MSN on a CISCO 871w

By Cleaver99
I am very sorry for the long post...I wanted to include my SDM file too.

I have inherited a Windows 2003 server and Cisco 871w "network". The employees cannot get MSN Messenger to work. It will not connect with the .NET service.

I have checked GPO on server and there is nothing enabled/disabled to block MSN. I have looked over the Cisco config and there is nothing blocking MSN either. (I am very new to CISCO.)

Does the 871w deny all by default? How do I open ports for MSN (and, for that matter, FTP)? (RDP is not working either...) I have attached my SDM config.
Also, is there anything that stands out in this config that could be optimized, or removed for better performance?

**************************
!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 50256 informational
logging console critical
enable secret 5 ******
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -4
clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool sdm-pool1
network 192.168.1.0 255.255.255.0
domain-name ***********.local
default-router 192.168.1.1
dns-server 192.168.1.3
!
!
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 198.164.4.2
ip name-server 198.164.30.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1120605352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1120605352
revocation-check none
rsakeypair TP-self-signed-1120605352
!
!
crypto pki certificate chain TP-self-signed-1120605352
certificate self-signed 01
quit
username admin privilege 15 secret 5 ***********
username t******U secret 5 **************
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ******
key *********
dns 192.168.1.3
wins 192.168.1.3
domain ************.local
pool SDM_POOL_2
max-users 25
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group *********
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 142.xxx.xxx.xxx 255.255.255.248
ip access-group 107 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet4
ip access-group 105 in
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
ip address 10.0.1.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
encryption mode ciphers tkip
!
ssid *********1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ************
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 192.168.1.1 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.225 192.168.1.250
ip local pool SDM_POOL_2 192.168.2.1 192.168.2.25
ip classless
ip route 0.0.0.0 0.0.0.0 142.xxx.xxx.xxx permanent
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.3 3389 142.xxx.xxx.xxx 3389 extendable
!
ip access-list extended sdm_virtual-template1_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_virtual-template1_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
permit ip any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 142.xxx.xxx.xxx 0.0.0.7 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 142.xxx.xxx.xxx eq non500-isakmp
access-list 103 permit udp any host 142.xxx.xxx.xxx eq isakmp
access-list 103 permit esp any host 142.xxx.xxx.xxx
access-list 103 permit ahp any host 142.xxx.xxx.xxx
access-list 103 permit tcp any host 142.xxx.xxx.xxx eq 3389
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit icmp any host 142.xxx.xxx.xxx echo-reply
access-list 103 permit icmp any host 142.xxx.xxx.xxx time-exceeded
access-list 103 permit icmp any host 142.xxx.xxx.xxx unreachable
access-list 103 permit tcp any host 142.xxx.xxx.xxx eq 443
access-list 103 permit tcp any host 142.xxx.xxx.xxx eq 22
access-list 103 permit tcp any host 142.xxx.xxx.xxx eq cmd
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit udp host 192.168.1.3 eq domain any
access-list 106 deny ip 142.xxx.xxx.xxx 0.0.0.7 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 permit udp host 198.164.4.2 eq domain any
access-list 107 permit udp host 198.164.30.2 eq domain any
access-list 107 permit udp host 142.177.129.11 eq domain any
access-list 107 permit udp host 142.177.1.2 eq domain any
access-list 107 permit udp any host 142.xxx.xxx.xxx eq non500-isakmp
access-list 107 permit udp any host 142.xxx.xxx.xxx eq isakmp
access-list 107 permit esp any host 142.xxx.xxx.xxx
access-list 107 permit ahp any host 142.xxx.xxx.xxx
access-list 107 deny ip 192.168.1.0 0.0.0.255 any
access-list 107 permit icmp any host 142.xxx.xxx.xxx echo-reply
access-list 107 permit icmp any host 142.xxx.xxx.xxx time-exceeded
access-list 107 permit icmp any host 142.xxx.xxx.xxx unreachable
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip host 0.0.0.0 any
access-list 107 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 104 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 209.87.233.53 prefer
end

MSN requires TCP ports 1863 and 443 open for outbound connections

by robo_dev In reply to MSN on a CISCO 871w

good info, but...

by Cleaver99 In reply to MSN on a CISCO 871w

So does anybody know what lines to add and where to add them? Or how it can be done in the SDM? (I am having a hard time navigating the whole Cisco hardware/software lingo.)
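
Added example (not part of the original thread and not Cisco's or SDM's own tooling): a small Python audit over a constructed excerpt of the config posted above, checking whether each static NAT port-forward is permitted by the ACL that is actually bound inbound on the `ip nat outside` interface. The function names are this example's own, and the matcher assumes traffic from an arbitrary Internet source. On the posted lines it shows that the tcp/3389 forward is permitted in ACL 103, while the ACL bound to FastEthernet4 is 107.

```python
import re
# Constructed excerpt: lines copied from the config posted above (addresses masked as on the page).
CONFIG = """\
interface FastEthernet4
ip access-group 107 in
ip nat outside
ip nat inside source static tcp 192.168.1.3 3389 142.xxx.xxx.xxx 3389 extendable
access-list 103 permit tcp any host 142.xxx.xxx.xxx eq 3389
access-list 107 permit udp host 198.164.4.2 eq domain any
access-list 107 deny ip 192.168.1.0 0.0.0.255 any
access-list 107 deny ip any any
"""

def parse(config):
    """Return (ACL bound inbound on the NAT-outside interface, ACL rules, static forwards)."""
    bound, iface, outside, acls = {}, None, None, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-group (\S+) in$", line):
            bound[iface] = m.group(1)
        elif line == "ip nat outside":
            outside = iface
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    forwards = re.findall(r"ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)", config)
    return bound.get(outside), acls, forwards

def take_addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    addr, tok = (tok[0], tok[1:]) if tok[0] == "any" else (" ".join(tok[:2]).replace("host ", ""), tok[2:])
    port, tok = (tok[1], tok[2:]) if tok[:1] == ["eq"] else (None, tok)
    return addr, port, tok

def permits(rules, proto, dst_ip, dst_port):
    """First-match verdict for an arbitrary Internet source; no match is the implicit deny."""
    for action, tok in rules:
        if tok[0] in ("ip", proto):
            src, sport, rest = take_addr(tok[1:])
            dst, dport, _ = take_addr(rest)
            if src == "any" and sport is None and dst in ("any", dst_ip) and dport in (None, dst_port):
                return action == "permit"
    return False

def audit(config):
    """Per static forward: (proto/port, bound ACL, permitted by it?, other ACLs that permit it)."""
    bound, acls, fwds = parse(config)
    return [(f"{p}/{port}", bound, permits(acls.get(bound, []), p, ip, port),
             [n for n, r in acls.items() if n != bound and permits(r, p, ip, port)]) for p, ip, port in fwds]
```

The check covers unsolicited inbound connections only; return traffic for sessions tracked by `ip inspect SDM_MEDIUM out` is admitted dynamically and is not modelled here.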
