Solved

Cisco 1811 Configuration: Sample Please

Posted on 2006-07-18
17
1,118 Views
Last Modified: 2011-10-03
I am attempting to setup a cisco 1811 and am a nub when it comes to cisco's IOS. Something you don't want to hear from the guy working on your router..."can't I do that through the GUI?"

And I can't do it through the GUI!

 I have two static IPs that I would like to assign to the router and want both of them to be utilized by the same network segment.  I'd also like the connections to be used concurrently rather than a primary and redundant connection.  Is it possible to do this with the 1811?

I wish to implement a site to site vpn connection later using the 1811 to  a pix 515e , so the current setup should not be a detriment to those future plans if possible.


Anyway,  Id like FE0 to have X.X.X.97 and FE1 to have X.X.X.24  and only a single network segment using 10.0.0.3/253 via DHCP with both WAN interfaces servicing the 10.0.0.* range.  The *.97 IP has a subnet of 255.255.255.248 and the *.24 has a subnet of 255.255.255.252.


Any help would be appreciated.
0
Comment
Question by:modes
  • 10
  • 7
17 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17135825
Do a 'show version' on the router and post it here.

Have you gone through Cisco site for configurations ? If NO, then do it which should let you configure the basic items.

One question though, for wan .97 and .24, are they given by different ISPs or is it not on the same network ?

Once you are done with basic configuration like configuring interfaces etc, post the configuration here and we can help out.

Cheers,
Rajesh

0
 

Author Comment

by:modes
ID: 17139170
The ips are both statics , the *.24 is from a local cable company and the *.97 is from a dsl provider, both seperate providers.

Here is the basic configuration .  The problem I had with basically the same config the other day was the inability of the router's second wan interface to take over traffic when the *.24 was offline.  I should be able to test the current config later this evening and will post further details at that point.  What I would like is to utilize both wan channels simultaneosly and am unsure whether I need to do something to specify that.  That would be preferrable to a primary / secondary(backup) config.

The username and Ips are x-ed out , but are the correct working numbers in another router I am aiming to replace with the 1811.

Building configuration...
Current configuration : 6601 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 205.xx.xx.xx
ip name-server 205.xx.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313733 38353735 3633301E 170D3036 30373139 31353337
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31373338
  35373536 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C4EF 16374242 B89E5AFD 4F3BB8DA 08185321 7594AE76 AEEC5648 8EA0E832
  56F54C94 9787AB56 E8CDE4DA FC603472 2B125C65 94E4AFCE 0536D804 951F9743
  2055BF9E 3271911E 23FE749B DECA4ED8 288FFBA1 EAD4E699 B993C8FD 902267D2
  D2F241AC 2F23ABC8 E6FDEE93 3FA5288D DD3467EA 9E856E1E 33239428 69AF5276
  73010203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 174C6F63 616C4C61 6E2E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1401DF61 2F5ECEEE 0D96C260 D291E872 A7304C27
  A2301D06 03551D0E 04160414 01DF612F 5ECEEE0D 96C260D2 91E872A7 304C27A2
  300D0609 2A864886 F70D0101 04050003 81810055 D26F8484 01F7F59D EFE5ADC0
  38CB08F9 A8EF4302 2883BF2A 91973B11 6DE805B8 E7B4867C 4CAFE845 3BA32236
  BAD56897 86FF39B6 B9A6064C 73B4F8E2 A40B058E 93BE92FD D37F8644 7EBEC454
  53187847 9937B1B2 8D062760 FC60A413 4699D0B7 D597A6EF B78CE20B 46202231
  6AC084D1 B54F94B8 F822E965 F7490274 6AC58E
  quit
username xxxxx  privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.24 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.xx.65 eq domain host xx.xx.xx.24
access-list 101 permit udp host xx.xx.xx.65 eq domain host xx.xx.xx.24
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.24 echo-reply
access-list 101 permit icmp any host xx.xx.xx.24 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.24 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Thanks agian.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17139482
Do these;

ip cef

ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 0.0.0.0 0.0.0.0 Ethernet0

So by default, cef will enable the load balancing (Cisco Express Forwarding). So the default behaviour will be;

One session is sent out through Ethernet1 and other session is sent through Ethernet0.

http://www.cisco.com/en/US/tech/tk827/tk831/technologies_tech_note09186a0080094806.shtml#whatis

The link above should let you introduce yourselves to CEF. Don't go for the per-packet load balancing...

