Solved

Cisco 803 configuration

Posted on 2003-10-28
Last Modified: 2010-08-05
I have recently been attempting to configure a Cisco 803 router using the Cisco Fast-Step configuration program....I'm relatively new to router configuration and am wondering if there are any other options which need to be configured that the software doesn't cover....I have set up the router with an ip of 192.168.0.1 and subnet mask of 255.255.255.0, enabled the DHCP server on the router, set the pc's to obtain an ip automatically and not to use any dialup connection and yet my pc's cannot access the internet....they can ping the router ok....
Question by:kevkirr

Expert Comment

by:NicBrey
ID: 9633073
You have to configure NAT (network address translation) on the router

Telnet to the router and go into privileged mode. The prompt will look like
router#

You need to add the following lines to the config

Under Ethernet interface
router(config-if)#ip nat inside

Under BRI interface or if you are using dialer profiles, under the dialer interface
router(config-if)#ip nat outside

Create an access list for the internal network addresses for NAT
router(config)#access-list 1 permit ip 192.168.0.0  0.0.0.255

Now configure the NAT statement
router(config)# ip nat inside source list 1  dialer 1           <----  if you use dialer interface
router(config)# ip nat inside source list 1  bri 0               <---- if you are not using dialer interface.

If you post the config here and just edit out the passwords etc.  I can tell you exactly what commands to add...






Expert Comment

by:NicBrey
ID: 9633100
>Now configure the NAT statement
>router(config)# ip nat inside source list 1  dialer 1           <----  if you use dialer interface
>router(config)# ip nat inside source list 1  bri 0               <---- if you are not using dialer interface.


One more thing.

Add the word "overload"  to the end of the NAT statement.  This will allow more than one user to connect using NAT at a time.
router(config)# ip nat inside source list 1  dialer 1  overload

Expert Comment

by:NicBrey
ID: 9633225
Also make sure that you have a default route that points to the outside interface:

ip route  0.0.0.0  0.0.0.0  dialer 1
 

Author Comment

by:kevkirr
ID: 9633897
Excellent NicBrey....I was pretty certain that the Fast-Step didn't cover everything....I'll be having another go this evening and will try out your suggestions....if they work I'll close the question tomorrow, otherwise I'll be back with the configuration file looking for further assistance....

Expert Comment

by:NicBrey
ID: 9633947
No problem...  good luck !!
 

Author Comment

by:kevkirr
ID: 9641096
Ok that was almost a complete waste of time....I did discover that the hub and router don't see eye to eye though....if I connect the hub to the router and the pc's to the hub they cannot locate the DHCP server but if I connect them to the router's built in hub they work perfectly??? I've tried every combination of setting the uplink/normal switch on the hub and hub/no hub switch on the router without success??? This is ok at the moment as there are only 4 machines on the network but there may be more after a few weeks so I don't know what I'll do with it....

Anyhow back to my original problem....

The commands given above yield the following results (via telnet logging):
User Access Verification
Username: x
Password:
router>enable
Password:
router#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#interface ethernet 0
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#interface dialer 1
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#access-list 1 permit ip 192.168.0.0 0.0.0.255
Translating "ip"...domain server (255.255.255.255)
                                       ^
% Invalid input detected at '^' marker.
router(config)#ip nat inside source list 1 dialer 1
                                              ^
% Invalid input detected at '^' marker.
router(config)#exit
router#exit
 

Author Comment

by:kevkirr
ID: 9641110
The running configuration is (via telnet logging):

User Access Verification
Username: router
Password:
router>enable
Password:
router#sh running-config
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 $1$FcI.$kYBz5rbtNSgemdb5E7toi.
!
username router password 7 15220A1F173D24362C
!
ip subnet-zero
no ip source-route
!
ip dhcp pool DHCPPoolLAN_0
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string 1890927171 class DialClass
 dialer hold-queue 10
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname p17269
 ppp chap password 7 071B2E4E4B1B14
 ppp pap sent-username p17269 password 7 010709065E190B
!
ip nat inside source list 18 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end
router#exit


I have the monitor configuration file as well as the startup configuration if there are any other pieces of information in these that would be useful....

Expert Comment

by:NicBrey
ID: 9641292
Hi there,
Yes, that was a typo from my side - sorry bout that...
Just leave the ip out of the access list statement. I see you already have a correct access list 18.

The config looks fine...
Looks like you either have a duplex mismatch between your Ethernet 0 interface and your hub, or a faulty cable.  You should use a straight through (normal patch cable) if you connect a router to a hub and at the back of the router, the Hub button should be pressed down.

If you do a "show interface ethernet 0" you will see the duplex setting. Try setting it to half manually.
router(config-if)#duplex  half








 

Author Comment

by:kevkirr
ID: 9643874
Does the config already allow for dial on demand and on what criteria will it drop the ISDN connection?
 

Author Comment

by:kevkirr
ID: 9643887
Is it the exec-timeout?

Also what is the BRI0 interface used for?

Accepted Solution

by:
NicBrey earned 250 total points
ID: 9648222
The BRI interface is the physical ISDN interface on the router. The dialer interface is a logical interface. The reason for using dialer profiles is it allows more flexibility when configuring connections. Say you have more than one location that you need to connect to, then you create a dialer profile/interface for each. If you configure the physical BRI interface, you could only connect to one remote location.

The Exec-timeout on the line is not going to disconnect the ISDN call. That is for disconnecting inactive telnet sessions (line vty 0 4)
and console connections  (line con).   The dialer idle timeout 300 will disconnect the call after 300 seconds of being idle.

It is configured for dial on demand. It is just not very restrictive. The criteria is the dialer-list 18 and the routing.  At the moment, you allow all IP traffic to bring the link up. Because you only have a default route pointing to dialer 1, any IP traffic that hits your router and is destined for an address off your local 192.168.0.0 network will bring the interface up.

If you use an extended access-list instead, you'll have more control over what type of traffic will be allowed to bring up the link:

dialer list 110  permit tcp any any eq 80       <--- allow www traffic
dialer list 110  permit tcp any any eq 443     <----  allow  https
dialer list 110  permit tcp any any eq 25       <---- allow outgoing email

Then you'll have to change the dialer-group line under the dialer interface to point to the new dialer list:
dialer-group 110

This way, ICMP packets etc. etc. will not bring up the ISDN circuit
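
The restriction described in the accepted answer above, as an added example that is not part of the original thread: in IOS the per-port matches go in an extended access list, which the dialer-list then references with the "list" keyword, while "dialer-group 1" under Dialer1 keeps pointing at dialer-list 1. ACL number 110 follows the answer; the DNS line is an assumption added here so that name lookups can also raise the call.

```cisco
! Added example, not from the original thread.
! Enter in place of the existing "dialer-list 1 protocol ip permit" line.
!
! Extended ACL 110 defines the "interesting" traffic (number taken from the answer).
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 25
! Assumption: DNS queries must be interesting too, otherwise a browser
! cannot resolve a name while the link is down and never sends port 80 traffic.
access-list 110 permit udp any any eq 53
!
! Tie the ACL to dialer-list 1, which Dialer1 already uses.
dialer-list 1 protocol ip list 110
!
interface Dialer1
 dialer-group 1
 dialer idle-timeout 300
```

Interesting traffic only decides what may bring the link up and reset the idle timer; once the call is connected, other traffic still passes unless an interface access list blocks it.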
 

Author Comment

by:kevkirr
ID: 9648463
I didn't even see the dialler timeout....every time I look at the configuration above it makes more sense to me....I'm going to leave this open until tomorrow evening just in case I have any other problems but after that the points are all yours....

Expert Comment

by:NicBrey
ID: 9648508
Yeah, once you get the hang of the Cisco IOS, it really does make sense how everything fits together.  No problem, leave it open until you are happy...
 

Author Comment

by:kevkirr
ID: 9721441
Sorry about the delay in getting back to this....I've been up to my eyes in work lately so I haven't had time to even look at it....I'm closing the question and awarding the points as you have been very helpful Nic....

Expert Comment

by:NicBrey
ID: 9721449
Thanks - Glad to help...