Solved

Cisco 877W Dynamic WAN configuration, Cable modem

Posted on 2010-08-29
10
555 Views
Last Modified: 2012-05-10

Below is the working config that I used for several months with a static IP address from the ISP. Now I am going dynamic with a cable modem and trying to figure out what I am doing wrong.
I started to change the config. I added the new WAN connection via vlan2, then inputted a static route pointing the traffic to the vlan. Once that happened, it retrieved a public address on vlan 2 but was unpingable. Also keep in mind I still am connected and configured with the previous static ISP on vlan 101. But when I tested the dynamic ISP, I shut down the static ISP interface. Thanks for all your help.
! Last configuration change at 15:00:12 EDT Sun Aug 29 2010 by justme
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-28049375035
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-28049375035
 revocation-check none
 rsakeypair TP-self-signed-28049375035
!
!
crypto pki certificate chain TP-self-signed-28049375035
 certificate self-signed 01
 xxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxx
 xxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
 xxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxx
  quit
dot11 syslog
!
dot11 ssid WifiNet
 vlan 3
 max-associations 10
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
!
ip dhcp pool Internal-LAN
   import all
   network xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
   default-router xxx.xxx.xxx.xxx
   domain-name XXX.local
   dns-server xxx.xxx.xxx.xxx
   update arp
!
ip dhcp pool WLAN
   import all
   network 172.121.91.0 255.255.255.248
   default-router xxx.xxx.xxx.xxx
   domain-name XXX.local
   dns-server xxx.xxx.xxx.xxx
   update arp
!
!
ip cef
no ip bootp server
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 pptp tunnel echo 120
 l2tp security crypto-profile l2tp
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
!
!
!
!
no spanning-tree vlan 101
username justyou privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username justme privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username operator privilege 5 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip tcp synwait-time 10
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ts-l2tp-ipsec esp-3des esp-sha-hmac
 mode transport
!
crypto map l2tp-ipsec 10 ipsec-isakmp profile l2tp
 set transform-set ts-l2tp-ipsec
!
bridge irb
!
!
!
interface Loopback0
 description Loopback
 ip address xxx.xxx.xxx.xxx 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
 !
!
interface FastEthernet0
 !
!
interface FastEthernet1
 switchport access vlan 101
 !
!
interface FastEthernet2
 switchport access vlan 2
 !
!
interface FastEthernet3
 switchport access vlan 3
 !
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 peer default ip address pool DIAL-IN
 ppp mtu adaptive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2 callin
 !
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache cef
 no ip route-cache
 no dot11 extension aironet
 !
 encryption vlan 3 mode ciphers tkip
 !
 encryption mode ciphers aes-ccm
 !
 broadcast-key vlan 3 change 45
 !
 broadcast-key change 180 membership-termination
 !
 !
 ssid DigiNet
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 antenna receive right
 antenna transmit right
 antenna gain 128
 world-mode dot11d country US both
 no cdp enable
 !
!
interface Dot11Radio0.3
 encapsulation dot1Q 3 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Vlan1
 description NETWORK$ES_LAN$$FW_INSIDE$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx
 ip flow ingress
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 !
!
interface Vlan2
 description WAN(1) Connection$FW_OUTSIDE$
 ip address dhcp
 ip access-group FW-in in
 ip access-group FW-out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 3
 bridge-group 3 spanning-disabled
 !
!
interface Vlan3
 description Wifi(Access) Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 3
 bridge-group 3 spanning-disabled
 !
 hold-queue 100 out
!
interface Vlan101
 description WAN Connection$FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group FW-in in
 ip access-group FW-out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 !
!
interface BVI1
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat inside
 ip virtual-reassembly
 !
!
interface BVI3
 description $FW_INSIDE$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 10
 sort-by packets
 cache-timeout 10000
!
ip dns server
ip nat inside source static tcp xxx.xxx.xxx.xxx 1233 interface Vlan101 1233
ip nat inside source static tcp xxx.xxx.xxx.xxx 1234 interface Vlan101 1234
ip nat inside source route-map WAN interface Vlan101 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx permanent (ISP gateway)
ip route 0.0.0.0 0.0.0.0 vlan 2 permanent
!
ip access-list standard NAT
 permit xxx.xxx.xxx.xxx 0.0.0.31
 permit xxx.xxx.xxx.xxx 0.0.0.7
 permit xxx.xxx.xxx.xxx 0.0.0.7
 permit xxx.xxx.xxx.xxx 0.0.0.7
!
ip access-list extended FW-in
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 255.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host xxx.xxx.xxx.xxx any
 deny   ip 10.20.25.0 0.0.0.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   53 any any
 deny   55 any any
 deny   77 any any
 deny   pim any any
 evaluate traffic
 permit tcp any host xxx.xxx.xxx.xxx eq 1723 log-input
 permit udp any host xxx.xxx.xxx.xxx eq 1701 log-input
 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp log-input
 permit udp any host xxx.xxx.xxx.xxx eq isakmp log-input
 permit gre any host xxx.xxx.xxx.xxx log-input
 permit esp any host xxx.xxx.xxx.xxx log-input
 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq domain
 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq domain
 permit udp host xxx.xxx.xxx.xxx eq domain host xxx.xxx.xxx.xxx
 permit udp host xxx.xxx.xxx.xxx eq domain host xxx.xxx.xxx.xxx
 permit udp host 64.236.96.53 host xxx.xxx.xxx.xxx eq ntp
 permit udp host 64.90.182.55 host xxx.xxx.xxx.xxx eq ntp
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply log-input
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended FW-out
 remark private addressing exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 remark deny netbios traffic
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 137 log-input
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 permit ip any any reflect traffic timeout 100
 deny   ip any any
!
logging history informational
logging facility local6
logging xxx.xxx.xxx.xxx
no cdp run
!
!
!
!
route-map WAN permit 10
 match ip address NAT
 match interface Vlan101
!
snmp-server community xxxxxxxxx
snmp-server community xxxxxxxxx
snmp-server trap-source Loopback1
snmp-server host xxx.xxx.xxx.xxx xxxxxxxx
tftp-server xxx.xxx.xxx.xxx
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
control-plane
 !
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 3 protocol ieee
bridge 3 route ip
banner login ^C
*****************************************************
*   You Access Restricted Equipment                  *
*****************************************************
!
line con 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp server 64.226.96.44
ntp server 64.92.182.73
end

Question by:Ituser
10 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33554415
you need to update the NAT as well:

Save your config!
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1233 interface Vlan101 1233
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1234 interface Vlan101 1234
no ip nat inside source route-map WAN interface Vlan101 overload
ip nat inside source route-map WAN interface Vlan2 overload
no ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  permanent
no route-map WAN
route-map WAN permit 10
 match ip address NAT
 match interface Vlan2

int vlan 101
shut

Billy
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33554440
Hi,

It seems that you blocked DHCP messages in the firewall ACLs; please enable it, and it will be working...

ip access-list extended FW-out
1 permit udp any any eq bootpc
ip access-list extended FW-in
1 permit udp any eany eq bootpc

0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 250 total points
ID: 33554444
Sorry, these are the lines you need:

ip access-list extended FW-out
1 permit udp any any eq bootpc
ip access-list extended FW-in
1 permit udp any eq bootps any
0
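To see why the accepted entry matters, here is an added example that is not part of the thread and not Cisco's ACL engine: a small Python evaluator for the subset of IOS extended-ACL syntax that FW-in uses, run over an abridged copy of the thread's inbound ACL against a constructed DHCPOFFER, with and without "1 permit udp any eq bootps any", plus a narrower "eq bootpc" variant. The addresses are documentation ranges and every helper name is the example's own.

```python
"""Evaluator for the subset of IOS extended-ACL syntax used in this thread's FW-in.
Added example, not Cisco code: 'remark' and reflexive 'evaluate' entries and trailing
keywords such as log-input are ignored, and only the eq and range port operators exist."""
import ipaddress
from collections import namedtuple

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "pim": 103}
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123, "isakmp": 500}
ANY_ADDR, ANY_PORT = (0, 0xFFFFFFFF), (0, 65535)
Packet = namedtuple("Packet", "proto src dst sport dport")   # proto is "udp", "tcp", ...

def _ip(tok):
    return int(ipaddress.IPv4Address(tok))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i] -> ((net, wildcard), next index)."""
    if toks[i] == "any":
        return ANY_ADDR, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _ports(toks, i):
    """Parse an optional 'eq P' or 'range A B' at toks[i]; absent means any port."""
    op = toks[i] if i < len(toks) else None
    if op == "eq":
        return (_port(toks[i + 1]),) * 2, i + 2
    if op == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return ANY_PORT, i

def parse_acl(text):
    """Return ordered (action, proto, src, sport, dst, dport, text) entries."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] in ("remark", "evaluate", "ip"):
            continue                    # blank, remark, reflexive evaluate, or ACL header
        if toks[0].isdigit():           # optional leading sequence number
            toks = toks[1:]
        action, proto = toks[0], toks[1]
        pnum = None if proto == "ip" else (int(proto) if proto.isdigit() else PROTO_NUM[proto])
        src, i = _addr(toks, 2)
        sport, i = _ports(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _ports(toks, i)
        rules.append((action, pnum, src, sport, dst, dport, line.strip()))
    return rules

def _in_net(net_wild, ip):
    net, wild = net_wild
    return (ip & ~wild) == (net & ~wild)   # wildcard bits are "don't care"

def evaluate(rules, pkt):
    """First match wins; IOS ends every ACL with an implicit deny."""
    for action, pnum, src, sport, dst, dport, text in rules:
        if pnum is not None and pnum != PROTO_NUM[pkt.proto]:
            continue
        if not (_in_net(src, _ip(pkt.src)) and _in_net(dst, _ip(pkt.dst))):
            continue
        if sport[0] <= pkt.sport <= sport[1] and dport[0] <= pkt.dport <= dport[1]:
            return action, text
    return "deny", "implicit deny"

# Abridged copy of the thread's FW-in (redacted hosts and some bogon denies dropped).
FW_IN_ORIGINAL = """
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
deny 53 any any
evaluate traffic
permit icmp any any echo-reply log-input
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
"""
# The accepted answer's entry; sequence number 1 places it ahead of every deny.
FW_IN_ACCEPTED = "1 permit udp any eq bootps any\n" + FW_IN_ORIGINAL
# Narrower variant: server->client DHCP only, not everything sourced from port 67.
FW_IN_TIGHT = "1 permit udp any eq bootps any eq bootpc\n" + FW_IN_ORIGINAL

# Constructed packets on documentation addresses (not from the thread): a DHCPOFFER
# broadcast by the ISP's server, and a probe borrowing source port 67 to hit udp/53.
DHCP_OFFER = Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68)
PORT67_PROBE = Packet("udp", "203.0.113.1", "203.0.113.57", 67, 53)

def dhcp_verdicts():
    """ACL variant -> (verdict for the DHCPOFFER, verdict for the port-67 probe)."""
    out = {}
    for name, text in (("original", FW_IN_ORIGINAL), ("accepted", FW_IN_ACCEPTED), ("tight", FW_IN_TIGHT)):
        rules = parse_acl(text)
        out[name] = (evaluate(rules, DHCP_OFFER)[0], evaluate(rules, PORT67_PROBE)[0])
    return out
```

Calling dhcp_verdicts() gives deny/deny for the original list, permit/permit for the accepted entry and permit/deny for the bootpc variant: the original FW-in drops the server's reply on "deny udp any range 0 65535 any range 0 65535", so the lease never completes even though the router sent its DHCPDISCOVER; on IOS an outbound ACL does not filter packets the router itself originates, which is why FW-out's bootps/bootpc denies were never the problem, and why the reflexive "evaluate traffic" entry has no session to match the reply against. Adding "eq bootpc" keeps the fix but stops anything merely sourced from port 67 from reaching the router's other UDP listeners. Note that sequence 1 also places the permit ahead of the anti-spoofing denies, so a DHCP-shaped packet from an RFC1918 source is accepted under either variant.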
 
LVL 2

Assisted Solution

by:nblancpain
nblancpain earned 250 total points
ID: 33556639
You need to get your IP from the carrier instead of a static address, if I understand your question correctly:

interface Vlan101
 ip address negotiated
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33556641
You may also import DNS settings into your DHCP pools, among other things. Do you want this setting?
0
 
LVL 6

Author Comment

by:Ituser
ID: 33560027
Thank you ALL for the information posted.

rfc1180

I need my port forwarding statements
no ip nat inside source static tcp xxx.xxx.xxx.xxx  1234 interface Vlan101 1234

but I did need to update my NAT

ikalmar

I was blocking ports 67 and 68; I temporarily took the access-group off the interface for testing. I am redoing my ACL statements, getting rid of the reflexive access list.

nblancpain
Your comment was not correct for the VLAN interface.
I have to use 'ip address dhcp'; if I were using the dialer interface that would work, but it pointed me in the right direction.

nblancpain

The router acts as DNS server for all machines connected. I thought about allowing the machines to pull the DNS from the ISP, but I'm cautious. Let me know best practice.

--------------------------------------------------------

I am pulling DHCP now and accessing the internet. Below are the commands that I used to do that (basically using the vlan101 interface rather than the vlan 2 interface):

no ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  permanent
no ip route 0.0.0.0 0.0.0.0 vlan 2  permanent
ip route 0.0.0.0 0.0.0.0 vlan 101 permanent

interface vlan 101
no ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address dhcp
no ip access-group FW-in in
no ip access-group FW-out out

exit

no ip name-server xxx.xxx.xxx.xxx
no ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx used new dns servers from ISP
ip name-server xxx.xxx.xxx.xxx used new dns servers from ISP
ip name-server xxx.xxx.xxx.xxx public dns server

I am rebuilding the ACL firewall for it; I am open to any suggestions on best practices (maybe a template). Also, I will be awarding the points after these comments.

Thanks again


0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33560080
Hello again,

You are right to set the DNS to external DNS if it's the router's source anyway. This is best practice unless you run an internal DNS architecture. You just need to remove the manually specified DNS server and let the "import all" statement get the acquired DHCP parameters. Not sure it will work with a "negotiated" IP (done via L2 negotiation) instead of "dhcp" L3 negotiation. Try it out...

ip dhcp pool Internal-LAN
   import all
   no dns-server
0
 
LVL 6

Author Comment

by:Ituser
ID: 33560333
nblancpain

I tried it out. It will not import DNS under the DHCP pool using import all. (I took out 'ip dns server'; this tells the router to act as DNS server and forward the packets. I tried it both ways just in case.) I do have an internal server with AD, but it uses internal DNS for the computers connected, then forwards to the router (DNS server), then to the ISP DNS server. FYI, I don't know if this has anything to do with it, but I am using Linux OS machines.

Thanks

0
 
LVL 6

Author Comment

by:Ituser
ID: 33563366
I seem to have misassigned the points. I wanted nblancpain and ikalmar to split the points, 250 apiece. I submitted the final solution in one of my comments. I selected that so that others could see what actually solved my issue. Please reassign the points to the appropriate parties as they deserve it. Thanks
0
 
LVL 6

Author Closing Comment

by:Ituser
ID: 33563370
Thanks!
0
