Newbie Questions 851W 1


BJZeak (Programmer, CA), May 3, 2008
Been spoiled by using Consumer grade routers for nearly a decade now and thought it was time to wade into a Cisco Product with ample warnings from my supplier that these products aren't simple to configure. Point taken but hopefully with a little more insight from this forum maybe I can work past these issues?

Dynamic WAN ... Static P2P LAN ... Static WLAN (HIDDEN SSID, WPA PSK, MAC FILTERED) ... NO DMZ ... NO DHCP ... one Router ... 2 switches ... 1 Static Access Point

Using SDM express and SDM Configuration software I was able to get a simple WAN and LAN connection. However after presumably enabling the Firewall and NAT the grc.com security tools shows most of the LAN ports are wide open and the WAN is replying to pings??? I see there is a Commandline FAQ that addresses the Ports but is there a SDM solution?

Would it be correct to assume that these products are not configured with any default set of rules for NAT and Firewall? ie That all ports must be blocked by user defined rules? If so is there somewhere I can download the most common set of internet rules for this Router?

After some trial and error I was able to configure a WPA link with help from Cisco's online documentation ... this link shows up on my Laptop as an encrypted link but it won't connect so not sure if its because I am not using Cisco's Laptop Network Config Software to reconfigure my Intel/ProSet card

or

Is there some documentation that explains the concept of having a VLAN attached to the WLAN? Why are they using a TKIP-WEP-128 setting for a WPA configuration? ... the documentation also specified using an IP of 10.1.6.1/16 for the ROUTER VLAN ip address ... the SDM software doesn't appear to accept any combination of IP/Mask in the VLAN setting ... I finally used a Bridge VLAN to configure the WLAN because SDM kept giving me an IP and Mask error for a ROUTER VLAN. Perhaps the bridge configuration is why the WLAN is not connecting?

I was able to set up a serial Console and attempted to do a:
show running-config ... this fails ... a show ? reveals that running-config is not in the list of available subcommands?

I noticed that the majority of postings here provide a listing of the router configs ... is show running-config used to make these if so how do I access this command?

The SDM install process inferred I could install SDM on the Router but the FLASH space only has 2M free space out of 11M basically stating there was not enough room on the flash disk ... from the File menu in SDM there appears to be a number of "unix" tar files on the disk ... how does one know what files are required?

Thank-you in advance for any help

 
I only read the bottom part of this thread---you can install SDM on the computer that connects to the router instead of installing it on the router. It works the same way.

Burt
 
Ok slowly knocking down some of this:

1) the Firewall is NOT enabled ... need to find out why

2) the show running-config command wasn't showing up because I must have to login through the serial port? Telnet worked fine

3) the Flash disk size is 20M and only has 1 M free ... still not sure if some of the files can be removed ... would rather manage this from the router (ie install SDM on the router) instead of having to dedicate a pc
 
telnet in. then, there may be a password...

router>en

There may be another password

router#sh ver

Post this. Also,

router#sh flash

router#sh run

Burt
 
IOS ver 12.4(15)T5
ROM 12.3(8r)Y14
SDM 2.5

Flash is 20M

12.6M C850-advsecurityk9-mz.124-15.T5.bin
3K sdmconfig-8xx.cfg
930K es.tar
1.5M common.tar
1K home.shtml
110K home.tar
2.2M wlanui.tar

The sh run is huge

What I did today is reset the router to factory default and went through the Express Setup again ... this sets:

BVI1 LAN ip 192.168.210.1
Dot11Radio0 WLAN no ip
FastEthernet0 LAN Port 0 no ip
FastEthernet1 LAN Port 1 no ip
FastEthernet2 LAN Port 2 no ip
FastEthernet3 LAN Port 3 no ip
FastEthernet4 WAN Client DHCP
Vlan1 no ip

Problem 1)
Switched to SDM and attempted to add NAT entries:
SMC provides a port forwarding feature such that we can do:
INBOUND any source IP Port X (from WAN) can be forwarded TCP, UDP or BOTH (to LAN) IP N Port Y

Under SDM NAT Translation it would appear there is a similar feature but it is not working the way I expect ... as this is a Dynamic WAN I would assume that the NAT is expecting to require a Dynamic Rule? Problem is there is no port option in Dynamic ... Static requires a source IP which is not possible from external Internet Source IP address

Problem 2)
I started the WLAN configuration software and went around in circles again attempting to create a VLAN routing entry ... I have several conceptual issues :

1) What is the difference/significance of defining a Bridge VLAN vs a Routing VLAN?

2) Reading between the lines of the online documentation/help led me to believe the RADIO connection somehow requires an IP address ... the only way I can envision this happening is via a VLAN link ... I haven't been able to find a way in the SDM to add an IP to this directly to this interface without using a VLAN ... I attempted to create a VLAN-Template but noticed this is not recognized by the WLAN setup

Problem 3)
SDM 2.5 Basic/Advanced Firewall settings for High/Med/Low appear to have the list of Basic Firewall rules ... the problem is when I attempt to "deliver" the Router Config there is an error occurring which halts and aborts the Firewall process and it never starts up.

class-map type inspect imap match-any sdm-app-imap

error detected at this command Click Ok



************************************************
I know XP has different ways to configure things and sometimes not all the GUI Wizards reach all the features ... is it possible that Cisco is in the same boat ie some features need to be configured using the CLI?



 
If you are trying to "port forward" traffic from the internet, use source IP 0.0.0.0 mask 0.0.0.0

The folks here will be able to help you much better if we can see the configuration (show run).

MCSE CCNA CCDA
 
OK here is the listing after take 3 (from Default Config)
... left most of the defaults in place this time

issues still unresolved

1) Firewall is still off due to ERROR from SDM's Deliver process of the 250+ predefined commands for HIGH Security ... the error message is still as per my previous post.

2) WLAN still will not connect with WPA (suspect the VLAN configuration may be the problem here as it will not accept an IP address in the SSID setup ... trying 10.10.10.1 and 255.255.255.0 or any combination of 10.10.10.x and I receive an error message asking me to change my MASK and or IP address)

The WLAN example online infers using the VLAN1 IP address although the mask is only 16 bits instead of 24 (now that I understand the notation of 10.10.10.1/16 being <ip>/<mask>) but this doesn't work for me either

3) Added a NAT setting from the Express SDM but it was for inside to outside (express doesn't appear to offer the other option) ... I deleted this entry and added an outside to Inside rule with 0.0.0.0 on WAN for port 5632 to 10.10.10.100 on LAN for port 5632 TCP using the SDM ... don't understand why I can't see this NAT setting in the running config?



!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$JjB3$MYT62VKQWETci03KsvLnD0
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1661961524
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1661961524
revocation-check none
rsakeypair TP-self-signed-1661961524
!
!
crypto pki certificate chain TP-self-signed-1661961524
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363631 39363135 3234301E 170D3038 30353233 31383131
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36363139
36313532 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A0CA A0CC9BE3 BB1CF259 79735B8D 2E6F4F5A 3A8E8E98 ED12DA41 8A0DB456
190209BC 42AE865A 1CA3E560 6B88C242 7B427DD5 8185838E C764DD86 275329FF
D419C1BD FD5E532E 70C7E09F E8C5BD27 315AAFEF F4F9BF86 C023B1CE EF5CE7E6
9186BD63 45306CB0 073F97D9 162210C7 9306EA41 6F312D59 208AACF1 CC4B94D5
C67F0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 1482AF7F 0E4E9F42 3465F2DA 6784A146 CD254592
47301D06 03551D0E 04160414 82AF7F0E 4E9F4234 65F2DA67 84A146CD 25459247
300D0609 2A864886 F70D0101 04050003 81810033 C7E233AE CAE52CFC 1C5B8C6E
EF16D2DC BAC0CB44 B78E0A53 1FDB0FB5 F6F0C9AB 1BCE6614 042B1737 4B426E37
53D370FC 4C0CB797 52DA2C10 46C9721F C576C3C8 08354EC9 49E84E27 0469A59C
0C64C2A1 AA9D6996 FD647647 56EEC3DA F4D1E359 38DADBCC E82872B4 2EE33754
4C0B271D C152AF66 CE642650 910E4493 7E910E
quit
dot11 syslog
!
dot11 ssid RSL
authentication open
wpa-psk ascii 7 09191D5D4D17181904
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
!
!
username rsl privilege 15 secret 5 $1$trfP$OSAr57OrTwNHR1YaLuf4A1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip wep128
!
ssid RSL
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 10.10.10.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.10.10.100
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
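The running config above is long, and the questions earlier in the thread (is a firewall actually on, why does WPA not associate, where did the port-forward go) can all be answered by reading it. The following is an added example, not Cisco's tooling or anything from the thread: a small Python audit that parses an excerpt of the posted config (constructed by trimming the post to its security-relevant lines) and reports what a reviewer would flag. The `authentication key-management wpa` check reflects the IOS SSID syntax as I know it and is an assumption about the full config, since the excerpt may not be complete.

```python
"""Audit checks over a Cisco IOS running-config excerpt (added example)."""
import ipaddress
import re

# Constructed excerpt of the posted 'show run', trimmed to the lines the checks need.
RUNNING_CONFIG = """\
dot11 ssid RSL
 authentication open
 wpa-psk ascii 7 09191D5D4D17181904
!
ip dhcp pool sdm-pool
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
!
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 ssid RSL
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip http server
ip http access-class 23
ip http secure-server
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
line vty 0 4
 transport input telnet ssh
"""


def parse_blocks(text):
    """Group config lines into (header, [child lines]) blocks. IOS indents
    children with one space and separates blocks with '!' lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def find(blocks, prefix):
    return [(h, c) for h, c in blocks if h.startswith(prefix)]


def dhcp_mask_mismatch(blocks):
    """Compare each DHCP pool's mask with the mask of the interface that owns the
    pool's default-router address; clients and gateway should agree on the subnet."""
    for _, children in find(blocks, "ip dhcp pool"):
        net = mask = gw = None
        for line in children:
            m = re.match(r"network (\S+) (\S+)$", line)
            if m:
                net, mask = m.groups()
            m = re.match(r"default-router (\S+)$", line)
            if m:
                gw = m.group(1)
        if not (net and gw):
            continue
        pool = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        for _, iface in find(blocks, "interface"):
            for line in iface:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m and m.group(1) == gw:
                    ifnet = ipaddress.ip_network(f"{gw}/{m.group(2)}", strict=False)
                    if ifnet.netmask != pool.netmask:
                        return f"dhcp pool {pool} mask differs from gateway interface {ifnet}"
    return None


def audit(text):
    """Return {finding-id: description} for the config text."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = {}
    # NAT alone is not a firewall: look for classic or zone-based inspection.
    if not any(h.startswith(("ip inspect", "zone-pair", "class-map type inspect")) for h in headers):
        findings["no-firewall-inspection"] = "NAT is configured but no IOS firewall inspection is applied"
    for h, children in find(blocks, "line vty"):
        for line in children:
            if line.startswith("transport input") and "telnet" in line.split():
                findings["vty-telnet"] = f"{h}: {line} (cleartext management; ssh-only is preferable)"
    for h, children in find(blocks, "interface Dot11Radio"):
        for line in children:
            if line.startswith("encryption mode ciphers") and "wep" in line:
                findings["wlan-wep-cipher"] = f"{h}: {line}"
    for h, children in find(blocks, "dot11 ssid"):
        has_psk = any(c.startswith("wpa-psk") for c in children)
        # Assumption: IOS needs 'authentication key-management wpa' for WPA to be offered.
        has_wpa = any(c.startswith("authentication key-management wpa") for c in children)
        if has_psk and not has_wpa:
            findings["wlan-no-wpa-keymgmt"] = f"{h}: wpa-psk set but no 'authentication key-management wpa'"
    mismatch = dhcp_mask_mismatch(blocks)
    if mismatch:
        findings["dhcp-mask-mismatch"] = mismatch
    if not any(h.startswith("ip nat inside source static") for h in headers):
        findings["no-static-port-forward"] = "no 'ip nat inside source static' entry, so no port forward is in effect"
    acl_ids = {h.split()[1] for h in headers if h.startswith("access-list")}
    for h in headers:
        m = re.match(r"ip http access-class (\d+)$", h)
        if m and m.group(1) not in acl_ids:
            findings["http-acl-undefined"] = f"{h}: access-list {m.group(1)} is not defined"
    if "ip http server" in headers:
        findings["http-plaintext"] = "ip http server: plain-HTTP management enabled alongside HTTPS"
    return findings


if __name__ == "__main__":
    for key, msg in audit(RUNNING_CONFIG).items():
        print(f"[{key}] {msg}")
```

Run against the excerpt it reports eight findings, two of which bear directly on the thread: the DHCP pool hands out a /29 (10.10.10.0 to .7) while BVI1 is a /24, so a client at 10.10.10.100 is outside the pool's subnet; and there is no `ip nat inside source static` line, which is why the SDM port-forward entry never appears in `show run`.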
 
BrixTreme,
I am having the same problem with my Cisco 851 router. When I try to implement any sort of firewall via SDM, I get the message:
class-map type inspect imap match-any sdm-app-imap

error detected at this command Click Ok

Have you had any luck finding a solution?

alex
 
No Sorry ... I ran out of time so had to finally pay for partner support in order to just get a basic configuration installed ... the person who did the configuration had the same problem with the SDM firewall configuration and had no solution without spending more of my $

Having always used grc.com to validate my network installations I am still uneasy with no Firewall configuration since the GRC tests fails my Cisco installation.

The response I received from this person was that GRC is going beyond standards ??? and that a firewall wasn't required ???

At the moment I don't know what to say to any of that other than I do have Soft firewalls installed on all the internal PC's so I will still be looking for a solution.

I was going to write an SDM 101 Faq surrounding the items that tripped me up with my configuration attempt but haven't had a moment to do that. Sort of a look at the SDM from the perspective of someone who only has dealt with SMC/Linksys/other consumer based router configurations.

From my brief experience with the Cisco SDM software, it seems that the CISCO certified community only appear to use SDM as a basic starting point then dive into the CLI to do everything else which might suggest it has limitations and or doesn't provide the configuration setting they require?
 
SDM goofs things up---I used it once to do a DDNS config, and had to jump into the cli to fix it. Other than that, I am all CLI...

Burt
 
OK, it seems that setting up the firewall via SDM is off the table. Being that the CLI is my only alternative, is there a good online resource that will introduce me to it?

Do I access it with the Windows HyperTerminal?

alex
 
SDM has a telnet feature which takes you directly to the router or if you use a command shell from XP/Vista use the DOS command telnet <router's ip> with your username and password (need to have a level 15 username to make any changes)

The CLI commands are listed under help from the CLI ... there are also plenty of online docs available from Cisco I downloaded a number of PDF's from their support site for the 851/800 series products ... I personally found it extremely difficult to get any answers to my questions from their pdf's ... perhaps just too much information to sift through coupled with my not using/understanding the "CISCO" technical terms.

Case in point: most Consumer routers have a Port Forwarding feature that allows WAN devices access to a specific/predetermined pc/device on the LAN ... such as PC Anywhere reaching across the net and reaching into the router to a specific PC ... we do this normally by assigning a unique Port on the router that will only be forwarded to a given Device/Pc on the LAN

From my perspective when I looked at the layout of the SDM NAT features it made sense to me that I would need a rule from Outside (WAN) to Inside (LAN): being that an outside device is looking for a Host device Inside on the LAN but I couldn't figure out what outside address to give the rule.

The answer I received on this thread was that I would set up an Outside to Inside Rule using a 0.0.0.0 outside address. Probably the correct answer but not the solution

2 problems with this: 1st the Router rejected this OI rule (although there were no error messages the NAT command failed to register the rule) ... 2nd as it turns out the Port Forwarding feature on this Cisco Product actually requires an Inside to Outside rule.

That's why when I get a moment I will attempt to set up a FAQ for stuff exactly like this.
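The point in the post above, that a consumer-style "port forward" is expressed on IOS as an Inside to Outside static translation even though the connection is started from outside, is easier to see with a model of the translation table. The following is an added example (not Cisco code and not from the thread): a Python class that behaves like a static `ip nat inside source static` entry, translating an inbound packet to the LAN host, translating the reply back, and dropping inbound traffic for ports with no entry. The addresses 203.0.113.5 (WAN) and 198.51.100.7 (remote client) are constructed documentation addresses; the interface and port numbers are the ones from the thread. The `ios_command` helper renders the IOS syntax as I know it.

```python
"""Model of a Cisco-style static port-forward NAT entry (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StaticPortForwardNat:
    """Static entries map (proto, inside-global port) <-> (inside-local ip, port).
    The entry is written from the inside host's point of view, but the table is
    consulted in both directions, which is what makes outside-initiated
    connections reach the LAN host."""

    def __init__(self, wan_ip, entries):
        self.wan_ip = wan_ip
        # entries: {(proto, wan_port): (inside_ip, inside_port)}
        self.in_to_out = dict(entries)
        self.out_to_in = {v + (k[0],): k[1] for k, v in entries.items()}

    def from_outside(self, pkt):
        """Inbound packet addressed to the WAN IP: rewrite destination to the
        inside host, or return None (dropped) when no static entry matches."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.in_to_out.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # no translation entry: NAT has nowhere to send it
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

    def from_inside(self, pkt):
        """Outbound packet from the inside host: rewrite source to the WAN IP
        and the inside-global port when a static entry covers it."""
        wan_port = self.out_to_in.get((pkt.src_ip, pkt.src_port, pkt.proto))
        if wan_port is None:
            return None  # would fall through to the dynamic overload rule
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)


def ios_command(wan_interface, proto, inside_ip, inside_port, wan_port):
    """Render the IOS line for this entry (syntax as I know it, not from the thread)."""
    return (f"ip nat inside source static {proto} {inside_ip} {inside_port} "
            f"interface {wan_interface} {wan_port}")


def port_forward_exchange(nat, client_ip, client_port, wan_port):
    """Simulate one outside-initiated request and the host's reply; returns the
    packets as seen on the LAN and on the WAN respectively."""
    request = Packet(client_ip, client_port, nat.wan_ip, wan_port)
    on_lan = nat.from_outside(request)
    if on_lan is None:
        return None, None
    reply = Packet(on_lan.dst_ip, on_lan.dst_port, on_lan.src_ip, on_lan.src_port)
    on_wan = nat.from_inside(reply)
    return on_lan, on_wan


if __name__ == "__main__":
    nat = StaticPortForwardNat("203.0.113.5", {("tcp", 5632): ("10.10.10.100", 5632)})
    print(ios_command("FastEthernet4", "tcp", "10.10.10.100", 5632, 5632))
    print(port_forward_exchange(nat, "198.51.100.7", 40000, 5632))
    print(port_forward_exchange(nat, "198.51.100.7", 40000, 22))
```

The mismatch in the post is visible in the model: the entry is keyed by the inside host and port (the Inside to Outside rule), and an Outside to Inside rule with source 0.0.0.0 has no inside host to key on, so the router has nothing to install.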
 
Bought a new Cisco 881 router (retail - sealed box) and it did not come with a software cd or a quick setup guide of any kind. I have setup Cisco routers before using SDM, but for some reason this new 881 doesn't even have an IP address. I don't have the experience to use the command line interface. Can any one help me get this thing into a basic config so I can get started?
 
Hello Everyone,

I bought 8 851W before realizing that Zone-Based Firewall is NOT supported on the 851, you need an 871 router to use the class-map command. Unfortunately no comparison chart easily makes this information available, but the 851 Q&A does specify it. Basically never buy a 851!!!

The Cisco 850 Series has only one feature-set option, which includes Stateful Inspection Firewall and IPsec features. Wireless capability is available across all feature sets of the wireless models in the Cisco 870 Series and 850 Series.

Q. Do the platforms support transparent Cisco IOS Firewall?
A. Yes. Transparent Cisco IOS Firewall is supported only on the Cisco 870 Series routers.
Q. Do the platforms support Zone Based Cisco IOS Firewall?
A. Zone-Based Cisco IOS Firewall is supported only on the Cisco 870 Series routers.

Hope this spares someone my frustration...
fafo
 