Home Office using RoadRunner Cable Motorola Surfboard SB5100

I have almost this same setup at my home for a VPN computer and IP phone to connect to the office, although mine uses a static IP and is not a cable modem.
We are trying to set up a home office for a user who has residential RoadRunner Cable service.
The router is a Cisco 871W. I can obtain an IP address, and from the router I can ping their gateway.
However, I can't reach any address on the Internet nor the VPN parent. I thought it may be a MAC address list limitation issue, but the provider claims to have cleared the list. We set up his portable directly to the modem. It receives a valid Internet address and can ping locations on the Internet. However, since this computer had previously been hooked up but was behind a LinkSys router.

I just can't see anything wrong with the setup, but perhaps I am just overlooking something. If someone sees an issue, please advise.
FastEthernet4 is the WAN port and default gateway.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname remotevpn3
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username gecuser privilege 15 secret 5 $1$t3Jg$nx5FI6NnI3Nj2yxDSUkE6.
no aaa new-model
ip subnet-zero
ip cef
ip dhcp excluded-address 172.19.1.1 172.19.1.10
ip dhcp excluded-address 172.19.2.1 172.19.2.10
!
ip dhcp pool 0
   network 172.19.1.0 255.255.255.0
   dns-server 172.17.0.2
   default-router 172.19.1.1
   netbios-name-server 172.17.5.74 172.17.0.5
   lease 30
!
ip dhcp pool 1
   network 172.19.2.0 255.255.255.0
   dns-server 172.17.0.2
   default-router 172.19.2.1
   netbios-name-server 172.17.5.74 172.17.0.5
   lease 30
!
!
no ip domain lookup
ip domain name rga.com
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key GasEquip235$ address 205.159.25.7
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 205.159.25.7
 set transform-set myset
 match address 100
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
interface Dot11Radio0
 ip address 172.19.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
 encryption mode ciphers tkip
 !
 ssid Cisco871W
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 ########
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.19.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 172.19.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 permit ip 172.19.0.0 0.0.255.255 any
snmp-server community GEC RW
no cdp run
route-map nonat permit 10
 match ip address 105
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
Asked by: jameshoweth

1 Solution
Scotty_ciscoCommented:
What are you NATing to? I do not see a NAT statement. You are going from private to public, so you need to define what traffic gets NATed.

ip nat inside source list 101 interface fa4 overload

create access-list 101 permit ip 172.19.2.0 0.0.0.255 any

this should help

Thanks
Scott
jameshowethAuthor Commented:
Access list 100, along with the reference to the crypto map with its match statement and the overload statement, should take care of this.


I should have added: using the console via HyperTerminal I can't ping an Internet address except the gateway. This would be from the router console, not from a PC connected to the router. So I think the router would just be using its assigned address, not a NAT. Only the gateway answers the ping request.


Scotty_ciscoCommented:
OK, I see that now. So from a console you cannot ping from the router to anything on the net? Have they assigned you a static IP address? Many ISPs do not route back to the interface they give the CPE; Comcast gives cable modems 73.x.x.x addresses and will not route to them except from their hosts, so that does not seem too out of line.

Thanks
Scott
jameshowethAuthor Commented:
It's a DHCP address. The last one assigned was a 24.x.x.x. The show ip lease statement shows the IP address and gateway. Using a PC (substituted for the router plugged into the cable modem), it assigns a similar address and all seems to work well. I tried to argue with the cable tech but got nowhere. He insists there is a problem with the router setup. I hope it is a setup problem because that I can fix.
I suggested to the client that he may need to upgrade to RoadRunner Business and get a static IP, but that does not explain why this doesn't work, and if there is a problem with my setup it still would not function.

 

Scotty_ciscoCommented:
OK, so I see your problem. It is a cable provider, so when you ping, are you using the external IP address? Try an extended ping and use the int fa4 DHCP-assigned address as source and see if that works. If it does, then there is a problem with the NAT setup and we can look closer.

Thanks
Scott
jameshowethAuthor Commented:
I won't be able to try this again until Friday when the client returns from business. I have to guide him through this over the phone since he is in a different city. You say to use the int Fa4 assigned address. I thought this is what I would be using from the command line. Is there a command to ensure this is the source?

Also, I did have him try a traceroute to a known IP that I know will respond. The traceroute did not even show the gateway on step 1, which made me think possibly there was something wrong with the setup, but I am not sure this means anything.
Scotty_ciscoCommented:
Well, we need to figure out if it is a routing issue upstream or if it is a NAT issue... do you know how to do an extended ping?

ping (enter)
etc.?

Thanks
Scott
JJT2750Commented:
I think you need to fix ACL 105; your permit should come before your deny.
Scotty_ciscoCommented:
I did not notice that. ACLs are processed from the top down, so all permits must come before a deny, and there is an implicit deny at the end if it is not there.

Thanks
Scott
JJT2750Commented:
It reads right down the table; if a deny is listed before a permit you will never get to the permit.
jameshowethAuthor Commented:
The ACL 105 is only used for VPN.
The purpose of 105 is for the NONAT list.
I have the same list in my router at home.

It prevents NAT for addresses to these VPN locations and NATs everything else for the Internet.
This allows the user to have local Internet access, but when using the VPN tunnel it does not NAT the address.

If the permit was first it would NAT the VPN addresses.

This is SOP for giving the user local Internet access.
I.e., do not NAT if the destinations are VPN; NAT everything else.

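The ordering question raised above, modelled as an added example that is not part of the thread: it parses ACL 105 as posted (and the permit-first variant that was suggested) and evaluates it top-down with first-match semantics under route-map nonat, so a permit means the packet is translated and a deny means it is exempt. The source and destination addresses used when calling it are constructed.

```python
import ipaddress

# ACL 105 as posted (deny the VPN destinations, then permit the rest) and
# the reordering proposed in the thread (permit moved to the top).
ACL_105_DENY_FIRST = """\
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 permit ip 172.19.0.0 0.0.255.255 any
"""
ACL_105_PERMIT_FIRST = """\
access-list 105 permit ip 172.19.0.0 0.0.255.255 any
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
"""

def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' pair -> IPv4Network (0.0.255.255 is a /16)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def _take_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """'access-list N action ip SRC DST' lines -> [(action, src_net, dst_net)]."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def acl_verdict(entries, src, dst):
    """Top-down, first match wins; running off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def is_translated(acl_text, src, dst):
    """'route-map nonat permit 10' matches ACL 105: a permit means the packet
    is NATed; a deny means no clause matches and it leaves untranslated."""
    return acl_verdict(parse_acl(acl_text), src, dst) == "permit"
```

With the deny-first list a packet from 172.19.2.20 to 172.17.0.2 leaves untranslated and so matches crypto ACL 100, while the same packet under the permit-first list is NATed to the WAN address and never enters the tunnel.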
Scotty_ciscoCommented:
ip nat inside source route-map nonat interface FastEthernet4 overload: but it is still using it to determine the NAT properties as well; it is not broken out that way. So if you fix the ACL things should work.... Do a debug NAT and see if you are even trying to NAT anything. If not,

change this
ip nat inside source route-map nonat interface FastEthernet4 overload

to

ip nat inside source list 101 interface fa4 overload

and add

access-list 101 permit ip 172.19.0.0 0.0.255.255 any

See if that works. If it does, then the NAT was the issue; if not, go back to what you have and we can continue to troubleshoot.

Thanks
scott
jameshowethAuthor Commented:
I won't be able to look at this again until Friday.  I do appreciate the help.

I have these exact same access list statements in 2 other home office setups, line for line.
I just subnet the 172.19 for each different location but use the entire class B for the exclusion.
Works for locations using 172.19.0 and 172.19.3.

I can't see how the NATing would be an issue since I can't ping the router's assigned address from my location or ping out on the Internet from that location.
I could ping their assigned gateway from my location and from his location.

I didn't try an extended ping, but by default the router should use the external interface (according to Cisco). However, I will give it a try. At this point I will try most anything!

Actually, the only statement I can see that doesn't match the other configs is the NO IP CLASSLESS. All the others have IP CLASSLESS. However, I can't see how this would be an issue, but I will change that also.

I sort of lean to the problem being a MAC address limit with the service provider and the tech not understanding the issue.

 
carl_legereCommented:
Have you tried lowering to 10 megabits / half on the cable modem connection?
Also try MTU 1460.
carl_legereCommented:
To be honest, twice I've had to add cheap Linksys routers in front of Cisco equipment. It's a DHCP screw-up thing. Can you do this? In most circumstances yes; I mean all mine were Cisco VPNs and we got it to work well.

internet -> linksys set to have 192.168.105.10 be the DMZ -> cisco 1751 access router
jameshowethAuthor Commented:
"DHCP screw-up thing"? I know it has a valid address. How does the DHCP cause a problem? I don't think having him change to RR Business is going to be a problem if that would solve the problem, and it would probably be a good idea for other reasons. However, I can't seem to find a logical reason why the DHCP would be a problem. If you could possibly shed some light on the DHCP problem, it would be appreciated.

carl_legereCommented:
Right, RR Business solves the issue with a static IP, but hurts you because the lowest service provides very slow Internet.
jameshowethAuthor Commented:
Tried the suggestions posted with no luck. I didn't try putting a Linksys in front of the Cisco 871W. I will need to send the fellow a crossover cable to do this.

Extended ping using the WAN address does not work.
The router gets an address and can ping the provider's gateway but can't get past the gateway.

show ip route is below. Again, everything seems fine but it just won't get past the provider's gateway.

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.19.0.0/24 is subnetted, 1 subnets
C       172.19.2.0 is directly connected, Dot11Radio0
     24.0.0.0/24 is subnetted, 1 subnets
C       24.243.100.0 is directly connected, FastEthernet4
     10.0.0.0/32 is subnetted, 1 subnets
S       10.236.112.1 [254/0] via 24.243.100.1, FastEthernet4
S*   0.0.0.0/0 is directly connected, FastEthernet4
jameshowethAuthor Commented:
OK, here's the deal. The problem was caused by having a static route "ip route 0.0.0.0 0.0.0.0 FastEthernet4". Removing this route and bang, it starts working. I have left this route in before using DHCP with no problem.
I think it has something to do with this: when RR leases an address, the gateway is listed as 10.x.x.x via 24.x.x.x. So the subnet the router is on, 24.x.x.x, is not where the gateway actually is.

Man, this almost drove me crazy!

So Carl, you were somewhat correct; it is a DHCP screw-up thing. Hope this may help someone else pulling their hair out!

 
 
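The root cause just described, as an added example that is not from the thread: it models the candidate routes from the posted show ip route output, keeps per prefix only the lowest administrative distance, and then recursively resolves a destination to the address the router must ARP for. The DHCP-learned default route via 10.236.112.1 at distance 254 is an assumption drawn from the gateway statement above; that a static route pointing only at an Ethernet interface makes the router ARP for the final destination itself (and so depends on upstream proxy ARP) is standard IOS behaviour.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    prefix: str
    distance: int                   # connected 0, static 1, DHCP-learned 254
    iface: Optional[str] = None     # "is directly connected, <iface>"
    next_hop: Optional[str] = None  # "via <address>"

# Taken from the 'show ip route' output posted above.
DHCP_AND_CONNECTED = [
    Route("172.19.2.0/24", 0, iface="Dot11Radio0"),
    Route("24.243.100.0/24", 0, iface="FastEthernet4"),
    Route("10.236.112.1/32", 254, next_hop="24.243.100.1"),  # host route to the DHCP gateway
]
# The manual 'ip route 0.0.0.0 0.0.0.0 FastEthernet4' whose removal fixed the problem.
STATIC_DEFAULT = Route("0.0.0.0/0", 1, iface="FastEthernet4")
# Assumption: the default route offered by DHCP, which IOS installs at distance 254.
DHCP_DEFAULT = Route("0.0.0.0/0", 254, next_hop="10.236.112.1")

def install(candidates: List[Route]) -> List[Route]:
    """Per prefix, only the lowest administrative distance reaches the routing table."""
    best = {}
    for r in candidates:
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return list(best.values())

def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match against the installed routes."""
    d = ipaddress.IPv4Address(dst)
    hits = [r for r in rib if d in ipaddress.IPv4Network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen, default=None)

def resolve(rib: List[Route], dst: str):
    """Follow 'via' hops until a connected route; return (egress iface, address ARPed for).
    Hitting the connected route without any 'via' means the router ARPs for the
    destination itself, which only works if the upstream gateway answers proxy ARP."""
    target = dst
    for _ in range(8):  # bounded, in case of a recursion loop
        r = lookup(rib, target)
        if r is None:
            return None
        if r.iface is not None:
            return r.iface, target
        target = r.next_hop
    return None
```

With the static route installed, an Internet destination resolves to "ARP for the destination on FastEthernet4"; once it is removed, the DHCP default wins and the same destination resolves through 10.236.112.1 to the on-link gateway 24.243.100.1.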
CetusMODCommented:
PAQed with points refunded (250)

CetusMOD
Community Support Moderator