Cheers,
Rajesh
0
 

Author Comment

by:modes
ID: 17147280
It would appear to me that I have a routing table problem.  The SDM check on the wan interfaces comes back with a positive report, indicating that they are up and running, but I cannot ping from the router out and get no functionality from machines that pick up an ip from the router.   Below is the running config in hopes that you can see where I am obviously missing something.



Building configuration...

Current configuration : 6694 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server xx.xx.3.65
ip name-server xx.xx.2.65
ip name-server xx.xx.0.11
ip name-server xx.xx.0.10
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313733 38353735 3633301E 170D3036 30373139 31353337
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31373338
  35373536 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C4EF 16374242 B89E5AFD 4F3BB8DA 08185321 7594AE76 AEEC5648 8EA0E832
  56F54C94 9787AB56 E8CDE4DA FC603472 2B125C65 94E4AFCE 0536D804 951F9743
  2055BF9E 3271911E 23FE749B DECA4ED8 288FFBA1 EAD4E699 B993C8FD 902267D2
  D2F241AC 2F23ABC8 E6FDEE93 3FA5288D DD3467EA 9E856E1E 33239428 69AF5276
  73010203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 174C6F63 616C4C61 6E2E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1401DF61 2F5ECEEE 0D96C260 D291E872 A7304C27
  A2301D06 03551D0E 04160414 01DF612F 5ECEEE0D 96C260D2 91E872A7 304C27A2
  300D0609 2A864886 F70D0101 04050003 81810055 D26F8484 01F7F59D EFE5ADC0
  38CB08F9 A8EF4302 2883BF2A 91973B11 6DE805B8 E7B4867C 4CAFE845 3BA32236
  BAD56897 86FF39B6 B9A6064C 73B4F8E2 A40B058E 93BE92FD D37F8644 7EBEC454
  53187847 9937B1B2 8D062760 FC60A413 4699D0B7 D597A6EF B78CE20B 46202231
  6AC084D1 B54F94B8 F822E965 F7490274 6AC58E
  quit
username myusername privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.50 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.2.65 eq domain host xx.xx.xx.50
access-list 101 permit udp host xx.xx.3.65 eq domain host xx.xx.xx.50
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.50 echo-reply
access-list 101 permit icmp any host xx.xx.xx.50 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Thanks Again.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17147746
An easy thing. Can you remove the access-lists from both the interfaces and try to ping once for me ? The SDM created access-lists are horrible.

If it works then, we can concentrate on the acls.

Cheers,
Rajesh
0
 

Author Comment

by:modes
ID: 17154225
Well,  I can now browse using the FE1 , but FE0 still gives me nothing.   I configured the router with the sdm startup guide for FE1 when I first booted and manually confiogured FE0, so Im guessing somewhere in there lies the problem.
0
 

Author Comment

by:modes
ID: 17162284
The ACLs are removed.  I have full functionalty on FE1 and nothing on FE0.  Do you see anything in the config that leaps out and says FE0   the *.97 address,  is pooched?

I Would it be handy to include any other information that isnt outputted by default in the show running config?


Building configuration...

