Cisco 877w ADSL Configuration using Static IP Address from ISP

Good Morning to Everyone,

I have a Cisco 877w and I need to establish a connection to the Internet using a static IP address.  I will also need to configure VPN access to this router using the Cisco VPN Client to connect.

I'm pretty new to the CLI but I was able to get the router connected to the internet and clients on the local segment were able to browse; however, this test was done at home using a negotiated IP.  I now need to take the router to the actual site and configure the ISP's static IP address. Once that works, I'll then focus on the VPN.

Below are the relevant portions of the current config, which work with my ADSL line at home (negotiated IP):

no ip domain lookup
ip name-server 205.214.192.201
ip name-server 205.214.192.202

interface ATM0
 no ip address
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/36
 !
 dsl operating-mode auto
...................................................
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ADSL Dialer
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer group 1
  no cdp enable
 ppp chap hostname (hostname)
 ppp chap password 0 (password)

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0

For the static configuration, is it a simple matter of replacing "ip address negotiated" with "ip address x.x.x.x y.y.y.y" (x being the static address and y being the subnet mask)?

Thanks in advance...
RD.






Ricardo_Dowell Asked:
greg ward (Systems Engineer) Commented:
It is a simple matter of replacing "ip address negotiated" with "ip address x.x.x.x y.y.y.y"

Greg
0
Ricardo_Dowell (Author) Commented:
Hey Greg,

Thanks for such a quick response.  
I will visit the site this afternoon and make this change to the config  - I will let you know if all goes well.

Thanks again,
RD.
0
Pro4ia Commented:
You should change ip route 0.0.0.0 0.0.0.0 Dialer0 to ip route 0.0.0.0 0.0.0.0 IPADDRESSOFDEFAULTGATEWAY
0
Ricardo_Dowell (Author) Commented:
Hello Everyone,

I tried changing from "ip address negotiated" to ip address x.x.x.x y.y.y.y.  However, when I entered my static address with the subnet mask my ISP has told me to use (255.255.255.255) I get the error below:

"Bad mask /32 for address x.x.x.x"

I consulted with my ISP's tech support about the mask and they insisted that it is correct. I configured the router they provided (Siemens Gigaset SE587) with the same Static Address and the /32 subnet mask and it worked.

I found a config that seems to work using the Loopback0 interface but I'm having problems in the following areas:

SSH error when trying to connect - "Server refused authentication protocol"
NAT (I'm assuming) -  I can ping public addresses from the router but not from the LAN (fa0 - 3)

Finally, I've visited Cisco's website and tried to configure the VPN based on their instructions but it doesn't work.

I've attached the config for you all to review.

Thanks Guys!


Using 4587 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Triloninc
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNUSERS local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPNGROUP1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Intra
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 205.214.192.201 205.214.192.202
   default-router 192.168.0.1
   domain-name INSIDE.local
!
!
no ip domain lookup
ip domain name Triloninc.com
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
crypto pki trustpoint TP-self-signed-1934165822
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1934165822
 revocation-check none
 rsakeypair TP-self-signed-1934165822
!
!
crypto pki certificate chain TP-self-signed-1934165822
 certificate self-signed 01 nvram:IOS-Self-Sig#3204.cer
username xxxxx password 0 xxxxxx
username xxxxx password 0 xxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 600
!
!
crypto isakmp client configuration group VPNGROUP
 key Keyw0rd
 dns 192.168.0.1 205.214.192.201
 domain Intranetwork.com
 pool dynpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxxxx
 mode client
 peer 192.168.0.1
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set VPN
 reverse-route
!
!
crypto map dynmap isakmp authorization list VPNGROUP
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback0
 ip address x.x.x.x 255.255.255.255
 ip virtual-reassembly
!
interface ATM0
 no ip address
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/36
  encapsulation aal5autoppp Dialer0
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 crypto ipsec client ezvpn ezvpnclient
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ADSL Dialer
 ip unnumbered Loopback0
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer watch-group 1
 dialer-group 1
 no cdp enable
 ppp chap hostname (hostname)
 ppp chap password 0 (password)
!
ip local pool dynpool 192.168.254.10 192.168.254.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 100
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
end


0
Pro4ia Commented:
Just to clarify: will you be using this as the ADSL modem/router, or did your carrier provide you a modem?
0
Pro4ia Commented:
Never mind, I see it in the config.
0
greg ward (Systems Engineer) Commented:
I use a /24 and it works for me (although I think it's not correct).
A /32 would give only 1 IP address on the network; not sure that should be right. However,
that's how Cisco used to do it. Have a quick read of that.
http://www.velocityreviews.com/forums/t57088-entering-32-subnet-mask-on-ppp-wan-interface.html

This has changed from 12.3 something.
Old software permitted /32 mask, new software didn't.

Greg
0
Ricardo_Dowell (Author) Commented:
Hey Guys, just to clarify a few things - this router is also the ADSL modem, the telephone cable connects directly to the WIC.

I can see that the modem is authenticated, the PPP LED is on and the RXD and TXD LEDs are active.  When I connect a computer to one of the FastEthernet ports, I receive an IP address from the dhcp pool but I am unable to ping the same Public IP addresses that I can ping successfully directly from the router.  So I know the loopback0 interface did the trick but something may be wrong with my NAT.

RD
0
greg ward (Systems Engineer) Commented:
interface ATM0
no ip address
ip nat inside--well this looks wrong
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload

I would set up the first line as it's easier and see if it works.
i.e.
 add access-list 1
 
 
Greg
0
Istvan Kalmar (Head of IT Security Division) Commented:
Please provide us:

sh ip int brief
0
Ricardo_Dowell (Author) Commented:
Hi Guys,

Sorry for the tardy response, I had to go back to the site.  

Ok, I reset the router to factory default then reconfigured the Loopback, ATM and Dialer interfaces, leaving out the VPN stuff for the time being, and I'm still stuck at a point where I can ping public addresses (using the CLI) when connected to the console port on the router but cannot ping any public addresses when connected to the LAN (fa ports).  I get an address from the DHCP pool, it assigns a gateway and DNS to my NIC but I can't ping any public addresses.

In my new config I added access-list 1 as suggested by Greg.

Below is the sh ip int br output:

Triloninc#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
Dot11Radio0                unassigned      YES TFTP   administratively down down
ATM0                       unassigned      YES manual up                    up
Vlan1                      192.168.0.1     YES manual up                    up
Virtual-Dot11Radio0        unassigned      YES TFTP   administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Dialer0                    65.48.132.91    YES TFTP   up                    up
Loopback0                  65.48.132.91    YES manual up                    up
NVI0                       unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up

I've also attached a copy of my new running config for you to review.

Thanks again.
0
Ricardo_Dowell (Author) Commented:
Sorry, somehow the running-config wasn't attached.
Current configuration : 3839 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Triloninc
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zQP/$4Szj75yXmnOQMrJExAgLu/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Triloninc
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 205.214.192.201 205.214.192.202
   domain-name Inside.local
!
!
no ip domain lookup
ip domain name Triloninc.com
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
crypto pki trustpoint TP-self-signed-1934165822
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1934165822
 revocation-check none
 rsakeypair TP-self-signed-1934165822
!
!
!
crypto pki certificate chain TP-self-signed-1934165822
 certificate self-signed 01
quit
username xxxx password 0 xxxxxx
!
!
!
!
!
interface Loopback0
 ip address x.x.x.x 255.255.255.255
!
interface ATM0
 no ip address
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/36
  encapsulation aal5autoppp Virtual-Template1
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description VLAN 1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ADSL Dialer
 ip unnumbered Loopback0
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
 password xxxxx
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


0
Istvan Kalmar (Head of IT Security Division) Commented:
You need
no int loop 0

ip nat inside source list 1 interface dial 0
0

Ricardo_Dowell (Author) Commented:
Hey, my initial issue was assigning my ISP's static address and subnet mask (255.255.255.255) in the dialer interface; it gave an error "Bad mask /32 for address x.x.x.x".

When I use the loopback interface, I can enter my static IP with a /32 netmask - this is the only method that has worked for me so far.  If I disable the loopback interface, I won't be able to use my static IP (open for an alternative suggestion).

I edited the config - "ip nat inside source list 1 interface Dialer0 overload"
Still unable to ping public addresses from the LAN
0
Pro4ia Commented:
Can you use a different subnet mask and get rid of the loopback? Instead of /32, try a /24 just for testing.
0
Ricardo_Dowell (Author) Commented:
Hey Guys,

Taking out that loopback interface and changing the subnet mask to a /24 did the trick.

The router is currently connected to the internet and I can browse.

Thanks so much for your help,

Ricardo.
0
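The NAT inconsistencies raised in the replies above (an "ip nat inside source list 1" rule with no access-list 1, "ip nat inside" on the address-less ATM0, and later an access-list 1 with no NAT rule at all) can be checked mechanically before going to site. The following is an added example, not part of the thread or any participant's post; audit_nat and the sample text are constructed for illustration, and the parser assumes full interface names, "!" separators in column 0, and only the "list" form of the NAT rule.

```python
import re

# Constructed excerpt: NAT-relevant lines of the second running-config posted above.
SAMPLE = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
!
access-list 1 permit 192.168.0.0 0.0.0.255
"""

def audit_nat(config):
    """Return findings about NAT consistency in an IOS-style configuration."""
    roles, addressed, acls, rules, iface = {}, set(), set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split()[1]
            roles[iface] = set()
        elif raw.startswith("!"):
            iface = None                  # "!" in column 0 closes the interface block
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            rules.append(m.groups())      # (ACL name, outside interface)
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and iface:
            roles[iface].add(m.group(1))
        elif re.match(r"ip (address \S|unnumbered )", line) and iface:
            addressed.add(iface)          # "no ip address" does not match here
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
    findings = []
    for name, r in roles.items():
        if "inside" in r and name not in addressed:
            findings.append(f"{name}: 'ip nat inside' on an interface with no IP address")
    if any(roles.values()) and not rules:
        findings.append("no 'ip nat inside source' rule: inside hosts are never translated")
    for acl, out in rules:
        if acl not in acls:
            findings.append(f"NAT rule references undefined access-list {acl}")
        if "outside" not in roles.get(out, set()):
            findings.append(f"NAT rule uses {out}, which is not marked 'ip nat outside'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE)))
```

Run against a saved "show running-config", an empty result means the inside/outside markings, the NAT rule and its access list agree with each other; it says nothing about routing or the /32 mask issue.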