Ricardo_Dowell
asked on
Cisco 877w ADSL Configuration using Static IP Address from ISP
Good Morning to Everyone,
I have a Cisco 877w and I need to establish a connection to the Internet using a static IP address. I will also need to configure VPN access to this router using the Cisco VPN Client to connect.
I'm pretty new to the CLI but I was able to get the router connected to the internet and clients on the local segment were able to browse; however, this test was done at home using a negotiated IP. I now need to take the router to the actual site and configure the ISP's static IP address. Once that works, I'll then focus on the VPN.
Below are the relevant portions of the current config which work with my ADSL line at home (negotiated IP):
no ip domain lookup
ip name-server 205.214.192.201
ip name-server 205.214.192.202
interface ATM0
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/36
!
dsl operating-mode auto
.......................... .......... .......... .....
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description ADSL Dialer
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname (hostname)
ppp chap password 0 (password)
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
For the static configuration, is it a simple matter of replacing "ip address negotiated" with "ip address x.x.x.x y.y.y.y" (x being the static address and y being the subnet mask)?
Thanks in advance...
RD.
ASKER
Hey Greg,
Thanks for such a quick response.
I will visit the site this afternoon and make this change to the config - I will let you know if all goes well.
Thanks again,
RD.
You should change ip route 0.0.0.0 0.0.0.0 Dialer0 to ip route 0.0.0.0 0.0.0.0 IPADDRESSOFDEFAULTGATEWAY
ASKER
Hello Everyone,
I tried changing from "ip address negotiated" to ip address x.x.x.x y.y.y.y. However, when I entered my static address with the subnet mask my ISP has told me to use (255.255.255.255) I get the error below:
"Bad mask /32 for address x.x.x.x"
I consulted with my ISP's tech support about the mask and they insisted that it is correct; I configured the router they provided (Siemens Gigaset SE587) with the same Static Address and the /32 subnet mask and it worked.
I found a config that seems to work using the Loopback0 interface but I'm having problems in the following areas:
SSH error when trying to connect - "Server refused authentication protocol"
NAT (I'm assuming) - I can ping public addresses from the router but not from the LAN (fa0 - 3)
Finally, I've visited Cisco's website and tried to configure the VPN based on their instructions but it doesn't work.
I've attached the config for you all to review.
Thanks Guys!
Using 4587 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Triloninc
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNUSERS local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPNGROUP1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Intra
import all
network 192.168.0.0 255.255.255.0
dns-server 205.214.192.201 205.214.192.202
default-router 192.168.0.1
domain-name INSIDE.local
!
!
no ip domain lookup
ip domain name Triloninc.com
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
crypto pki trustpoint TP-self-signed-1934165822
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1934165822
revocation-check none
rsakeypair TP-self-signed-1934165822
!
!
crypto pki certificate chain TP-self-signed-1934165822
certificate self-signed 01 nvram:IOS-Self-Sig#3204.cer
username xxxxx password 0 xxxxxx
username xxxxx password 0 xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 600
!
!
crypto isakmp client configuration group VPNGROUP
key Keyw0rd
dns 192.168.0.1 205.214.192.201
domain Intranetwork.com
pool dynpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
connect auto
group ezvpnclient key xxxxxxx
mode client
peer 192.168.0.1
xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
set transform-set VPN
reverse-route
!
!
crypto map dynmap isakmp authorization list VPNGROUP
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback0
ip address x.x.x.x 255.255.255.255
ip virtual-reassembly
!
interface ATM0
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/36
encapsulation aal5autoppp Dialer0
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
crypto ipsec client ezvpn ezvpnclient
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description ADSL Dialer
ip unnumbered Loopback0
ip nat outside
no ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer watch-group 1
dialer-group 1
no cdp enable
ppp chap hostname (hostname)
ppp chap password 0 (password)
!
ip local pool dynpool 192.168.254.10 192.168.254.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
end
Just to clarify: will you be using this as the ADSL modem / router, or did your carrier provide you a modem?
Never mind, I see it in the config.
I use a /24 and it works for me (although I think it's not correct).
A /32 would give only 1 IP address on the network; not sure that should be right, however
that's how Cisco used to do it. Have a quick read of that.
http://www.velocityreviews.com/forums/t57088-entering-32-subnet-mask-on-ppp-wan-interface.html
This has changed from 12.3 something.
Old software permitted /32 mask, new software didn't.
Greg
ASKER
Hey Guys, just to clarify a few things - this router is also the ADSL modem, the telephone cable connects directly to the WIC.
I can see that the modem is authenticated, the PPP LED is on and the RXD and TXD LEDs are active. When I connect a computer to one of the FastEthernet ports, I receive an IP address from the dhcp pool but I am unable to ping the same Public IP addresses that I can ping successfully directly from the router. So I know the loopback0 interface did the trick but something may be wrong with my NAT.
RD
interface ATM0
no ip address
ip nat inside--well this looks wrong
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
I would set up the first line as it's easier and see if it works.
i.e.
add access-list 1
Greg
please provide us:
sh ip int brief
ASKER
Hi Guys,
Sorry for the tardy response, I had to go back to the site.
OK, I reset the router to factory default then reconfigured the Loopback, ATM and Dialer interfaces, leaving out the VPN stuff for the time being, and I'm still stuck at a point where I can ping public addresses (using the CLI) when connected to the console port on the router but cannot ping any public addresses when connected to the LAN (fa ports). I get an address from the DHCP pool, it assigns a gateway and DNS to my NIC but I can't ping any public addresses.
In my new config I added access-list 1 as suggested by Greg.
Below is the sh ip int br output:
Triloninc#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
Dot11Radio0                unassigned      YES TFTP   administratively down down
ATM0                       unassigned      YES manual up                    up
Vlan1                      192.168.0.1     YES manual up                    up
Virtual-Dot11Radio0        unassigned      YES TFTP   administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Dialer0                    65.48.132.91    YES TFTP   up                    up
Loopback0                  65.48.132.91    YES manual up                    up
NVI0                       unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
I've also attached a copy of my new running config for you to review.
Thanks again.
ASKER
Sorry, somehow the running-config wasn't attached.
Current configuration : 3839 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Triloninc
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zQP/$4Szj75yXmnOQMrJExAgLu/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Triloninc
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 205.214.192.201 205.214.192.202
domain-name Inside.local
!
!
no ip domain lookup
ip domain name Triloninc.com
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
crypto pki trustpoint TP-self-signed-1934165822
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1934165822
revocation-check none
rsakeypair TP-self-signed-1934165822
!
!
!
crypto pki certificate chain TP-self-signed-1934165822
certificate self-signed 01
quit
username xxxx password 0 xxxxxx
!
!
!
!
!
interface Loopback0
ip address x.x.x.x 255.255.255.255
!
interface ATM0
no ip address
ip virtual-reassembly
no ip route-cache cef
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/36
encapsulation aal5autoppp Virtual-Template1
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description VLAN 1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description ADSL Dialer
ip unnumbered Loopback0
ip nat outside
no ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname xxxxxx
ppp chap password 0 xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
password xxxxx
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
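The two running-configs posted in this thread each leave one half of the NAT setup dangling: the first references list 1 without defining access-list 1, and the second defines access-list 1 but has no "ip nat inside source" statement. As an added example (not part of the original posts), this Python check reports both, along with ACL 23, which access-class references in both configs but which is never defined; the function name audit and the trimmed sample configs are constructed for illustration.

```python
import re

# Constructed samples: lines copied from the two running-configs posted in this
# thread, trimmed to the NAT and ACL statements (IOS indentation not required).
FIRST = """interface ATM0
no ip address
ip nat inside
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface Dialer0
ip nat outside
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 100
line vty 0 4
access-class 23 in"""

SECOND = """interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface Dialer0
ip nat outside
ip http access-class 23
access-list 1 permit 192.168.0.0 0.0.0.255
line vty 0 4
access-class 23 in"""

def audit(config):
    """Return findings for dangling ACL references and incomplete NAT wiring."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {m.group(1) for l in lines if (m := re.match(r"access-list (\d+) ", l))}
    ref_re = re.compile(r"(?:ip nat inside source list|(?:ip http )?access-class"
                        r"|match ip address) (\d+)")
    referenced = {m.group(1) for l in lines if (m := ref_re.match(l))}
    findings = [f"ACL {n} is referenced but not defined"
                for n in sorted(referenced - defined, key=int)]
    # Interface-level "ip nat inside|outside" belongs to the last "interface" line.
    roles, iface = {"inside": [], "outside": []}, None
    for l in lines:
        if l.startswith("interface "):
            iface = l.split()[1]
        elif iface and (m := re.fullmatch(r"ip nat (inside|outside)", l)):
            roles[m.group(1)].append(iface)
    has_rule = any(l.startswith("ip nat inside source ") for l in lines)
    if roles["inside"] and roles["outside"] and not has_rule:
        findings.append("NAT inside/outside interfaces set but no "
                        "'ip nat inside source' rule")
    return findings

if __name__ == "__main__":
    print(audit(FIRST), audit(SECOND), sep="\n")
```
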
ASKER CERTIFIED SOLUTION
ASKER
Hey, my initial issue was assigning my ISP's static address and subnet mask (255.255.255.255) in the dialer interface; it gave an error "Bad mask /32 for address x.x.x.x".
When I use the loopback interface, I can enter my static IP with a /32 netmask - this is the only method that has worked for me so far. If I disable the loopback interface, I won't be able to use my static IP (open for an alternative suggestion).
I edited the config - "ip nat inside source list 1 interface Dialer0 overload"
Still unable to ping public addresses from the LAN
SOLUTION
ASKER
Hey Guys,
Taking out that loopback interface and changing the subnet mask to a /24 did the trick.
The router is currently connected to the internet and I can browse.
Thanks so much for your help,
Ricardo.
Greg