09-19-2011 09:32 AM - edited 03-21-2019 04:41 AM
Hi,
I am setting up a new UC540 and trying to set up WAN connectivity, but it is not working. The UC540 is getting a public IP address and I can ping Google and Microsoft, but I cannot surf. What am I doing wrong?
All the information related to the WAN port is below:
interface FastEthernet0/0
description $ETH-WAN$
no ip address
ip mask-reply
ip directed-broadcast
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 105 in
ip mask-reply
ip directed-broadcast
ip mtu 1452
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname (removed for privacy of customer)
ppp chap password 7 097958510A091C0801
ppp pap sent-username (removed) password 7 03314D5315032A5644
ppp ipcp dns request
Here is access-list 105:
access-list 105 remark auto generated by SDM firewall configuration##NO_ACES_16##
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 10.1.10.0 0.0.0.3 any
access-list 105 deny ip 10.1.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.10.0 0.0.0.255 any
access-list 105 permit udp host 207.164.234.193 eq domain any
access-list 105 permit udp host 207.164.234.129 eq domain any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
dialer-list 1 protocol ip permit
Sorry, forgot the firewall settings:
ip name-server 207.164.234.193
ip name-server 207.164.234.129
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
no ipv6 cef
Thanks for your help
Digish
09-19-2011 10:25 AM
There's no nat config...
09-19-2011 10:45 AM
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip identd
09-19-2011 11:12 AM
If your desktops can ping outside but cannot browse, it's usually DNS related.
09-19-2011 12:57 PM
jyoopro4ia, not necessarily true. While you may be able to ping the site, which means ICMP traffic is not blocked, it is also possible that port 80 is blocked or not allowed through.
You could try this: If Google's IP is 72.14.204.104, try navigating to that address in your browser. If it goes through then it might be a DNS issue. You might need to specify DNS servers or perhaps do an "ipconfig /flushdns" from your computers if you haven't restarted them.
09-19-2011 03:21 PM
TCP traffic denied. So I turned off the firewall setting; still getting the same message.
09-19-2011 07:39 PM
Hi Digish Dave,
Do you have the following command functioning?
ip name-server
[EDIT] It is there which is good...
If not, then you need to go into CCA, go to the Internet connection draw and enter the DNS information. If you can ping the outside world but cannot browse, then you do not have DNS resolution... Also, when doing it with CCA it will add the ACL rules that are needed as well, which is very important.
Try and not do the work via CLI as it might put the system out of scope.
[EDIT]
CCA also inserted the following into my configuration, which is a WAN-based config with no Dialer:
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.16.253
ip route 10.1.10.1 255.255.255.255 Vlan90
Cheers,
David.
09-20-2011 06:49 AM
Hence the term "usually". It's not common for TCP port 80 to be blocked on a new UC540 out of the box.
09-20-2011 12:24 PM
Thanks Guys,
If TCP port 80 is blocked, then where do I change that in CCA??
I have seen the "TCP packets denied" messages from different IP addresses.
09-20-2011 02:42 PM
Your CBAC firewall is not inspecting HTTP traffic.
ip inspect name SDM_LOW http
You might want to add, the following inspect rules until you get everything working.
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
Can you post your entire configuration, there is a lot missing here. I do not see any NAT statements.
For one under your Dialer 0 interface, you should have:
ip nat outside
How did you configure your UC540? CLI or CCA?
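Why ping and DNS work while browsing fails, as a Python model added here (not code from the thread, from CCA or from Cisco): it evaluates an abridged copy of the poster's access-list 105 against inbound replies using Cisco wildcard and first-match semantics, and models CBAC (`ip inspect SDM_LOW out`) as a bypass for replies to inspected outbound sessions. Google's address 72.14.204.104 is the one quoted in the thread; the dialer address 203.0.113.7, the session table and the packet records are constructed.

```python
import ipaddress

# Constructed abridged copy of the poster's access-list 105 (same order and syntax).
ACL_105 = """access-list 105 permit udp host 207.164.234.193 eq domain any
access-list 105 permit icmp any any echo-reply
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip any any log"""
ip = lambda a: int(ipaddress.IPv4Address(a))
def _spec(t, i):
    """Parse 'any' | 'host A' | 'A WILD' plus optional 'eq PORT' at t[i]; return net, wild, port, next i."""
    if t[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        net, wild, i = ip(t[i + 1]), 0, i + 2
    else:
        net, wild, i = ip(t[i]), ip(t[i + 1]), i + 2
    if i < len(t) and t[i] == "eq":  # port names that appear in the posted ACL
        return net, wild, {"domain": 53, "www": 80}.get(t[i + 1]) or int(t[i + 1]), i + 2
    return net, wild, None, i
def parse_acl(text):
    rules = []  # (action, proto, [net, wild, port], [net, wild, port], icmp-type or None)
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 4 or t[2] == "remark":
            continue
        *src, i = _spec(t, 4)
        *dst, i = _spec(t, i)
        rules.append((t[2], t[3], src, dst, t[i] if i < len(t) and t[i] != "log" else None))
    return rules
def acl_lookup(rules, pkt):
    """Cisco first-match semantics; implicit deny when no entry matches."""
    def side(spec, addr, port):  # wildcard bit 1 = don't care
        return (ip(addr) | spec[1]) == (spec[0] | spec[1]) and spec[2] in (None, port)
    for action, proto, s, d, icmp in rules:
        if (proto in ("ip", pkt["proto"]) and side(s, pkt["src"], pkt.get("sport"))
                and side(d, pkt["dst"], pkt.get("dport")) and icmp in (None, pkt.get("icmp"))):
            return action
    return "deny"
def inbound_verdict(pkt, rules, inspect, sessions):
    """CBAC first: replies to an inspected outbound session bypass the inbound ACL; otherwise ACL 105."""
    app = {("tcp", 80): "http", ("udp", 53): "dns"}.get((pkt["proto"], pkt.get("sport")), pkt["proto"])
    if (pkt["proto"], pkt["src"], pkt.get("sport")) in sessions and {app, pkt["proto"]} & inspect:
        return "permit (cbac)"
    return acl_lookup(rules, pkt)
SDM_LOW_POSTED = {"dns", "icmp", "https", "ftp"}  # the posted list inspects neither http nor plain tcp
def demo(inspect=SDM_LOW_POSTED):
    """Replies to a LAN host (NATed to constructed 203.0.113.7) that pinged and then browsed Google."""
    rules, ext = parse_acl(ACL_105), "203.0.113.7"
    sessions = {("icmp", "72.14.204.104", None), ("tcp", "72.14.204.104", 80)}  # outbound state
    pkts = {"ping": {"proto": "icmp", "src": "72.14.204.104", "dst": ext, "icmp": "echo-reply"},
            "http": {"proto": "tcp", "src": "72.14.204.104", "sport": 80, "dst": ext, "dport": 51000}}
    return {k: inbound_verdict(p, rules, inspect, sessions) for k, p in pkts.items()}
```

With the posted SDM_LOW list the HTTP reply falls through to "deny ip any any log" (the logged TCP denies in the thread), while adding "http" or plain "tcp" to the inspect set lets it through.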
09-20-2011 02:47 PM
Digish Dave,
Are you doing anything via the CLI on this system? If you are, you should be aware that unless you know exactly how CCA manages that part of the code, you will automatically place it in an OOB state. Be careful, because if the system has an SBCS support contract on it, it may be invalid until such time as the system is put back in scope.
If you are using only CCA to manage it, then have you deleted the Firewall within CCA and recreated it again? For it to be blocking port 80 it would have had to have been instructed to do so; otherwise there is something bogus in the programming logic which shouldn't be there.
Please refer to the image below:
If your firewall rules are screwed up then you may want to consider deleting them and having CCA re-create them for you, but also try first before doing that, setting your Firewall setting on "LOW" if it is not already, or increasing it to "High", apply the settings, exit CCA and then go back in and change it to "LOW" again and see if that resolves the problem.
If the problem persists, then we need to look deeper again, which means you will need to post your configuration with the sensitive data removed so we can all look at your config and see what is happening.
Cheers,
David.