Cisco 857W Install Issue

Old 23 October 2006, 02:08 PM
  #1  
Markus

Morning/Afternoon,

Friend of mine just got a Cisco 857W router and is having an issue setting it up. They said that there is a web interface that needs to be used, but some wizard is launching and they run through the steps but at the very end it just stalls and does not save the information they had entered. They can't seem to bypass the wizard and just use the web interface.

They have tried it from Mac OS X 10.4.8 using both Safari and Firefox, and also Windows 98SE and Windows 2000 with IE 6 (they are going to try Firefox on the PC as well) and both platforms have the same issue.

Has anyone else experienced this, and if so, is there a workaround? (They are in the process of contacting Cisco support so hopefully they will have an answer.) Anyone know if/how to stop the wizard from running?
Old 24 October 2006, 08:42 AM
  #2  
mike1210

Do you mean the SDM? If so, download the latest version from

Software Download

Not sure if it will fit on the router itself, but try installing to the local machine and using it from there. Not the best answer I know, but that may be of help. 2 versions, the SDM and SDM Express; both are included with the SDM.

For interfacing command-line style

PuTTY Download Page

This is your friend. Another thing to try is to connect via SSH or telnet to the router.

Log in to the router.

Try the commands show flash or sh ru (for show running config).

I'm not a Cisco expert by any means, but this may give others a clearer picture of how it's set up.

Last edited by mike1210; 24 October 2006 at 08:49 AM.
Old 24 October 2006, 12:49 PM
  #3  
Markus

Does sound like it's probably the SDM. I'll get my friend to check the version of SDM he has and if it's not the latest we'll try the latest and see where that gets us.

Thanks
Old 24 October 2006, 12:54 PM
  #4  
mike1210

If he has a CCO account try to get the latest IOS for it also, this will help with the SDM. Proceed with caution if you go down this route (IOS upgrade) as doing this wrongly will brick the router.

The SDM is OK to get it running but can mangle configs; for best results, command line configuration is king. Does he know any Cisco demons?

On my 877W, mine used to hang when I had MAC to IP bindings in the config; for some reason that messed up the SDM Express.
Old 24 October 2006, 03:53 PM
  #5  
Markus

OK, he's got the router connected now, that's progress. The problem is now with the firewall. He has not used the wizard to configure the router, and he's using the web interface on the router to try and configure the firewall, but without much success.

He said "no concept of "sessions", i.e. it should always allow outgoing back for an allowed incoming - so I can allow port 80 into www, which will allow the incoming, but then I have to specifically allow the outgoing too so it can return data for that request - and I can't work out how I can do that without totally invalidating the point of a firewall"

He wants to avoid using the command line if at all possible to configure this stuff.

Basically, what we want to do is allow everyone to access our web server that is behind the firewall, plus specific ranges of IP addresses should be allowed unrestricted access to machines behind the firewall, for example, my static IP range should be allowed AFP (port 548) access to any machine behind the firewall.

Any ideas how you'd configure that type of thing from the web interface of the router?
Old 24 October 2006, 04:43 PM
  #6  
mike1210

Are you using the SDM 2.32 to set this up?

If you run through the firewall wizard, the firewall will act as a "default deny" against incoming traffic. Thing is though, NAT translations must be created and firewall ports must be opened to let in external connections.

Do you have one IP address or a block of IP addresses?

With 1 you can only open one of each port, if you catch my drift.

First thing to do would be the NAT translations; use the NAT tab on the SDM to make these. I assume there is currently a 192.168.1.0-192.168.1.254 to an external IP in the NAT entries.

Next thing would be on the additional tasks tab, DHCP pools. It may be an idea to bind private IP addresses to MAC addresses so the NAT rules will stay consistent, i.e. redirect port 80 TCP to 192.168.1.10, then bind the MAC address on your webserver to 192.168.1.10.

When you make NAT entries the SDM may say "do you want the SDM to alter firewall"; click no or it will totally allow all traffic.

Sorry, I will finish this post tomorrow, I've gotta shoot off home. I need to elaborate on the above also.

Last edited by mike1210; 24 October 2006 at 04:46 PM.
Old 24 October 2006, 05:21 PM
  #7  
Markus

OK, we are not using NAT as we have been assigned a range of static IP addresses. This is one of the reasons we've switched to a Cisco router, as we were using Linksys and Netgear routers, but they were biased towards the home user, and we found that for the firewall to work you needed to enable NAT, which we don't want to use.

I'm pretty sure he's not using SDM to set this up and he's using the web-based configuration thing (where you enter a 10.x.x.x address into a browser and connect to the router - I did read about this on Cisco's website and it's got an acronym such as CWRM).

He is making some progress, so he might have cracked it, but only time will tell.

Thanks for the info so far.
Old 25 October 2006, 09:35 AM
  #8  
mike1210

Ah right, got ya. Yeah, some home routers won't give you any firewall with public IP addresses; the Cisco can be fully stateful but it depends on the config. I think I know the config utility you mean but I've never used it to be honest. I've got to be honest here and say even though I have 8 IP addresses, I config them using static NAT (private address mapped to public IP address) so haven't really dabbled with full routing on me 877. The firewall though could be configured using the SDM. The key would be to run through the firewall wizard, which should give a default deny. Opening ports would be done in the firewall tab. In the tab you would need to select the "access rules" part.

http://www.cisco.com/application/pdf...00805536f7.pdf

That is a guide for the firewall and altering the firewall rules (Access Control Lists).

In the access control tab, the "Dialer In" will be the key for opening ports to certain machines. The key rule being only open ports that you need and keep the rest closed. On page 12 there is a rule that says basically deny any any IP log. Make sure this is the LAST RULE on the Dialer Inbound rule on the firewall. The way Cisco Access Control Lists work is that they go through the rules in order, top to bottom. So it should look like this:

permit
permit
permit
permit
deny IP any any Log

This allows only the ports you specify and blocks the rest; make sure the deny any any is the bottom-most rule.

Also use a site like Home of Gibson Research Corporation and the Shields Up service to ensure that the ports are closed to start with and that rules are working correctly. There are other online scanners which are arguably better, but this will give an idea about the firewall rules.

The SDM allows you to open ports for an IP address, a range of IP addresses (wildcard masking, very useful) or all IP addresses, so it's quite configurable in that sense.

Last edited by mike1210; 25 October 2006 at 09:39 AM.
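
The top-to-bottom, first-match ordering and wildcard masking described in the post above, as an added example that is not part of any post in this thread: a small Python model of an inbound ACL that also reports rules made unreachable by an earlier rule. The addresses, rule sets and function names are constructed for illustration, and the model only looks at source, destination and TCP destination port (no session state).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is a don't-care

def _ints(spec):
    return tuple(int(ipaddress.IPv4Address(x)) for x in spec)

def matches(addr, spec):
    """Wildcard mask is an inverted netmask: 1 bits are ignored when comparing."""
    base, wild = _ints(spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def covers(outer, inner):
    """True when every address matched by `inner` is also matched by `outer`."""
    (ob, ow), (ib, iw) = _ints(outer), _ints(inner)
    return (iw & ~ow) == 0 and (ob | ow) == (ib | ow)

def evaluate(acl, src, dst, dport):
    """First match wins, top to bottom; returns (action, rule index)."""
    for i, (action, s, d, port) in enumerate(acl):
        if matches(src, s) and matches(dst, d) and port in (None, dport):
            return action, i
    return "deny", None                 # implicit deny that ends every ACL

def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, (_, s, d, port) in enumerate(acl):
        if any(covers(es, s) and covers(ed, d) and eport in (None, port)
               for _, es, ed, eport in acl[:i]):
            dead.append(i)
    return dead

# Constructed sample rules (documentation address ranges, not from the thread).
WEB = ("203.0.113.10", "0.0.0.0")       # single host
LAN = ("203.0.113.8", "0.0.0.7")        # block of 8 public addresses
TRUSTED = ("198.51.100.0", "0.0.0.15")  # remote static range
GOOD = [("permit", ANY, WEB, 80),
        ("permit", TRUSTED, LAN, 548),
        ("deny", ANY, ANY, None)]       # explicit final deny (the one that logs)
BAD = [GOOD[2], GOOD[0], GOOD[1]]       # same rules, deny moved to the top

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, evaluate(acl, "192.0.2.55", "203.0.113.10", 80), shadowed(acl))
```

With the deny at the top, both permits are reported as shadowed and the web request is dropped by rule 0, which is why the post insists the deny stays last.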
Old 25 October 2006, 01:04 PM
  #9  
Markus

Thanks for that info, I'll get it along to him. I think he might have sorted it out already as I've not heard back from him.