Cisco 877W Dynamic WAN configuration, Cable modem

Posted on 2010-08-29
Last Modified: 2012-05-10

Below is the working config that I used for several months with a static IP address from the ISP. Now I am going dynamic with a cable modem and trying to figure out what I am doing wrong.
I started to change the config. I added the new WAN connection via vlan 2, then entered a static route pointing the traffic to the VLAN. Once that happened, it retrieved a public address on vlan 2 but was unpingable. Also keep in mind I am still connected and configured with the previous static ISP on vlan 101. But when I tested the dynamic ISP, I shut down the static ISP interface. Thanks for all your help.
! Last configuration change at 15:00:12 EDT Sun Aug 29 2010 by justme
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization exec default local 
aaa authorization network default group radius local 
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-28049375035
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-28049375035
 revocation-check none
 rsakeypair TP-self-signed-28049375035
!
!
crypto pki certificate chain TP-self-signed-28049375035
 certificate self-signed 01
 xxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxx
 xxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 quit
dot11 syslog
!
dot11 ssid WifiNet
 vlan 3
 max-associations 10
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
ip dhcp excluded-address xxx.xxx.xxx.xxx 
!
ip dhcp pool Internal-LAN
   import all
   network xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 
   default-router xxx.xxx.xxx.xxx 
   domain-name XXX.local
   dns-server xxx.xxx.xxx.xxx 
   update arp
!
ip dhcp pool WLAN
   import all
   network 172.121.91.0 255.255.255.248
   default-router xxx.xxx.xxx.xxx 
   domain-name XXX.local
   dns-server xxx.xxx.xxx.xxx 
   update arp
!
!
ip cef
no ip bootp server
ip name-server xxx.xxx.xxx.xxx 
ip name-server xxx.xxx.xxx.xxx 

!
no ipv6 cef
!
multilink bundle-name authenticated
!         
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 pptp tunnel echo 120
 l2tp security crypto-profile l2tp
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
!
!
!
!
no spanning-tree vlan 101
username justyou privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username justme privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username operator privilege 5 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip tcp synwait-time 10
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ts-l2tp-ipsec esp-3des esp-sha-hmac 
 mode transport
!
crypto map l2tp-ipsec 10 ipsec-isakmp profile l2tp 
 set transform-set ts-l2tp-ipsec 
!
bridge irb
!
!
!
interface Loopback0
 description Loopback
 ip address xxx.xxx.xxx.xxx 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown 
 no atm ilmi-keepalive
 !
!
interface FastEthernet0
 !
!
interface FastEthernet1
 switchport access vlan 101
 !
!
interface FastEthernet2
 switchport access vlan 2
 !
!
interface FastEthernet3
 switchport access vlan 3
 !
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 peer default ip address pool DIAL-IN
 ppp mtu adaptive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2 callin
 !
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache cef
 no ip route-cache
 no dot11 extension aironet
 !
 encryption vlan 3 mode ciphers tkip 
 !
 encryption mode ciphers aes-ccm 
 !
 broadcast-key vlan 3 change 45
 !
 broadcast-key change 180 membership-termination
 !
 !
 ssid DigiNet
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 antenna receive right
 antenna transmit right
 antenna gain 128
 world-mode dot11d country US both
 no cdp enable
 !
!
interface Dot11Radio0.3
 encapsulation dot1Q 3 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Vlan1
 description NETWORK$ES_LAN$$FW_INSIDE$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx
 ip flow ingress
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 !
!
interface Vlan2
 description WAN(1) Connection$FW_OUTSIDE$
 ip address dhcp
 ip access-group FW-in in
 ip access-group FW-out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 3
 bridge-group 3 spanning-disabled
 !
!
interface Vlan3
 description Wifi(Access) Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 3
 bridge-group 3 spanning-disabled
 !
 hold-queue 100 out
!
interface Vlan101
 description WAN Connection$FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx  255.255.255.0
 ip access-group FW-in in
 ip access-group FW-out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 !
!
interface BVI1
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 
 ip nat inside
 ip virtual-reassembly
 !
!
interface BVI3
 description $FW_INSIDE$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 10
 sort-by packets
 cache-timeout 10000
!
ip dns server
ip nat inside source static tcp xxx.xxx.xxx.xxx  1233 interface Vlan101 1233
ip nat inside source static tcp xxx.xxx.xxx.xxx  1234 interface Vlan101 1234
ip nat inside source route-map WAN interface Vlan101 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx permanent
! (the next hop above is the ISP gateway)
ip route 0.0.0.0 0.0.0.0 vlan 2  permanent
!
ip access-list standard NAT
 permit xxx.xxx.xxx.xxx  0.0.0.31
 permit xxx.xxx.xxx.xxx  0.0.0.7
 permit xxx.xxx.xxx.xxx 0.0.0.7
 permit xxx.xxx.xxx.xxx  0.0.0.7
!
ip access-list extended FW-in
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 255.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host xxx.xxx.xxx.xxx any
 deny   ip 10.20.25.0 0.0.0.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   53 any any
 deny   55 any any
 deny   77 any any
 deny   pim any any
 evaluate traffic 
 permit tcp any host xxx.xxx.xxx.xxx  eq 1723 log-input
 permit udp any host xxx.xxx.xxx.xxx  eq 1701 log-input
 permit udp any host xxx.xxx.xxx.xxx  eq non500-isakmp log-input
 permit udp any host xxx.xxx.xxx.xxx  eq isakmp log-input
 permit gre any host xxx.xxx.xxx.xxx  log-input
 permit esp any host xxx.xxx.xxx.xxx  log-input
 permit tcp host xxx.xxx.xxx.xxx  host xxx.xxx.xxx.xxx  eq domain
 permit tcp host xxx.xxx.xxx.xxx  host xxx.xxx.xxx.xxx  eq domain
 permit udp host xxx.xxx.xxx.xxx  eq domain host xxx.xxx.xxx.xxx 
 permit udp host xxx.xxx.xxx.xxx  eq domain host xxx.xxx.xxx.xxx 
 permit udp host 64.236.96.53 host xxx.xxx.xxx.xxx  eq ntp
 permit udp host 64.90.182.55 host xxx.xxx.xxx.xxx eq ntp
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply log-input
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended FW-out
 remark private addressing exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 remark deny netbios traffic
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 137 log-input
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 permit ip any any reflect traffic timeout 100
 deny   ip any any
!
logging history informational
logging facility local6
logging xxx.xxx.xxx.xxx
no cdp run

!
!
!
!
route-map WAN permit 10
 match ip address NAT
 match interface Vlan101
!
snmp-server community xxxxxxxxx
snmp-server community xxxxxxxxx
snmp-server trap-source Loopback1
snmp-server host xxx.xxx.xxx.xxx  xxxxxxxx
tftp-server xxx.xxx.xxx.xxx 
radius-server host xxx.xxx.xxx.xxx  auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
control-plane
 !
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 3 protocol ieee
bridge 3 route ip
banner login ^C
*****************************************************
*   You Access Restricted Equipment                  *
*****************************************************
!
line con 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp server 64.226.96.44
ntp server 64.92.182.73
end

Question by:Ituser
LVL 24

Expert Comment

by:rfc1180
ID: 33554415
You need to update the NAT as well:

Save your config!
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1233 interface Vlan101 1233
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1234 interface Vlan101 1234
no ip nat inside source route-map WAN interface Vlan101 overload
ip nat inside source route-map WAN interface Vlan2 overload
no ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  permanent
no route-map WAN
route-map WAN permit 10
 match ip address NAT
 match interface Vlan2

int vlan 101
shut

Billy
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33554440
Hi,

It seems that you blocked DHCP messages in the firewall ACLs; please permit them and it will work...

ip access-list extended FW-out
1 permit udp any any eq bootpc
ip access-list extended FW-in
1 permit udp any eany eq bootpc

LVL 34

Accepted Solution

by:
Istvan Kalmar earned 750 total points
ID: 33554444
Sorry, these are the lines you need:

ip access-list extended FW-out
1 permit udp any any eq bootpc
ip access-list extended FW-in
1 permit udp any eq bootps any
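As an added example (not from the thread or from Cisco), the following Python walks an abridged copy of the question's FW-in list the way IOS does (first match wins, implicit deny) against a constructed inbound DHCP OFFER, showing it dropped by the `deny udp ... range 0 65535` catch-all and then permitted once the accepted answer's sequence-1 entry sits in front. `evaluate traffic` is treated as a non-match because the router's own DHCP DISCOVER never traverses the outbound list (IOS does not apply outbound ACLs to locally generated packets), so no reflexive entry exists; the addresses are constructed and 198.51.100.10 (TEST-NET-2) stands in for the redacted WAN address.

```python
import ipaddress

# Named ports that appear in the page's FW-in list.
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123, "isakmp": 500}
# Abridged copy of the question's FW-in list (original order, entries an inbound DHCP
# OFFER can reach); 198.51.100.10 (TEST-NET-2) stands in for the redacted WAN address.
FW_IN = [
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 255.0.0.0 0.255.255.255 any",
    "deny ip host 0.0.0.0 any",
    "evaluate traffic",
    "permit udp host 64.236.96.53 host 198.51.100.10 eq ntp",
    "deny icmp any any",
    "deny udp any range 0 65535 any range 0 65535",
    "deny ip any any",
]
FIX = "1 permit udp any eq bootps any"  # accepted answer; sequence 1 is evaluated first
# Constructed inbound DHCP OFFER: ISP server port 67 to the limited broadcast, port 68.
OFFER = ("udp", "198.51.100.1", 67, "255.255.255.255", 68)

def ip2int(a):
    return int(ipaddress.IPv4Address(a))

def parse_addr(t):
    """Consume any | host A | A WILDCARD; return (base, mask) and the leftover tokens."""
    if t[0] == "any":
        return (0, 0), t[1:]
    if t[0] == "host":
        return (ip2int(t[1]), 0xFFFFFFFF), t[2:]
    return (ip2int(t[0]), ~ip2int(t[1]) & 0xFFFFFFFF), t[2:]

def parse_port(t):
    """Optional port qualifier: eq is modelled; range is match-all (this list only uses 0-65535)."""
    if t and t[0] == "eq":
        return (int(t[1]) if t[1].isdigit() else PORTS[t[1]]), t[2:]
    if t and t[0] == "range":
        return None, t[3:]
    return None, t

def matches(entry, pkt):
    proto, src, sport, dst, dport = pkt
    t = entry.split()
    if t[0].isdigit():  # strip an IOS sequence number
        t = t[1:]
    if t[0] not in ("permit", "deny") or t[1] not in ("ip", proto):
        return False  # remark/evaluate lines, or another protocol
    (sb, sm), t = parse_addr(t[2:])
    sp, t = parse_port(t)
    (db, dm), t = parse_addr(t)
    dp, t = parse_port(t)  # trailing log-input / icmp type tokens are ignored
    return ((ip2int(src) & sm) == (sb & sm) and (ip2int(dst) & dm) == (db & dm)
            and sp in (None, sport) and dp in (None, dport))

def walk(acl, pkt):
    # First match wins, as on IOS; no match means the implicit deny.
    for entry in acl:
        if matches(entry, pkt):
            t = entry.split()
            return (t[1] if t[0].isdigit() else t[0]), entry
    return "deny", "implicit deny"
```

Because sequence 1 lands in front of the anti-spoofing denies, the same walk shows the entry also passing a bootps-sourced packet from 192.168.0.0/16; pinning the source to the ISP's DHCP server (`host <server> eq bootps`) or giving the entry a sequence number after the bogon denies keeps those checks first.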
LVL 2

Assisted Solution

by:nblancpain
nblancpain earned 750 total points
ID: 33556639
You need to get your IP from the carrier instead of a static address, if I understand your question correctly:

interface Vlan101
 ip address negotiated
LVL 2

Expert Comment

by:nblancpain
ID: 33556641
You may also import DNS settings, among others, into your DHCP pools. Do you want this setting?
LVL 6

Author Comment

by:Ituser
ID: 33560027
Thank you ALL for the information posted.

rfc1180

I need my port forwarding statements
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1234 interface Vlan101 1234

but I did need to update my NAT

ikalmar

I was blocking ports 67 and 68; I temporarily took the access-group off the interface for testing. I am redoing my ACL statements... getting rid of the reflexive access list.

nblancpain
Your comment was not correct for the VLAN interface.
I have to use 'ip address dhcp'; if I were using the dialer interface that would work, but it pointed me in the right direction.

nblancpain

The router acts as DNS server for all connected machines. I thought about allowing the machines to pull DNS from the ISP but I'm cautious. Let me know the best practice.

--------------------------------------------------------

I am pulling DHCP now and accessing the internet. Below are the commands I used to do that (basically using the vlan 101 interface rather than the vlan 2 interface):

no ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  permanent
no ip route 0.0.0.0 0.0.0.0 vlan 2  permanent
ip route 0.0.0.0 0.0.0.0 vlan 101 permanent

interface vlan 101
no ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address dhcp
no ip access-group FW-in in
no ip access-group FW-out out

exit

no ip name-server xxx.xxx.xxx.xxx
no ip name-server xxx.xxx.xxx.xxx
! new DNS servers from the ISP:
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
! public DNS server:
ip name-server xxx.xxx.xxx.xxx

I am rebuilding ACL firewall for it, I am open for any suggestions on best practices (maybe a template), also I will be rewarding the points after these comments.

Thanks again


LVL 2

Expert Comment

by:nblancpain
ID: 33560080
Hello again,

You are right to set the DNS to external DNS if it's the router's source anyway. This is best practice unless you run an internal DNS architecture. You just need to remove the manually specified DNS server and let the "import all" statement get the acquired DHCP parameters. Not sure it will work with a "negotiated" IP (done via L2 negotiation) instead of "dhcp" L3 negotiation. Try it out...

ip dhcp pool Internal-LAN
   import all
   no dns-server
LVL 6

Author Comment

by:Ituser
ID: 33560333
nblancpain

I tried it out. It will not import DNS under the DHCP pool using import all. (I took out 'ip dns server', which tells the router to act as DNS server and forward the packets; I tried it both ways just in case.) I do have an internal server with AD, but it uses internal DNS for the connected computers, then forwards to the router (DNS server), then to the ISP DNS server. FYI, I don't know if this has anything to do with it, but I am using Linux OS machines.

Thanks

LVL 6

Author Comment

by:Ituser
ID: 33563366
I seem to have misassigned the points. I wanted blancpain and ikalmar to split the points, 250 apiece. I submitted the final solution in one of my comments. I selected that so that others could see what actually solved my issue. Please reassign the points to the appropriate parties as they deserve it. Thanks
LVL 6

Author Closing Comment

by:Ituser
ID: 33563370
Thanks!