aucklandnz
asked on
cisco ADSL router config
Any idea why I cannot successfully establish a connection with my ISP?
Here is my config:
Building configuration...
Current configuration : 8981 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname airport
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TP.u$eVGh8rHFQdC8BrO.4LRex1
enable password T@ur15m
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3005635415
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3005635415
revocation-check none
rsakeypair TP-self-signed-3005635415
!
!
crypto pki certificate chain TP-self-signed-3005635415
certificate self-signed 01
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp timeout 300
ip inspect name CBACFilter udp timeout 300
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip inspect name FIRE-IN tcp timeout 300
ip inspect name FIRE-IN udp timeout 300
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 202.27.x.x
ip name-server 202.27.x.x
!
!
!
username myusername privilege 15 secret 5 $1$YzNp$WIB2WP/.xtqZw9f/4C/UA1
username admin privilege 15 secret 5 $1$aZTy$QOqCHsSkXtgUAvXN4DkSy.
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key ******* address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto map nolan 11 ipsec-isakmp
set peer 203.97.x.x
match address TAVPN
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Local LAN
ip address 192.168.1.254 255.255.255.0
ip access-group InternetOutbound in
ip inspect CBACFilter out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
hold-queue 100 out
!
interface Dialer0
description ADSL connection to the Internet
ip address negotiated previous
ip access-group InternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect CBACFilter out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username username@isp domain password 0 *******
ppp ipcp dns accept
crypto map nolan
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static udp 192.168.16.5 52404 interface Dialer0 52405
ip nat inside source static udp 192.168.16.6 52404 interface Dialer0 52404
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard host
!
ip access-list extended InternetInbound
permit icmp any any
remark allows Head office full access
permit ip host 203.97.x.x any
remark allows Telnet from Head Office
permit tcp host 203.97.x.x any eq telnet
remark allow VNC from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
remark allow RDP from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
remark allow TELNET from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
remark allows C400 Data Gatherer
permit tcp host 210.54.x.x any eq 52404
remark allows C400 Data Gatherer via UDP
permit udp host 210.54.x.x any eq 52404
permit tcp host 210.54.x.x any eq 52405
permit udp host 210.54.x.x any eq 52405
ip access-list extended InternetOutbound
permit ip any any
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
permit icmp any any
remark allows WWW
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
remark allows RDP
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
remark allows VNC
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
remark allows TELNET
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
remark allows C400 Data Gatherer
permit tcp host 210.54.x.x any eq 52404
remark allows C400 Data Gatherer via UDP
permit udp host 210.54.x.x any eq 52404
permit tcp host 210.54.x.x any eq 52405
permit udp host 210.54.x.x any eq 52405
ip access-list extended TAVPN
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 192.168.16.1 255.255.255.0
no cdp run
!
!
route-map nonat permit 10
match ip address 150 130
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
length 0
transport input telnet
transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 218.185.224.8
end
On line 154, did you remove your UN/PW provided by your DSL provider for this forum? If not, I believe you need to configure this with the combo provided to you. Also, you may need to no shut the physical ATM0 interface, as it shows as shut down on line 109.
ASKER
Thanks for your reply.
Yes, I removed the username and password.
I will try no shutdown and will let you know.
ASKER
I put in no shutdown and now I have a green light on PPP, but I cannot browse the internet.
Can you log into the router and ping 4.2.2.2 from the CLI?
ASKER
Hi,
Yes, I can ping it.
Thanks.
ASKER
Any idea, anyone?
Sorry, had a dental emergency.
So, if you can ping 4.2.2.2, the connection to your ISP is now up and functional.
What other problems are you having specifically? Can't browse?
Need to know the machine OS, the IP address assigned to the machine, and the default gateway on the machine first.
Also see if you can ping 4.2.2.2 from the machine you are trying to browse with.
ASKER
Hi,
Thanks for your reply, hope you're not in pain anymore.
I cannot browse the net from the XP client.
The machine is on the same network (192.168.1.x), the gateway is the same IP as interface Vlan1, and DNS is the IP of the domain controller.
ASKER CERTIFIED SOLUTION
Actually, I said that wrong in the last part. It's the inbound access list applied to Dialer0 that doesn't appear to allow web traffic back inside unless it's coming from the head office, not the VLAN interface.
ASKER
OK,
I will explain in more depth what I have done.
I have ADSL Cisco 837 routers at my remote locations. They are configured for the ISP and for a VPN channel back to head office (192.168.0.x).
I have 2 new locations, so I bought 2 new ADSL Cisco 877s and was trying to reconfigure them based on the old config.
I took the config from the router that was on 192.168.16.x (so when I was pasting the access-lists I forgot to change it to 192.168.1.x).
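A small config lint, added here as an example and not part of the thread or the asker's config, for the mistake described in this post: it parses a constructed IOS excerpt modelled on the first config, evaluates the NAT route-map's ACLs for a LAN host the way IOS would (first match, implicit deny), and shows that 192.168.1.x hosts were never matched for translation until the copied ACLs were changed, even though the router itself could ping out. The excerpt, the 4.2.2.2 test destination and all function names are assumptions.

```python
"""Lint for the mistake in this thread: ACLs copied from a 192.168.16.x site onto a
192.168.1.x LAN, so inside hosts never match the NAT ACL and are not translated."""
import ipaddress
import re
# Constructed excerpt modelled on the first config posted above (not the real file).
OLD_CONFIG = """\
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
ip nat inside source route-map nonat interface Dialer0 overload
ip access-list extended TAVPN
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150 130
"""
# The change the asker made: the copied ACLs must name the new site's LAN.
FIXED_CONFIG = OLD_CONFIG.replace("192.168.16.0", "192.168.1.0")

def lan_network(config, iface="Vlan1"):
    """Network of the first 'ip address' line under the given interface."""
    block = re.search(rf"^interface {re.escape(iface)}\n((?: .*\n)*)", config, re.M)
    m = block and re.search(r"^ ip address (\S+) (\S+)$", block.group(1), re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network if m else None

def parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress reads a mask whose first octet is zero as a hostmask, i.e. an IOS wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def acl_entries(config, acl):
    """Yield (action, src_net, dst_net) for the 'ip' entries of a numbered or named ACL."""
    lines = re.findall(rf"^access-list {acl} ((?:permit|deny) ip .*)$", config, re.M)
    named = re.search(rf"^ip access-list extended {acl}\n((?: .*\n)*)", config, re.M)
    if named:
        lines += re.findall(r"^ ((?:permit|deny) ip .*)$", named.group(1), re.M)
    for line in lines:
        action, _proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, _ = parse_addr(rest)
        yield action, src, dst

def acl_permits(config, acl, src_ip, dst_ip):
    """First-match evaluation of one ACL; IOS ACLs end in an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl_entries(config, acl):
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False

def nat_acls(config):
    """ACLs named by the route-map that 'ip nat inside source' points at."""
    m = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    block = m and re.search(rf"^route-map {m.group(1)} permit \d+\n((?: .*\n)*)", config, re.M)
    hits = block and re.findall(r"^ match ip address (.+)$", block.group(1), re.M)
    return hits[0].split() if hits else []

def nat_covers_lan(config, dst="4.2.2.2", iface="Vlan1"):
    """Would a LAN host's packet to dst be translated? Route-map ACLs are OR'd."""
    host = str(lan_network(config, iface).network_address + 1)
    return any(acl_permits(config, acl, host, dst) for acl in nat_acls(config))
```

The same `acl_permits` check against the crypto ACL TAVPN shows why the IPsec tunnel stays down for the same reason until the LAN in that ACL is corrected too.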
Ahh, OK, that explains a lot. So you still need to make those changes to the config then.
ASKER
Will go there now and make the changes.
Will post results soon.
ASKER
I have updated the config.
Waiting until I can hook it up to the line (staff are using the internet at the moment).
This is my updated config:
Building configuration...
Current configuration : 8875 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname airportnz
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TP.u$eVGh8rHFQdC8BrO.4LRex1
enable password vccvcvcvc
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3005635415
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3005635415
revocation-check none
rsakeypair TP-self-signed-3005635415
!
!
crypto pki certificate chain TP-self-signed-3005635415
certificate self-signed 01
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp timeout 300
ip inspect name CBACFilter udp timeout 300
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip inspect name FIRE-IN tcp timeout 300
ip inspect name FIRE-IN udp timeout 300
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 202.27.158.40
ip name-server 202.27.156.72
!
!
!
username aucklandnz privilege 15 secret 5 $1$YzNp$WIB2WP/.xtqZw9f/4C/UA1
username admin privilege 15 secret 5 $1$aZTy$QOqCHsSkXtgUAvXN4DkSy.
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key mysecret address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto map nolan 11 ipsec-isakmp
set peer 203.97.x.x
match address TAVPN
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Local LAN
ip address 192.168.1.200 255.255.255.0
ip inspect CBACFilter out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
hold-queue 100 out
!
interface Dialer0
description ADSL connection to the Internet via Xtra
ip address negotiated previous
ip access-group InternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect CBACFilter out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username tourismauck1.xadsl@xtra.co.nz password 0 tuesday0
ppp ipcp dns accept
crypto map nolan
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard host
!
ip access-list extended InternetInbound
permit icmp any any
remark allows Head office full access
permit ip host 203.97.x.x any
remark allows Telnet from Head Office
permit tcp host 203.97.x.x any eq telnet
remark allow VNC from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
remark allow RDP from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
remark allow TELNET from Head Office
permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
ip access-list extended InternetOutbound
permit ip any any
permit icmp any any
remark allows WWW
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
remark allows RDP
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
remark allows VNC
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
remark allows TELNET
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended TAVPN
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 192.168.1.1 255.255.255.0
no cdp run
!
!
route-map nonat permit 10
match ip address 150 130
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
transport input telnet
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
terminal-type telnet
length 0
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 218.185.224.8
end
ASKER
Thanks,
ADSL is up and running; only the IPsec tunnel is down now, but I will post that as a separate question.
Thanks for your help.