831 config errors and questions 2

silverhairb (IS-IT--Management), Dec 18, 2008
I'm trying to get to the point of being able to use CRWS or SDM to configure an 831 for a different network. Two problems have come up on a previously working 831 that I can't seem to figure out.

First problem is that the running configuration will save to a file called startup-config but won't start when the router boots. When I copy the config over from startup-config to run I get the right config, but get the following two errors:

Error activating CNBAR on Ethernet0
Error activating CNBAR on Ethernet1

These errors also appeared when I was keying in the config (#ip nat outside for e1 and #ip nat inside for e0). If needed, I can provide the step-by-step script of how I got here.

Any help would be greatly appreciated.

TIA,

Bill


To start, I got into rommon on cold boot and reset the router doing the following:

rommon1>
rommon1>confreg 2142
rommon2>reset

[router reboots]

router>
router>en
router#copy start run
router#conf t
router(config)#line con 0
router(config-line)#password whatever
router(config-line)#login
router(config-line)#exit
router(config)#enable password whatever
router(config)#enable secret cisco
router(config)#config-register 2102
router(config)#exit
router#copy run start
[enter twice]
router#reload

Then I keyed a config script.

Follows is sh run:

831router#sh run
Building configuration...

Current configuration : 1490 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 831router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool silver1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 24.217.0.5 24.217.201.67
lease 45
!
!
no ip bootp server
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
partition flash 2 10 2
!
username silver privilege 15 secret 5 $1$UpWI$Otq1HMOcJKQxphk/HT9DR/
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
shutdown
!
interface Ethernet1
ip address dhcp
no ip redirects
ip nat outside
shutdown
duplex auto
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 044C03071B245A4B1B
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end


 
int e0
no shut

int e1
no shut

NBAR cannot run because the interfaces are shut down. Everything else looks good. Remember---if I told you, that is (lol)---that you have to do a no shut on the interfaces when copying from a config file. Or you can...what's the word I'm looking for...adjust, update...crap---anywho, type "no shut" on the interfaces in the config file. You can edit---THAT's the word...lol---the file with WordPad in Windows.

Burt
 
Thanks. I'll give that a try tonight.

Any idea why the startup config won't run at cold boot? Is the confreg wrong?
 
Yeah---I missed that as I skimmed through the first time. This

router(config)#config-register 2102

needs to be this

router(config)#config-reg 0x2102

The "0x" is not used in rommon, but is used in global config.

Burt
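The two register values in the reply above, decoded. This is an added example by the editor, not code from the thread: the bit layout is Cisco's documented configuration-register layout, while the helper names and the wording of the report are this example's own.

```python
"""Decode a Cisco IOS configuration register.

Added example, not code from the thread. 0x2142 is the password-recovery
value: bit 6 (0x0040) tells the router to ignore NVRAM, so the saved
startup-config is never loaded until that bit is cleared again (0x2102).
Bit meanings follow Cisco's documented layout; helper names are assumed.
"""

BOOT_FIELD = 0x000F           # bits 0-3: what to boot
IGNORE_NVRAM = 0x0040         # bit 6: skip startup-config at boot (password recovery)
BREAK_DISABLED = 0x0100       # bit 8: ignore console Break during boot
ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if network boot fails


def parse_confreg(text: str) -> int:
    """Accept '0x2102' or '2102'; this helper reads both as hexadecimal."""
    digits = text.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    value = int(digits, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"config register out of range: {text}")
    return value


def boot_field(value: int) -> str:
    """Describe bits 0-3 of the register."""
    field = value & BOOT_FIELD
    if field == 0:
        return "stay in ROMMON"
    if field == 1:
        return "boot first image in flash (platform dependent)"
    return "normal boot (boot system commands, else first image in flash)"


def describe(value: int) -> dict:
    """Human-readable summary of one register value."""
    return {
        "register": f"0x{value:04X}",
        "boot": boot_field(value),
        "loads_startup_config": not value & IGNORE_NVRAM,
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_on_netboot_fail": bool(value & ROM_ON_NETBOOT_FAIL),
    }


def loads_startup_config(text: str) -> bool:
    """True when a router with this register reads NVRAM at boot."""
    return not parse_confreg(text) & IGNORE_NVRAM


def after_recovery(text: str) -> str:
    """Register to set once recovery is done: same value with the ignore-NVRAM bit cleared."""
    return f"0x{parse_confreg(text) & ~IGNORE_NVRAM:04X}"


if __name__ == "__main__":
    for reg in ("0x2142", "0x2102"):
        print(describe(parse_confreg(reg)))
```

The last line of `show version` prints the current register, so check it after every recovery: a router left at 0x2142 boots with no configuration and no passwords for whoever is on the console, and the recovery procedure in the first post is available to anyone with console access, which is why physical access to the console port counts as administrative access.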
 
That helped. Still doesn't show no shut in the running config (see below) and I'm still getting:

Error activating CNBAR on Ethernet0
Error activating CNBAR on Ethernet1

but am able to connect to the router via both CRWS and SDM from a PC that's getting an address via DHCP. But the connection to the cable modem (neighbor's house, not my DSL) isn't getting an address (activity lights are blinking). I used a couple of different cable modem setups without success.

I used SDM to test/ping the connection and it failed at DHCP.

What am I missing trying to get through to the cable modem?

Thanks in advance for the time and effort.

Bill


Follows is the current running config as set through CRWS:

831router#sh run
Building configuration...

Current configuration : 3142 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 831router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip subnet-zero
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool silver1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 24.217.0.5 24.217.201.67
lease 45
!
ip dhcp pool CLIENT
import all
default-router 192.168.1.1
lease 0 2
!
!
no ip bootp server
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit po max-events 100
no ftp-server write-enable
!
!
partition flash 2 10 2
!
username silver privilege 15 secret 5 $1$UpWI$Otq1HMOcJKQxphk/HT9DR/
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 122 out
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
no ip redirects
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
!
!
!
!
line con 0
logging synchronous
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
password 7 044C03071B245A4B1B
login
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end

831router#
 
First off, get rid of the dhcp pools. Second, get rid of NAT---it is not needed, since the cable modem will be doing the NAT. Third, take acl 111 off of e1. Fourth, acl 122 prevents anyone in the LAN, including you, from telnetting to anything on the outside world. If you want to prevent telnet access to your router, there are three ways to do this. You can enable ssh, and do trans in ssh on the vty 0 4 (if the IOS supports ssh), or you can make an acl and place it inbound on the vty lines like so...

access-list 10 deny any
line vty 0 4
access-class 10 in

The third way---remove the login keyword and the password from the vty lines.

Last---read this link before posting level 7 encrypted (service password-encryption) passwords...


Wait--one more thing...you probably should do an enable secret and username user priv 15 secret blabla. Also, for the most secure router, you should disable ip redirects, small tcp servers, small udp servers, http, nagle, and enable tcp syn-wait time. I could run this through Cisco's online tool, and post the result---it will give you LOTS of security violations! Will do that in a minute.

Burt
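The checks from the reply above, run over the posted config, as an added example by the editor (not code from the thread). It parses `show run` text into stanzas and flags the NAT-on-shutdown interfaces behind the CNBAR errors, the open vty transport, the HTTP server and any `password 7` string, which it also decodes, since that reversibility is the point of the warning about posting level-7 passwords. Both configs inside it are constructed: WEAK_CONFIG is trimmed from the first config posted above and HARDENED_CONFIG is an assumed corrected version. One caveat for the vty options: a vty line without `login` prompts for no password at all rather than refusing connections, so the audit reports that as a finding; with no SSH support, the access-class route is the one to take.

```python
"""Audit Cisco IOS 'show run' text for the issues raised in this thread.

Added example by the editor, not code from the original posts. It flags
interfaces with 'ip nat' that are still 'shutdown' (the state behind
'Error activating CNBAR on EthernetX'), 'ip http server' left on, vty
lines with 'transport input all' and no 'access-class', vty lines with
no 'login' at all, and 'password 7' strings, which it decodes. Type-7
obfuscation is the documented reversible XOR against a fixed key. Both
configs below are constructed for this example.
"""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"  # fixed IOS type-7 key
# A stanza ends at '!' or at the next top-level keyword, not by indentation,
# so the flattened (unindented) copies posted in this thread parse too.
STANZA = re.compile(r"^(interface|line|ip dhcp pool|router|control-plane)\b")
TYPE7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)$")


def decode_type7(enc: str) -> str:
    """'password 7': two decimal digits of key offset, then hex bytes XORed with the key."""
    offset, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def parse_config(text: str):
    """Return (global_lines, [(stanza_header, child_lines), ...])."""
    global_lines, stanzas, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif STANZA.match(line):
            current = (line, [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(line)
        else:
            global_lines.append(line)
    return global_lines, stanzas


def audit(text: str) -> list:
    """Return (rule, detail) findings; an empty list means every rule passed."""
    global_lines, stanzas = parse_config(text)
    findings = []
    if "ip http server" in global_lines:
        findings.append(("http-server", "ip http server"))
    for header, body in stanzas:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if any(l.startswith("ip nat ") for l in body) and "shutdown" in body:
                findings.append(("nat-on-shutdown", name))
        elif header.startswith("line vty"):
            if not any(l == "login" or l.startswith("login ") for l in body):
                findings.append(("vty-no-login", header))
            if "transport input all" in body and not any(l.startswith("access-class ") for l in body):
                findings.append(("vty-open-transport", header))
        for l in body:
            if m := TYPE7_LINE.search(l):
                findings.append(("type7-password", f"{header}: {decode_type7(m.group(1))}"))
    for l in global_lines:
        if m := TYPE7_LINE.search(l):
            findings.append(("type7-password", f"global: {decode_type7(m.group(1))}"))
    return findings


WEAK_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 shutdown
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 shutdown
!
ip http server
!
line vty 0 4
 password 7 044C03071B245A4B1B
 login
 transport input all
"""

HARDENED_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
!
no ip http server
ip http secure-server
access-list 10 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    print(*audit(WEAK_CONFIG), sep="\n")
```

Run against the weak config it reports both Ethernet interfaces, the HTTP server, the open vty transport and the vty password in clear; against the hardened one it reports nothing. Type 7 is obfuscation, not encryption: `service password-encryption` only hides passwords from shoulder-surfing, and anything protected that way should be treated as public once the config has been posted.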
 

Thanks. I'll give these a try. I had this router working in the same kind of environment a little over a year ago, but don't have a copy of that running config. When I get this one working, I'll back it up along with the IOS and copy it into another 831 to use as a cold spare.

Right after I posted the last message I was told that I won't get another shot at the router until Friday.

I got the email and started looking at it. I think just getting the 831 working using its basic firewall will be a big step up in security from the 3Com DLS/Cable OfficeConnect it will be replacing (not to mention reliability).
 
If you want to really see all your CBAC firewall options, then you can

ip inspect ?

and also

ip inspect myfw ?

Burt
 
When using those options, isn't there a risk of hammering the router CPU to the extent that it will kill throughput on an 831?
 
If you use all of them on an 831, perhaps. I have all of them enabled on my 2620 at work, which has Advanced Security 12.3, which has not even hiccuped, and I will enable them all on my 2620XM at home, which has Advanced Enterprise 12.4(10) on it. I can load SDM and look at CPU usage that way, or I can do sh stacks, sh blocks, sh cpu blablabla...I will let you know in a day or two.

Burt
 
Hello Burt
Can you confirm that the ip inspect myfw rule should be on the E0 interface in the inbound direction instead of the WAN interface like the below:

interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip inspect myfw in
no cdp enable
hold-queue 32 in

Regards
 
Yes, you're right, Minue--I saw that and forgot to mention that. Thanks!

Burt
 
I have about 1/3 of the options enabled at home, and CPU is at 1%.

Burt
 
Our 831 would spike higher than that during normal use. But we never experienced any notable slowdown. Often, we would exceed Cisco's published max performance, getting close to and sometimes a little above 5 Mb/s.

Bill
 