Current configuration : 6601 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server xx.xx.xx.65
ip name-server xx.xx.xx.65
ip name-server xx.xx.xx.10
ip name-server xx.xx.xx.11
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313733 38353735 3633301E 170D3036 30373139 31353337
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31373338
  35373536 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C4EF 16374242 B89E5AFD 4F3BB8DA 08185321 7594AE76 AEEC5648 8EA0E832
  56F54C94 9787AB56 E8CDE4DA FC603472 2B125C65 94E4AFCE 0536D804 951F9743
  2055BF9E 3271911E 23FE749B DECA4ED8 288FFBA1 EAD4E699 B993C8FD 902267D2
  D2F241AC 2F23ABC8 E6FDEE93 3FA5288D DD3467EA 9E856E1E 33239428 69AF5276
  73010203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 174C6F63 616C4C61 6E2E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1401DF61 2F5ECEEE 0D96C260 D291E872 A7304C27
  A2301D06 03551D0E 04160414 01DF612F 5ECEEE0D 96C260D2 91E872A7 304C27A2
  300D0609 2A864886 F70D0101 04050003 81810055 D26F8484 01F7F59D EFE5ADC0
  38CB08F9 A8EF4302 2883BF2A 91973B11 6DE805B8 E7B4867C 4CAFE845 3BA32236
  BAD56897 86FF39B6 B9A6064C 73B4F8E2 A40B058E 93BE92FD D37F8644 7EBEC454
  53187847 9937B1B2 8D062760 FC60A413 4699D0B7 D597A6EF B78CE20B 46202231
  6AC084D1 B54F94B8 F822E965 F7490274 6AC58E
  quit
username myusername privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xx.xx.xx.50 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.xx.65 eq domain host 24.111.15.50
access-list 101 permit udp host xx.xx.xx.65 eq domain host 24.111.15.50
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.50 echo-reply
access-list 101 permit icmp any host xx.xx.xx.50 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17163052
Do 'show ip int brief' and post it here.

I am guessing that interface is not up at all.

if that is the case, then you need to make it up;

int fa0
no shut

Cheers,
Rajesh
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:modes
ID: 17178702
LocalLan#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              xx.xx.xx.97    YES NVRAM  up                    down
FastEthernet1              xx.xx.xx.50    YES NVRAM  up                    down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
Vlan1                      10.0.0.2        YES NVRAM  up                    up
Async1                     unassigned      YES NVRAM  down                  down
NVI0                       unassigned      NO  unset  up                    up
LocalLan#


That doesn't appear to be the case unless I am reading this wrong.
0
 

Author Comment

by:modes
ID: 17203074
I killed the existing config and reset router to factory specs.  Reconfigured and will test tomorrow.  Changed the channels that the two services were coming into.  
0
 

Author Comment

by:modes
ID: 17266246
After doing the configuration a couple of different ways.  It appears as though the problem is in my routing and nat tables.

If I configure the FE1 or FE0 interfaces  rather than the first hop (or gateway on the dsl and cable modems) , I am unable to browse.  If I have the first hop and nat configured for the interface associated with the first hop, it works fine.   However, I cannot have two routes configured or it appears as though I am getting out only part of the time.  I just configured a loopback address and will see if that has anything to do with it.  


I would like to configure both FE0 and FE1 to service vlan1 (the only vlan configured) and the NAT pool associated wth the Vlan.  Right now if I do nat by the Interface that I have the default route created for.  then I can browse.  Basically I need to associate the nat pool with both interfaces and the one vlan.. That works on one channel, but  I would like to be able to have both wan interfaces route traffic back to the only nat pool on the router.  So how do I configure both ooutside interfaces to use the same nat pool.


0
 

Author Comment

by:modes
ID: 17358099
Ingore most of the above post.

Basically I have the NAT pool configured for the IP address of the DSL connection . This prevents traffic going out on the cable connection from getting to the outside as its trying to route through the .97 address.  How can I configure the 1811 to use a single nat pool for both the *.24 and *.97 addresses? Thats what my problem has finally boiled down to.


The inside interface is 10.0.0.* and the outside interfaces need to be both the *.97 address and the *.50 addresses.  I am unsure whether PAT is what I am looking for.  Any futher insights?

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17360626
Modes,

  From your previous post  >>FastEthernet0              xx.xx.xx.97    YES NVRAM  up                    down

That interface is down! and only FE0/1 and vlan1 is up.

So can you do that once again and post it here since you reconfigured everything ?

Cheers,
Rajesh
0
 

Author Comment

by:modes
ID: 17497005
The problem was when I had both interfaces enabled, I was getting traffic out only through one of them. When looking at the traffic, it was trying to route traffic out only one of the interfaces.

