Newbie with 871 ethernet router

Status
Not open for further replies.

rymco

IS-IT--Management
Jan 22, 2008
5
CA
I've had this router since October 2007 and was unsuccessful configuring it then and I'm back to it now. The modem supplied by the ISP is configured in bridge mode so I'm supplying the pppoe authentication from the router. My desired setup is Fe0-Fe1:Internal LAN, Fe2:Guest internet access (to Wireless AP), Fe3:Future DMZ and Fe4:WAN interface. We have a static IP address to publish various MS Small Business Server (SBS) services.
With the running-config below, I get the PPP light on the unit to light up (authentication successful?) and I'm able to ping our public IP but I can't get to the internet (DNS?). I've read and tried various posts and sample configs but no luck yet. There is still some SDM stuff in there but I'm basically using CLI to config it. Can someone please help me get this working?

Also, I'm not sure whether it's just Vista but I'm not picking up an IP address from the DHCP server. If I restart Vista, it will pick one up but not if I just plug in the cable. Currently using manually configured IP...

Are there logs that will help me figure out what's wrong? If so, how do I view them?

Code:
!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 <snip>password</snip>
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
! 
!
!
<snip>crypto</snip>
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1 
!
ip dhcp pool pool2
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
!
!
ip port-map user-RWW port tcp 4125 description Remote Web Workplace
ip port-map user-RMS port tcp 5270 description Rights Management Services
ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
no ip bootp server
no ip domain lookup
ip domain name <snip>mydomain.local</snip>
ip name-server <snip>ISP DNS1</snip>
ip name-server <snip>ISP DNS2</snip>
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
username <snip>username</snip> privilege 15 secret 5 <snip>password</snip>
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sbs-traffic
 match protocol smtp
 match protocol https
 match protocol user-RWW
 match protocol user-RDP
 match protocol user-RMS
class-map type inspect match-any guest-traffic
 description Guest Traffic
 match protocol tcp
 match protocol udp
class-map type inspect match-any icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sbs-services
 description SBS Services
 match access-group name SBS
 match class-map sbs-traffic
class-map type inspect match-any internet-traffic
 description Basic Internet Traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ftp
!
!
policy-map type inspect internet-self-policy
 class class-default
policy-map type inspect self-internet-policy
 class type inspect icmp-access
  inspect
 class class-default
  pass
policy-map type inspect guest-internet-policy
 class type inspect internet-traffic
  inspect
 class class-default
policy-map type inspect private-internet-policy
 class type inspect internet-traffic
  inspect
 class class-default
policy-map type inspect internet-private-policy
 class type inspect sbs-services
  inspect
 class class-default
!
zone security private
zone security guest
zone security internet
zone security dmz
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security guest-internet source guest destination internet
 service-policy type inspect guest-internet-policy
zone-pair security internet-self source internet destination self
 service-policy type inspect internet-self-policy
zone-pair security self-internet source self destination internet
 service-policy type inspect self-internet-policy
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description Internal Port
!
interface FastEthernet1
 description Internal Port
!
interface FastEthernet2
 description Guest Port
 switchport access vlan 2
!
interface FastEthernet3
 description DMZ Port
 switchport access vlan 3
 shutdown
!
interface FastEthernet4
 description ISP aDSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 no ip address
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description Private Network$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Guest Network$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security guest
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan3
 description DMZ Network
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <snip>username</snip>
 ppp chap password 7 <snip>password</snip>
 ppp pap sent-username <snip>username</snip> password 7 <snip>password</snip>
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.0.2 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.0.2 5720 interface FastEthernet4 5720
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended SBS
 remark SBS Server
 remark SDM_ACL Category=128
 permit ip any host 192.168.0.2
!
logging trap debugging
access-list 1 remark NAT ACL
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Internal Network
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark Guest Network
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark DMZ Network
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CCC
You have entered $(hostname).$(domain).
Access is for authorized users only. Disconnect IMMEDIATELY if you are not
an authorized user! Please enter your username and password.^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

!
webvpn cef
end
 
On your Vista machines, what happens when you type in, say 21.28.251.206 onto the browser? Do you get an internet connection?
As you mentioned that you can ping the public IP, but intermittently your devices do not receive IPs from your router.

Also, have you tried running a debug to see where exactly the DHCP may be failing?

I believe the command is:

debug ip dhcp server
 
I updated the NIC driver on my Vista machine and it's picking up an IP address now... faulty driver I guess.

I added "dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx" to my DHCP pools and it seems to be working now.

I also had to change my "ip nat inside source" entries from FastEthernet4 to Dialer1 to expose the SBS services but I have to change my policy to actually allow the SBS server to respond to requests. At this point, I know the ports are open but I can't send email out or get to my https server.
 
What error messages do you get, to prove that you can't send mails out?

What IP is your https Server on?
 
I know emails aren't getting out because I see them in the Exchange queue. The only additional message I see is (from memory), "could not bind to DSN host" which I would interpret as my SMTP server couldn't get past the firewall.

It's a Small Business Server so all the internet based services are hanging on that machine at 192.168.0.2
 
interface FastEthernet1
description Internal Port

to this, add...
switchport access vlan 1

This may be screwing you up...
class-map type inspect match-any internet-traffic
description Basic Internet Traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
so, to test...

int vlan1
no zone-member security private
Then try the exchange server to get past the firewall...

Can you get out to the internet from anything, especially the Vista box and 192.168.0.2? Also, why is this exchange server (assuming it is running on the SBS box at this IP) NOT in the DMZ, but rather in the private LAN interface???

One more thing, which it looks like you have changed...all of these:
ip nat inside source static tcp 192.168.0.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.0.2 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.0.2 5720 interface FastEthernet4 5720
need to be bound to int di1, not fa4...
Can you telnet to port 25 from the outside? I see you have a static PAT translation for RDC (3389)...can you RDC to the SBS server from the outside?

Burt
 
Thanks Burt...

I added "switchport access vlan 1" to Fe0 and Fe1 but it doesn't show up in the running-config making me think it's a default.

If I remove the private zone from vlan 1, I can't go anywhere. As soon as I add "zone-member security private" back in... I get the internet again.

All static NAT entries now go to the Dialer1 interface. OK there. I'll try to telnet and RDC today...

The SBS server provides almost all of our network services on the internal LAN (File, Print, Sharepoint, Exchange). Probably not the optimal configuration to have it publishing internet services as well but we don't have the budget for another server to put in the DMZ to host a front-end Exchange and http server. I'm open to any further suggestions on this...??

I created another policy to allow the SBS send smtp traffic to the internet which seemed to work but the https traffic didn't work. I'll fiddle with it some more...

Thanks
-Scott
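As an added example (not from the thread, and not Cisco's or the poster's code), here is a short Python script that reads an IOS running-config excerpt and checks for two of the things Burt's reply and the follow-up turned on: static NAT entries bound to an interface that carries no IP address (FastEthernet4, which has `no ip address`, instead of Dialer1, whose address is negotiated), and which protocols a zone-pair's inspect policy actually lets through. In zone-based firewall policies a class with no action drops its traffic, and so does `class class-default` unless it says `pass`, which is why a `private -> internet` policy whose only inspected class lists http/https/dns/icmp/ftp drops SMTP from the SBS host. SAMPLE_CONFIG is a constructed, trimmed-down config modelled on the posted one, not the poster's file; the parser is deliberately simplified (it assumes a zone-pair's first sub-line is its service-policy, and it treats a match-all class as the union of the protocols in its nested class-maps, ignoring the access-group condition), and the function names are my own.

```python
import re

# Constructed sample, modelled on the config posted above (not the poster's file).
SAMPLE_CONFIG = """\
class-map type inspect match-any sbs-traffic
 match protocol smtp
 match protocol https
class-map type inspect match-all sbs-services
 match access-group name SBS
 match class-map sbs-traffic
class-map type inspect match-any internet-traffic
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect private-internet-policy
 class type inspect internet-traffic
  inspect
 class class-default
policy-map type inspect internet-private-policy
 class type inspect sbs-services
  inspect
 class class-default
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
interface FastEthernet4
 no ip address
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
interface Dialer1
 ip address negotiated
ip nat inside source static tcp 192.168.0.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside source list 1 interface Dialer1 overload
"""


def parse_blocks(text):
    """Map each top-level IOS line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def interfaces_with_address(blocks):
    """Names of interfaces that carry an IP address (static or negotiated)."""
    addressed = set()
    for header, body in blocks.items():
        if header.startswith("interface ") and any(l.startswith("ip address ") for l in body):
            addressed.add(header.split(None, 1)[1])
    return addressed


def nat_bound_to_unaddressed(blocks):
    """Static NAT entries bound to an interface with no IP address (the Fa4-vs-Dialer1 mistake)."""
    addressed = interfaces_with_address(blocks)
    hits = {m[1] for line in blocks
            if (m := re.match(r"ip nat inside source static .* interface (\S+) \d+$", line))
            and m[1] not in addressed}
    return sorted(hits)


def class_protocols(blocks, name):
    """Protocols matched by a class-map, following nested 'match class-map' lines."""
    protos = set()
    for header, body in blocks.items():
        if header.startswith("class-map type inspect") and header.endswith(" " + name):
            for line in body:
                if line.startswith("match protocol "):
                    protos.add(line.split()[2])
                elif line.startswith("match class-map "):
                    protos |= class_protocols(blocks, line.split()[2])
    return protos


def protocols_allowed(blocks, src, dst):
    """Protocols the src->dst zone-pair policy inspects or passes.
    A class with no action, and class-default without 'pass', drops its traffic."""
    allowed, pair = set(), rf"zone-pair security \S+ source {src} destination {dst}"
    for header, body in blocks.items():
        if not re.fullmatch(pair, header):
            continue
        policy = body[0].split()[-1]  # assumes 'service-policy type inspect <name>' comes first
        current = None
        for line in blocks.get(f"policy-map type inspect {policy}", []):
            if line.startswith("class type inspect "):
                current = line.split()[3]
            elif line.startswith("class class-default"):
                current = None
            elif line in ("inspect", "pass") and current:
                allowed |= class_protocols(blocks, current)
    return allowed


if __name__ == "__main__":
    cfg = parse_blocks(SAMPLE_CONFIG)
    print("static NAT bound to an interface with no address:", nat_bound_to_unaddressed(cfg))
    for src, dst in (("private", "internet"), ("internet", "private")):
        print(f"{src} -> {dst} inspected/passed:", sorted(protocols_allowed(cfg, src, dst)))
```

Pasting the full posted config in place of SAMPLE_CONFIG gives the same two findings the thread reached by hand: the static translations on FastEthernet4 are flagged, and the `private -> internet` set contains no `smtp`, which matches the mail sitting in the Exchange queue until a policy that inspects SMTP from the SBS host is added.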
 