Cal Vanize
I suggest you post this information and request on the Cisco Router Forum on

www.tek-tips.com

There are a lot of experts there that may help you with a set-up script or to help debug the current set-up.

RymCo wrote:
> I've tried to configure my Cisco 871 and I'm either missing something
> or blocking something. I first setup the router using the SDM wizards
> and didn't get the internet. Then, after saving that config, I wiped
> out all the wizard zones, policy-maps, class-maps, etc. and tried
> building my own config, as a learning process, and still can't get the
> internet. I'm able to negotiate the expected static IP address on the
> Dialer0 interface but fail ping attempts when I use the "Test
> Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
> and supply the PPPoE authentication via the router (PPP light on the
> router lights up so I think this is OK)
>
> I'm currently just trying to get the private-internet zone pair to
> work...
> My current config: (I copied the "self" policy maps from the wizard
> config)
>
> !-----------------------------------------------------------------------------
> !version 12.4
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname router
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200
> logging console critical
> enable secret 5 $1$HGmN$Y5uqYVVIQ1kwoYN7U/ma70
> !
> no aaa new-model
> clock timezone EST -5
> clock summer-time EDT recurring
> !
> !
> !
> crypto pki trustpoint TP-self-signed-1683258465
> enrollment selfsigned
> subject-name cn=IOS-Self-Signed-Certificate-1683258465
> revocation-check none
> rsakeypair TP-self-signed-1683258465
> !
> !
> crypto pki certificate chain TP-self-signed-1683258465
> certificate self-signed 01
> <removed>
> quit
> no ip source-route
> ip cef
> no ip dhcp use vrf connected
> ip dhcp excluded-address 192.168.0.1 192.168.0.10
> !
> ip dhcp pool pool1
> import all
> network 192.168.0.0 255.255.255.0
> dns-server 199.166.6.2 216.183.129.9
> default-router 192.168.0.1
> !
> !
> ip port-map user-RWW port tcp 4125 description Remote Web Workplace
> ip port-map user-RMS port tcp 5270 description Rights Management
> Services
> ip port-map user-RDP port tcp 3389 description Remote Desktop
> Protocol
> no ip bootp server
> ip domain name mydomain.local
> ip name-server 199.166.6.2
> ip name-server 216.183.129.9
> !
> !
> !
> username ciscoadmin privilege 15 secret 5 <removed>
> archive
> log config
> hidekeys
> !
> !
> ip tcp synwait-time 10
> ip ssh time-out 60
> ip ssh authentication-retries 2
> !
> class-map type inspect match-any sbs-traffic
> match protocol smtp
> match protocol https
> match protocol user-RWW
> match protocol user-RDP
> match protocol user-RMS
> class-map type inspect match-any icmp-access
> match protocol icmp
> match protocol tcp
> match protocol udp
> class-map type inspect match-all sbs-services
> description SBS Services
> match access-group name SBS
> match class-map sbs-traffic
> class-map type inspect match-any internet-traffic
> description Basic Internet Traffic
> match protocol http
> match protocol https
> match protocol dns
> match protocol icmp
> !
> !
> policy-map type inspect internet-self-policy
> class class-default
> policy-map type inspect self-internet-policy
> class type inspect icmp-access
> inspect
> class class-default
> pass
> policy-map type inspect guest-internet-policy
> class type inspect internet-traffic
> inspect
> class class-default
> policy-map type inspect private-internet-policy
> class type inspect internet-traffic
> inspect
> class class-default
> policy-map type inspect internet-private-policy
> class type inspect sbs-services
> inspect
> class class-default
> !
> zone security private
> zone security guest
> zone security internet
> zone security dmz
> zone-pair security internet-private source internet destination
> private
> service-policy type inspect internet-private-policy
> zone-pair security private-internet source private destination
> internet
> service-policy type inspect private-internet-policy
> zone-pair security guest-internet source guest destination internet
> service-policy type inspect guest-internet-policy
> zone-pair security internet-self source internet destination self
> service-policy type inspect internet-self-policy
> zone-pair security self-internet source self destination internet
> service-policy type inspect self-internet-policy
> !
> !
> !
> interface Null0
> no ip unreachables
> !
> interface FastEthernet0
> description Internal Port
> !
> interface FastEthernet1
> description Internal Port
> !
> interface FastEthernet2
> description Guest Port
> switchport access vlan 2
> !
> interface FastEthernet3
> description DMZ Port
> switchport access vlan 3
> shutdown
> !
> interface FastEthernet4
> description Execulink aDSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip virtual-reassembly
> zone-member security internet
> ip route-cache flow
> duplex auto
> speed auto
> pppoe enable group global
> pppoe-client dial-pool-number 1
> !
> interface Vlan1
> description Private Network$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-
> INFO-HWIC 4ESW$
> ip address 192.168.0.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> zone-member security private
> ip route-cache flow
> ip tcp adjust-mss 1412
> !
> interface Vlan2
> description Guest Network$FW_INSIDE$
> ip address 192.168.1.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> zone-member security guest
> ip route-cache flow
> !
> interface Vlan3
> description DMZ Network
> ip address 192.168.2.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> zone-member security dmz
> ip route-cache flow
> !
> interface Dialer0
> description $FW_OUTSIDE$
> ip address negotiated
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip mtu 1452
> ip nat outside
> ip virtual-reassembly
> zone-member security internet
> encapsulation ppp
> ip route-cache flow
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication pap callin
> ppp pap sent-username <removed> password 7 <removed>
> !
> ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
> !
> ip http server
> ip http access-class 3
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
> ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
> ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0
> 1723
> ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0
> 3389
> ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0
> 4125
> ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0
> 5720
> ip nat inside source list 1 interface FastEthernet4 overload
> !
> ip access-list extended SBS
> remark SBS Server
> remark SDM_ACL Category=128
> permit ip any host 192.168.0.2
> !
> logging trap debugging
> access-list 1 remark NAT ACL
> access-list 1 remark SDM_ACL Category=2
> access-list 1 remark Internal Network
> access-list 1 permit 192.168.0.0 0.0.0.255
> access-list 1 remark Guest Network
> access-list 1 permit 192.168.1.0 0.0.0.255
> access-list 1 remark DMZ Network
> access-list 1 permit 129.168.3.0 0.0.0.255
> access-list 2 remark HTTP ACL
> access-list 2 remark SDM_ACL Category=1
> access-list 2 permit 192.168.0.0 0.0.0.255
> access-list 2 deny any
> dialer-list 1 protocol ip permit
> no cdp run
> !
> !
> !
> control-plane
> !
> banner login ^CC
> You have entered $(hostname).$(domain).
> Access is for authorized users only. Disconnect IMMEDIATELY if you are
> not
> an authorized user! Please enter your username and password.^C
> !
> line con 0
> login local
> no modem enable
> transport output telnet
> line aux 0
> login local
> transport output telnet
> line vty 0 4
> access-class 2 in
> privilege level 15
> login local
> transport input telnet ssh
> !
> scheduler max-task-time 5000
> scheduler allocate 4000 1000
> scheduler interval 500
>
> !
> webvpn cef
> end
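An added example, not part of any post in this thread: a Python cross-reference check run over an excerpt of the configuration quoted above. It flags references that do not line up (an undefined access-list, a NAT overload interface without an address, a NAT ACL entry matching no interface subnet, a port-map port with no static NAT); the function names are illustrative, and the port-map check is a heuristic since not every port-map needs a forward.

```python
import ipaddress
import re

# Excerpt of the configuration quoted above: wrapped lines rejoined, block
# indentation restored, and only the lines these checks read are kept.
CONFIG = """\
ip port-map user-RWW port tcp 4125 description Remote Web Workplace
ip port-map user-RMS port tcp 5270 description Rights Management Services
ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
interface FastEthernet4
 no ip address
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
interface Dialer0
 ip address negotiated
ip http access-class 3
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.0.2 5720 interface Dialer0 5720
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 129.168.3.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
line vty 0 4
 access-class 2 in
"""


def parse(config):
    """Collect the objects that reference each other in an IOS config."""
    c = {"addr": {}, "acl": {}, "refs": [], "pat": [], "portmap": {}, "static": set()}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # an unindented line ends the interface block
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
            c["addr"][iface] = None  # stays None if the block sets no address
        elif iface and (m := re.match(r"ip address (\S+)(?: (\S+))?$", line)):
            # "a.b.c.d mask" becomes a network; "negotiated" is kept as text
            c["addr"][iface] = (
                ipaddress.ip_interface(f"{m[1]}/{m[2]}").network if m[2] else m[1])
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", line):
            nets = c["acl"].setdefault(m[1], [])
            if m[2] == "permit" and m[4]:  # address plus wildcard mask
                nets.append(ipaddress.ip_network(f"{m[3]}/{m[4]}"))
        elif m := re.match(r"(ip http access-class|access-class) (\d+)", line):
            c["refs"].append((m[1], m[2]))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            c["refs"].append(("ip nat inside source list", m[1]))
            c["pat"].append((m[1], m[2]))
        elif m := re.match(r"ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)", line):
            c["static"].add(m[1])  # outside (global) port of the forward
        elif m := re.match(r"ip port-map (\S+) port tcp (\d+)", line):
            c["portmap"][m[1]] = m[2]
    return c


def audit(config):
    """Return one finding per reference that does not line up."""
    c, out = parse(config), []
    for cmd, num in c["refs"]:
        if num not in c["acl"]:
            out.append(f"'{cmd} {num}': access-list {num} is not defined")
    subnets = [a for a in c["addr"].values() if isinstance(a, ipaddress.IPv4Network)]
    for num, iface in c["pat"]:
        if c["addr"].get(iface) is None:
            out.append(f"NAT overload uses {iface}, which has no IP address")
        for net in c["acl"].get(num, []):
            if not any(net.overlaps(s) for s in subnets):
                out.append(f"access-list {num} permits {net}, "
                           "which matches no interface subnet")
    for name, port in c["portmap"].items():
        if port not in c["static"]:
            out.append(f"port-map {name} is tcp {port}, but no static NAT forwards {port}")
    return out


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```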
RymCo
Thanks Cal... will do that. Wasn't sure where to go...
On Oct 10, 6:17 pm, Cal Vanize <dont.even.spam...@myspam.org> wrote:
> I suggest you post this information and request on the Cisco Router
> Forum on
>
> www.tek-tips.com
>
> There are a lot of experts there that may help you with a set-up script
> or to help debug the current set-up.
DarthOdor
RymCo wrote:
> I've tried to configure my Cisco 871 and I'm either missing something
> or blocking something. I first setup the router using the SDM wizards
> and didn't get the internet. Then, after saving that config, I wiped
> out all the wizard zones, policy-maps, class-maps, etc. and tried
> building my own config, as a learning process, and still can't get the
> internet. I'm able to negotiate the expected static IP address on the
> Dialer0 interface but fail ping attempts when I use the "Test
> Connection" in the SDM (DNS?). I have the DSL modem setup as a bridge
> and supply the PPPoE authentication via the router (PPP light on the
> router lights up so I think this is OK)
>
> I'm currently just trying to get the private-internet zone pair to
> work...

First off, your FastEthernet must be set to NAT inside. I see that you have it set to NAT Outside - that will never work. The fastethernet is the port that connects to your inside (home) network. Then make sure that you have Ethernet0 (or whatever you happen to call your DSL card) set to NAT outside. By the way, don't do the manual configuration, it can only lead to trouble. Make sure you read the error messages when you test each interface set up and you will find that the connection problem is related to the error message given when the interface test fails.

Finally, check your router's Configuration register by doing a, show version, from the enabled prompt#. The last line in the display will show you the configuration register. For example, I set my configuration register to be 0x0101 and it shows up in the "show version" command as "Configuration register is 0x101". If you are using another configuration register, be sure to look up what those numbers mean. In some cases, the configuration register prohibits an inside interface from connecting to an outside interface!

DatrhOdor
RymCo
On Oct 15, 12:34 am, DarthOdor <My...@cfl.rr.com> wrote:
> First off, your FastEthernet must be set to NAT inside. I see that you
> have it set to NAT Outside - that will never work. The fastethernet is
> the port that connects to your inside (home) network. Then make sure
> that you have Ethernet0 (or whatever you happen to call your DSL card)
> set to NAT outside. By the way, don't do the manual configuration, it
> can only lead to trouble. Make sure you read the error messages when
> you test each interface set up and you will find that the connection
> problem is related to the error message given when the interface test
> fails.
>
> Finally, check your router's Configuration register by doing a, show
> version, from the enabled prompt#. The last line in the display will
> show you the configuration register. For example, I set my
> configuration register to be 0x0101 and it shows up in the "show
> version" command as "Configuration register is 0x101". If you are using
> another configuration register, be sure to look up what those numbers
> mean. In some cases, the configuration register prohibits an inside
> interface from connecting to an outside interface!
>
> DatrhOdor

DarthOdor,

Thanks for the reply. I'm still having trouble with this... My Fe4 port IS my WAN port. Fe0-Fe3 are the internal ethernet ports. There isn't a DSL card in this model... I'm using the DSL modem (in bridge mode) my ISP supplied me which is why I bought the ethernet version of the router. I have taken this router all the way back to factory default without a firewall and still can't connect.

show version yields:
Configuration Register 0x2102

Thanks again for helping me out...
RymCo
DarthOdor,
Thanks for the reply. I'm still having this problem... My Fe4 port IS my WAN port. Fe0-Fe3 are the internal ports. There isn't a DSL card in this model. I'm using the DSL modem supplied to me by my ISP (in bridge mode). I have taken this all the way back to factory default without a firewall and still can't connect...

show version yields:
Configuration Register 0x2102

Thanks again for helping me out...