The question is resolved using the below config.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname myLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$fbEz$CGWMezys0uzcsaVT9Rgb90
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   dns-server IP.IP.IP.65 IP.IP.IP.65
   default-router 10.0.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server IP.IP.IP.65
ip name-server IP.IP.IP.65
ip ssh time-out 60
ip ssh authentication-retries 2
ip sla 1
 icmp-echo IP.IP.IP.49 source-interface FastEthernet0
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo IP.IP.IP.102 source-interface FastEthernet1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313733 38353735 3633301E 170D3036 30383231 31333138
  33305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31373338
  35373536 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C4EF 16374242 B89E5AFD 4F3BB8DA 08185321 7594AE76 AEEC5648 8EA0E832
  56F54C94 9787AB56 E8CDE4DA FC603472 2B125C65 94E4AFCE 0536D804 951F9743
  2055BF9E 3271911E 23FE749B DECA4ED8 288FFBA1 EAD4E699 B993C8FD 902267D2
  D2F241AC 2F23ABC8 E6FDEE93 3FA5288D DD3467EA 9E856E1E 33239428 69AF5276
  73010203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
  551D1104 19301782 15626973 6C616E2E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 16801401 DF612F5E CEEE0D96 C260D291 E872A730 4C27A230
  1D060355 1D0E0416 041401DF 612F5ECE EE0D96C2 60D291E8 72A7304C 27A2300D
  06092A86 4886F70D 01010405 00038181 00A98DDC F7D58C3D 7C22CBF7 752973A9
  18F24A04 5CB951BE D51AB086 CB6D648C 1C80C725 77F87A36 3936E874 1002CFD1
  E77E3521 AD8C7832 7C231BC5 7E453F84 F2B8359E 8BFB7482 5CE4AB9C 33060064
  62418160 10F283F6 5FEA9423 6119B955 A44B19F6 5162DF09 5A20E438 0483FA28
  91B01A04 F33B1044 5A5BDE67 9DE35530 1A
  quit
username XXXXXXXX privilege 15 secret 5 $1$aFMI$MGgoZCHNtPqjAAAhP3n3X0
!
!
track 100 rtr 1 reachability
!
track 101 rtr 2 reachability
!
class-map type inspect match-any internet-traffic-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address IP.IP.IP.158
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to IP.IP.IP.158
 set peer IP.IP.IP.158
 set transform-set ESP-DES-SHA
 match address 103
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address IP.IP.IP.50 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address IP.IP.IP.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip policy route-map ForceOutInt
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 IP.IP.IP.49 track 100
ip route 0.0.0.0 0.0.0.0 IP.IP.IP.102 track 101
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map CABLE interface FastEthernet0 overload
ip nat inside source route-map DSL interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=3
access-list 100 remark IPSec Rule
access-list 100 deny   ip 10.0.0.0 0.0.0.255 10.35.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Midco Only
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.0.0.0 0.0.0.255 IP.IP.IP.48 0.0.0.3
access-list 102 remark Qwest Only
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 IP.IP.IP.96 0.0.0.7
access-list 102 permit ip 10.0.0.0 0.0.0.255 host IP.IP.IP.158
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 10.35.1.0 0.0.0.255
no cdp run
!
!
!
route-map ForceOutInt permit 10
 description Send traffic to CABLE
 match ip address 101
 set interface FastEthernet0
!
route-map ForceOutInt permit 20
 description Send traffic to DSL
 match ip address 102
 set interface FastEthernet1
!
route-map DSL permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map CABLE permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end




Thanks for your help
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17499364
So it is working now ? What was the problem ?

Cheers,
Rajesh
0
 

Author Comment

by:modes
ID: 17503074
Yes it is working now.

Basically, having NAT enabled and both wan interfaces turned on,  all traffic was trying to route out through one interface as I had nat configured with a default interface.  Route mapping the way above allows traffic to go out bother interfaces.

Is it possible to do the peer to peer tunnel on the DSL line and a easy vpn server on cable to allow dialin?
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17503204
Yea you should be, since you will be configuring the vpn based on the public ip's right? So while creating choose the one you want for each and make sure other end understand this.

Cheers,
Rajesh
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now