W#show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 10-Aug-11 11:29 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
881W uptime is 3 minutes
System returned to ROM by power-on
System restarted at 23:30:09 PCTime Sun Dec 18 2011
System image file is "flash:c880data-universalk9-mz.151-3.T2.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FTX152401DC
5 FastEthernet interfaces
1 Gigabit Ethernet interface
1 terminal line
1 Virtual Private Network (VPN) Module
1 cisco Embedded AP (s)
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO881W-GN-A-K9 FTX152401DC
License Information for 'c880-data'
License Level: advsecurity Type: Permanent
Next reboot license Level: advsecurity
Configuration register is 0x2102
12-18-2011 10:56 PM
Hi Jason,
Can you do the below and try again?
no ip source-route
12-19-2011 07:41 AM
John,
No luck, still not working and giving the same error.
Latest config:
Using 5344 out of 262136 bytes
!
! Last configuration change at 10:33:56 PCTime Mon Dec 19 2011 by jmorano
! NVRAM config last updated at 10:33:58 PCTime Mon Dec 19 2011 by jmorano
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881W
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-542214224
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-542214224
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-542214224
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name Masternet
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX152401DC
!
!
username jmorano privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/
!
!
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *********
ppp chap password 0 ********
ppp pap sent-username ******
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging esm config
access-list 23 permit any
access-list 91 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
banner login ^CYou are using a network that logs all users activities. If you are not authorized disconnect now.^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 24.56.178.140 source Wlan-GigabitEthernet0
ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0
end
12-18-2011 07:21 PM
Jason
I am a bit confused about how it is configured. First you tell us this:
881W#show access-lists
Standard IP access list 23
10 permit any
but then you also show us this
881W#show access-lists
Standard IP access list 23
10 deny any log
so I am really confused about the content of access list 23. Perhaps the best solution is to ask you to post a fresh copy of the output of show run.
HTH
Rick
12-18-2011 08:42 PM
881W#show run
Building configuration...
Current configuration : 6594 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 23:30:52 PCTime Sun Dec 18 2011
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881W
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0IZb$gTe9qzmC2khcz4q7t1H1r0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-542214224
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-542214224
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-542214224
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35343232 31343232 34301E17 0D313131 32313930 34333035
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3534 32323134
32323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A25FA6DA 732919AD 52606CBF E0CA905E 6F09C2FE 12A66B53 51D0967A CF4A6CD2
768A8EF7 8170F01A 00673D2A B8A92FA2 15981052 5C8DE4DF E4AD08CD 89BB75E0
BB8AFEB0 229DEC04 419019E6 CF51AEF1 54539B92 821FB287 8AE98C43 4337890E
8F23318F EF02CAD4 7EDB15DC 841D7ACE 731BCB3D A65B1935 5F030EB8 720777E3
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
23041830 16801450 28EB9B88 DC3E5C80 035D3EC8 DA79DEA8 83E11430 1D060355
1D0E0416 04145028 EB9B88DC 3E5C8003 5D3EC8DA 79DEA883 E114300D 06092A86
4886F70D 01010405 00038181 0085F224 F8273C2D E639AAA9 BD0D0AD8 775ADDB1
C38BD8A0 F8EB8A02 AF4A75DE 6E561CAD 524FBA59 31C58805 6EB92D6B 479764E1
3BFC656D BC0E7C8A C1CEBB28 9D95A202 339E8988 90CF67BC F7BAA4C8 FA31A725
31439CF7 3C9A6824 BB79C505 FC06F068 B833B27A 4881E93D 20E71EA0 3B4F4E1D
E9D13421 4C0FF6E6 2A9C063D 02
quit
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name Masternet
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX152401DC
!
!
username ******* privilege 15 secret 5 $1$FJ5H$buqflzYdL8pf9wOuZE8wm/
!
!
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ***********
ppp chap password 0 **********
ppp pap sent-username ********** password 0 **********
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging esm config
access-list 23 permit any
access-list 91 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
banner login ^CYou are using a network that logs all users activities. If you are not authorized disconnect now.^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 24.56.178.140 source Wlan-GigabitEthernet0
ntp server 64.90.182.55 prefer source Wlan-GigabitEthernet0
end
12-19-2011 06:02 AM
Jason
Thanks for posting the output of show run. That clearly shows that the access class is no longer a potential problem. If CCP is still not working then we need to look for something else.
Can you post the output of tracert from your PC to the router?
If you attempt to use CCP do you get any kind of response?
HTH
Rick
12-19-2011 07:46 AM
Hi,
policy-map type inspect ccp-permit
class class-default
drop
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
interface Vlan1
description Bellsouth WAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
You are denying all communication from the VLAN1 interface to the router and that's why CCP is not working.
Just move interface VLAN 1 into zone-security in-zone and it will work.
I also noticed you put your inside interface as a NAT outside interface but it should be a NAT inside interface, and furthermore I do not see any other NAT configuration. You should configure the Dialer interface as NAT outside and then create an ACL for NATting in-zone to the out-zone Dialer interface and a NAT statement for this, like this:
access-list 199 permit ip 10.10.10.0 0.0.0.7 any
ip nat inside source list 199 interface Dialer0
You should also change your default static like this
no ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Dialer0
Also add following global config command for testing your ZBF: ip inspect log drop-pkt
Regards.
Alain
12-19-2011 08:15 AM
Alain,
You are denying all communication from the VLAN1 interface to the router and that's why CCP is not working.
Just move interface VLAN 1 into zone-security in-zone and it will work.
I also noticed you put your inside interface as a NAT outside interface but it should be a NAT inside interface, and furthermore I do not see any other NAT configuration.
Your explanation is now making more sense. I figured I locked myself out by misconfiguring the NAT. Can you assist in the proper way I can move the Vlan per your comments above?
I greatly appreciate the proper verbiage for the:
access-list 199 permit ip 10.10.10.0 0.0.0.7 any
ip nat inside source list 199 interface Dialer0
You should also change your default static like this
no ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Dialer0
Also add following global config command for testing your ZBF: ip inspect log drop-pkt
Can you assist me in the Vlan move? Thanks!
Jason
12-19-2011 08:26 AM
Hi,
zone security in-zone
int vlan 1
no ip nat outside
ip nat inside
no zone-member security out-zone
zone-member security in-zone
Regards.
Alain
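The failure Alain diagnoses in the 07:46 post and the fix he gives here, as an added example that is not part of the thread: a Python model of the zone-based firewall (ZBF) lookup the router performs for traffic from the management PC to its own HTTPS server. Zone, zone-pair, policy-map and class-map names are copied from the posted config; the evaluation rules are the documented ZBF defaults (no zone-pair between two zones means drop, no zone-pair to or from the `self` zone means permit, intra-zone traffic is not policed). The function names, the before/after interface-to-zone tables and the simplification that classes match on protocol only (so `ccp-invalid-src`, which matches on source address via ACL 100, is left out) are constructed for this illustration.

```python
# Constructed model of the thread's ZBF configuration. Not IOS code: names are
# taken from the posted config, evaluation logic follows the ZBF defaults.

CCP_INSP_PROTOCOLS = {"dns", "ftp", "h323", "https", "icmp", "imap", "pop3", "netshow",
                      "shell", "realmedia", "rtsp", "smtp", "sql-net", "streamworks",
                      "tftp", "vdolive", "tcp", "udp"}

# policy-map -> ordered (class name, protocols matched, action) plus class-default action.
# ccp-invalid-src (match access-group 100) is omitted: this model keys on protocol,
# not on source address.
POLICIES = {
    "ccp-permit-icmpreply": {
        "classes": [("ccp-icmp-access", {"icmp", "tcp", "udp"}, "inspect")],
        "default": "pass",
    },
    "ccp-inspect": {
        "classes": [("ccp-protocol-http", {"http"}, "inspect"),
                    ("ccp-insp-traffic", CCP_INSP_PROTOCOLS, "inspect")],
        "default": "drop",
    },
    # policy-map type inspect ccp-permit has only "class class-default / drop"
    "ccp-permit": {"classes": [], "default": "drop"},
}

# zone-pair security <name> source X destination Y / service-policy type inspect <policy>
ZONE_PAIRS = {
    ("self", "out-zone"): "ccp-permit-icmpreply",
    ("in-zone", "out-zone"): "ccp-inspect",
    ("out-zone", "self"): "ccp-permit",
}

# interface -> zone membership, as posted and after Alain's fix
IFACE_ZONE_BEFORE = {"Vlan1": "out-zone", "Dialer0": "out-zone"}
IFACE_ZONE_AFTER = {"Vlan1": "in-zone", "Dialer0": "out-zone"}


def zbf_verdict(iface_zone, src, dst, protocol):
    """Resolve the zone pair for a flow and return the ZBF action.
    src/dst may be interface names (mapped through iface_zone) or the literal
    zone name 'self' for traffic terminating on the router itself."""
    src_zone = iface_zone.get(src, src)
    dst_zone = iface_zone.get(dst, dst)
    if src_zone == dst_zone:
        return "pass"                      # intra-zone traffic is not policed
    policy_name = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy_name is None:
        # ZBF default: self zone is reachable without a zone-pair, other zones are not
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    policy = POLICIES[policy_name]
    for _name, protocols, action in policy["classes"]:
        if protocol in protocols:
            return action                  # first matching class wins
    return policy["default"]


def ccp_reachable(iface_zone):
    """Can a management PC behind Vlan1 reach the router's HTTPS server (CCP)?"""
    return zbf_verdict(iface_zone, "Vlan1", "self", "https") in ("pass", "inspect")


if __name__ == "__main__":
    for label, table in (("before", IFACE_ZONE_BEFORE), ("after", IFACE_ZONE_AFTER)):
        print(label, "Vlan1 -> self https:", zbf_verdict(table, "Vlan1", "self", "https"),
              "| Dialer0 -> self https:", zbf_verdict(table, "Dialer0", "self", "https"))
```

With Vlan1 in out-zone the lookup lands on the `out-zone -> self` pair, whose policy `ccp-permit` has only `class-default drop`, so the CCP session dies at the router regardless of what ACL 23 says; with Vlan1 in in-zone there is no `in-zone -> self` pair and the self-zone default permits it. The model also shows the property worth keeping: HTTPS from Dialer0 (the PPPoE WAN side) to the router stays dropped in both configurations.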