Unable to get external access with SDM and cisco 870

Status
Not open for further replies.

ianmurdoch

IS-IT--Management
Jan 7, 2008
4
LU
Please help. I am using SDM to configure a Cisco 870 ADSL over ISDN router. SDM is version 2.3.4.
The setup is simple - router connected to ADSL line, with PCs connected via a switch to the router. Router to handle DNS and DHCP.

However I cannot get any PC on the network to access the outside network. I am obviously overlooking something or doing something silly. Please advise what is wrong with the config below.
Fixed IP 111.222.333.444
DNS from ISP 555.666.777.888


Building configuration...

Current configuration : 6785 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname frodo
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 $1$PN89$NRYAkYrE8evfMgonGQr1C0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 555.666.777.888
lease infinite
!
!
ip domain name domain.com
ip name-server 555.666.777.888
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-143601839
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-143601839
revocation-check none
rsakeypair TP-self-signed-143601839
!
!
crypto pki certificate chain TP-self-signed-143601839
certificate self-signed 01
quit
username frodoboy privilege 15 secret 5 $1$hdpl$.YgsaAyj0z4hjgz0ff7dC.
username ianmurdoch view root secret 5 $1$dusV$CmPxmey4LkokllzNOb9Dr0
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 111.222.333.444 255.255.255.0
ip access-group 101 in
ip mtu 1492
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname login
ppp chap password 0 passw
ppp pap sent-username login password 0 passw
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.1.1 111.222.333.444
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255 log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 111.222.333.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host 111.222.333.444
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 111.222.333.444 echo-reply
access-list 101 permit icmp any host 111.222.333.444 time-exceeded
access-list 101 permit icmp any host 111.222.333.444 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CCC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
 
Hello
Did SDM configure the router only, or did you add some commands manually? Normally SDM does a good job.
Try posting a "show ip int brief", and also see if the router can ping the Internet.
Another quick solution to solve the problem is to start with a simpler config.

Regards
 
Are you able to connect to your router via telnet...

If you can, I suggest you try pinging your name servers.
If that works, try ping
It should first resolve the name and then ping the IP Address.
 
Thanks Minue and Crocks for the replies. I have been out of the office and will look into these options you suggest.

FYI SDM did set up the config and I cannot get any internet resolution. I can ping the router but not any outside devices with either IP address or link like
I have started this with a very simple config but I still get no DNS resolution or internet response. Could I have a faulty router, or is there something I can do to load a simple config and test it?

Regards

Ian Murdoch
 
This is not a valid IP address...

ip name-server 555.666.777.888

Just kidding...
First off, do a show int di0...if it does not have an IP address yet, then it is likely a ppp negotiation problem. So...
router>en
router#debug ppp authen
router#debug ppp neg
router#conf t
router(config)#int di0
router(config-if)#shut
router(config-if)#no shut
router(config-if)#end
Watch the messages, and post them. If it IS up/up, has an IP address and bound to a virtual template, then it could be an acl issue.

router#sh access-list
Then find what number the acl 101 ends with. Let's say it is 120...then
router#conf t
router(config)#ip access-list extended 101
router(can't remember what's here)#130 permit ip any any

Try that. If not, then try removing the acl's one at a time (quickest) from the interfaces...
router(config)#int di0
router(config-if)#no ip access-group 101 in

Try these and post back.

Burt
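
Added example (not part of the original thread): a small first-match evaluator for the ACL 101 entries posted above, showing which entry decides inbound packets on Dialer0 and that an entry placed after `deny ip any any log` is never reached. The WAN address and the sample packets are constructed, and the parser covers only the entry forms that appear in ACL 101.

```python
import ipaddress

# Constructed stand-in: the thread's 111.222.333.444 is a redacted placeholder
# and not a valid IPv4 address, so an RFC 5737 documentation address is used.
WAN = "203.0.113.44"
ACL_101 = [e.replace("WAN", WAN) for e in (
    "permit udp any eq domain host WAN", "deny ip 192.168.1.0 0.0.0.255 any",
    "permit icmp any host WAN echo-reply", "permit icmp any host WAN time-exceeded",
    "permit icmp any host WAN unreachable", "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any", "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any", "deny ip host 255.255.255.255 any",
    "deny ip host 0.0.0.0 any", "deny ip any any log")]
PORTS = {"domain": 53}  # the only named port this ACL uses

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse(entry):
    action, proto, *tok = entry.split()
    src, tok = _addr(tok)
    sport = None
    if tok and tok[0] == "eq":  # source-port qualifier
        sport, tok = PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    dst, tok = _addr(tok)
    icmp = next((t for t in tok if t != "log"), None)  # ICMP type name, if any
    return action, proto, src, sport, dst, icmp

def _hit(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def first_match(acl, pkt):
    """Return (entry number, action) of the first matching entry, top down."""
    for n, entry in enumerate(acl, 1):
        action, proto, src, sport, dst, icmp = parse(entry)
        if (proto in ("ip", pkt["proto"]) and _hit(src, pkt["src"])
                and _hit(dst, pkt["dst"]) and sport in (None, pkt.get("sport"))
                and icmp in (None, pkt.get("icmp"))):
            return n, action
    return None, "deny"  # implicit deny at the end of every ACL

# Constructed inbound packets arriving on Dialer0 (outside), before NAT.
dns_reply = {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": WAN}
web_reply = {"proto": "tcp", "src": "198.51.100.80", "sport": 80, "dst": WAN}
appended = ACL_101 + ["permit ip any any"]                    # lands after the deny
inserted = ACL_101[:-1] + ["permit ip any any", ACL_101[-1]]  # lands before it
```

In the static list a reply to an outbound TCP session is decided by entry 12; with `ip inspect SDM_LOW out` on Dialer0, such replies are admitted through the temporary openings that inspection adds ahead of the list.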
 