Solved

setting up internet gateway router for dynamic ip

Posted on 2004-08-22
Last Modified: 2010-04-17
I got a 2611 router, with e0 and e1 (2 ethernet ports).  I'm planning to use this as an internet gateway router; I'm using this for my home with Cox Cable internet.  I'm given a dynamic IP address, notice not a static IP.  How would I set it up to get a dynamic IP?  I know how to do static, ip address x.x.x.x x.x.x.x would be easy for static, but how would I do it for dynamic?  My goal is to set it up so I can later on do VPN through the same router as well.
0
Comment
Question by:Pentrix2
25 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 300 total points
ID: 11866048
On the ethernet interface connected to your ISP providing the dynamic IP address, use the following command:

interface ethernet0
ip address dhcp
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11866282
I got that router connected to a switch, then I'm hoping for all my workstations to get internet access. Is this possible?  What command would I need?
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11866317
Are there any security commands you recommend as well, JFrederick29, before I put this in production?
0
 
LVL 4

Expert Comment

by:sriwi
ID: 11866544
You need to use one of the ethernet ports to connect to your modem (cable/DSL modem), and the other ethernet port to connect to the switch.

On the command line:

eth0: set to obtain ip automatic from isp
         Set up nat
         set up port forwarding for vpn

eth1: This is going to switch
         set up IP local (internal)

For commands:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps260/products_installation_and_configuration_guide_chapter09186a008019aa68.html

After that is set up, you need to set up an access-list for the internal network to be able to access the outside (internet) network (part of NAT).

cheers

0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11866576
Okay, how would I do the access-list for internet network to be able to access the outside (internet)?
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 200 total points
ID: 11866918
interface ethernet 0
 ip address dhcp
 ip nat outside

interface ethernet 1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit any

Also, don't forget to create a default static route.

-Don
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11866945
How would I create a static route to what?
0
 
LVL 4

Expert Comment

by:sriwi
ID: 11866964
Static route to the internet (the default gateway of the ISP; it should be given to you at setup time, or when the DHCP lease is obtained).
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11866974
How would I get the static route?  Do an ipconfig /all on my workstation and copy the default gateway?  Then, how would I create the static route to the internet?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 11866978
What I do is connect a PC to the cable modem and have it pull an ip address from the ISP. Determine the default gateway (ipconfig on windows) and write down the default gateway (i.e. 12.1.2.3).

Then, create the default route:

ip route 0.0.0.0 0.0.0.0 12.1.2.3

-Don
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11869156
Here is a basic, yet effective access-list that will protect your internal network:

access-list 101 permit udp any eq 53 any          <--- Allow return DNS replies
access-list 101 permit tcp any any established   <--- Allow established TCP sessions from the inside network
access-list 101 permit icmp any any echo-reply  <--- Allow icmp replies back into your network

The implicit "deny any" at the end of the list will take care of blocking the rest of the traffic.

Add it to your ethernet0 interface:

interface ethernet0
ip access-group 101 in
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11869164
How would I do the implicit deny any?
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 11869175
You don't have to, it is automatic.  At the end of every access-list there is a "deny all".
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11869200
Thanks JFrederick29 and donjohnston for the help!!  
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870146
donjohnston, I tried the command you gave me.

ip nat inside source list 1 interface Ethernet0 overload

I got as far as ethernet 0, but couldn't do the overload; it says invalid command?
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870173
Never mind, it was a typo.  It was
ip nat inside source list 1 interface ethernet 0/0 overload

I forgot, it's 2 ethernet so I need the 0/0 in there.  :)
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870483
Alright, so I know now how to make e0/0 have DHCP, outside.  But I notice e0/1 has a static route 192.168.1.1 255.255.255.0.  Now, how would my workstations get a valid IP address from my router?  Or would I need a Windows Server DHCP server to assign them to my workstations?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11870518
You can set up the router as a DHCP server or you can use Windows DHCP.  Windows DHCP server is a little easier to configure if you have a server available.  If not, configure the DHCP server on the router:

ip dhcp pool dhcppool  <---- create the DHCP pool using whatever name you want
   network 192.168.1.0 255.255.255.0  <---- use your network and mask
   default-router 192.168.1.1  <---- set the default gateway to be sent to clients
   domain-name test1  <---- set the clients' domain name
   dns-server 68.x.x.10  <---- set DNS server 1 to your ISP DNS server (primary)
   dns-server 68.x.x.11  <---- set DNS server 2 to your ISP DNS server (secondary)
   netbios-name-server 192.168.1.10  <---- set the WINS server if applicable

Use the command "ip dhcp excluded-address 192.168.1.1" to exclude the router address.  Use the command to exclude other addresses that you want statically assigned, you can use a range as follows:

ip dhcp excluded-address 192.168.1.100 192.168.1.254
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870611
I see a starting point for the DHCP to begin, which is at 192.168.1.0. Does it automatically assume that it will end at 192.168.1.254?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11870718
Yes, based on the subnet mask.  Using a 255.255.255.0 subnet mask indicates 254 addresses.
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870795
I'll give you an extra 1000 points JFrederick29 for helping me out.  I'll post some questions and paste the link for you.  Just put in a comment and I'll accept the answer.  I did the configurations but my workstation still isn't receiving a valid ip address from my router's dhcp services.  Here is my running-config.  Am I doing something wrong here?

sh ru
Building configuration...

Current configuration : 1095 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$60dM$agBXmEfl295aosf75SOHN1
!
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
   network 192.168.1.0 255.255.255.0
   domain-name HamFarm.com
   dns-server 205.171.3.65
   default-router 192.168.1.1
!
!
!
!
interface Ethernet0/0
 ip address 65.126.22.180 255.255.255.224
 ip access-group 101 in
 full-duplex
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 shutdown
 half-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip classless
no ip http server
!
access-list 1 permit any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
!
line con 0
 password 7 001012080354
 login
line aux 0
 password 7 105A08170218
 login
line vty 0 4
 password 7 105A08170218
 login
!
end

Router#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11870916
Your Ethernet0/1 interface is shutdown.

en
conf t
interface ethernet0/1
no shutdown
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11870970
LOL, you must be kidding me.  I feel so freaking dumb.  And it worked.  Thanks.  Those are the 2 questions with 500 points as promised.  Just post a comment and I'll accept.

http://www.experts-exchange.com/Hardware/Routers/Q_21103724.html
http://www.experts-exchange.com/Hardware/Routers/Q_21103725.html
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 11875027
I tried it on my home network. It's connected directly to my cable modem on e0/0, and e0/1 is to my switch.  When I ping my default gateway IP, I get:

Reply from 192.168.1.1 :  Destination host unreachable.

Here is my running config

sh run
Building configuration...

Current configuration : 1157 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$60dM$agBXmEfl295aosf75SOHN1
!
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
   network 192.168.1.0 255.255.255.0
   default-router 68.106.112.1
   domain-name Farm.com
   dns-server 68.100.16.25
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address dhcp
 ip access-group 101 in
 full-duplex
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.106.112.1
no ip http server
!
access-list 1 permit any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 001012080354
 login
line aux 0
 password 7 105A08170218
 login
line vty 0 4
 password 7 105A08170218
 login
!
end

Router#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11880136
Is there a reason why you are running full-duplex on your ethernet ports?  Is the switch port connected to ethernet0/1 also set to full-duplex?  I'd switch it back to auto negotiate.

Post the "ipconfig" from the PC you are unable to ping the router from.
0
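
An added example, not part of the thread or any poster's code: a small Python check over a running-config for the interface-shutdown problem diagnosed above, plus two points where the pasted configs differ from what was suggested earlier in the thread (no `ip nat outside` on the overload interface, and a DHCP pool `default-router` outside the pool's network). The sample config is constructed by trimming the second paste; `parse_blocks` and `audit` are hypothetical names, and the parser assumes `show running-config` formatting.

```python
import ipaddress
import re

# Constructed sample, trimmed from the second running-config in the thread.
SAMPLE_CONFIG = """\
ip dhcp pool dhcppool
   network 192.168.1.0 255.255.255.0
   default-router 68.106.112.1
!
interface Ethernet0/0
 ip address dhcp
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Ethernet0/0 overload
"""

def parse_blocks(config):
    """Map each top-level line to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and current:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config):
    """Return findings for the gateway issues seen in the thread."""
    blocks, findings = parse_blocks(config), []
    ifaces = {k.split()[1]: v for k, v in blocks.items() if k.startswith("interface ")}
    for name, cmds in ifaces.items():  # NAT interface left administratively down
        if "shutdown" in cmds and any(c.startswith("ip nat ") for c in cmds):
            findings.append(f"{name}: NAT interface is shutdown")
    for top, cmds in blocks.items():
        # PAT rule must point at an interface marked as the NAT outside
        m = re.match(r"ip nat inside source list \S+ interface (\S+) overload", top)
        if m and "ip nat outside" not in ifaces.get(m.group(1), []):
            findings.append(f"{m.group(1)}: overload interface lacks 'ip nat outside'")
        # Gateway handed to DHCP clients must be inside the pool's own network
        opts = {c.split()[0]: c.split()[1:] for c in cmds}
        if top.startswith("ip dhcp pool ") and opts.keys() >= {"network", "default-router"}:
            net = ipaddress.ip_network("/".join(opts["network"]))
            for gw in opts["default-router"]:
                if ipaddress.ip_address(gw) not in net:
                    findings.append(f"{top}: default-router {gw} is outside {net}")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns the findings as a list of strings; an empty list means none of the three conditions matched.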
