Solved

Config for Cisco 1720 T1

Posted on 2010-11-09
Last Modified: 2012-05-10
I know next to nothing about Cisco routers, but even so I foolishly decided to tackle the task of setting up a Cisco router on my own and things have not gone well. I just had a T1 line installed in my home. I have a Cisco 1720 Router with a WIC 1DSU T1 card installed. I'm not sure if it matters, but I will be using this line primarily to VPN into my employer's corporate network.

My service provider gave me the following information:

WAN Network: 4.28.49.100/30
Gateway: 4.28.49.101
WAN: 4.28.49.102
Cust LAN IPs: 4.28.49.104/30

DNS:
209.244.0.3 primary
209.244.0.4 secondary

encapsulation: PPP
crc: 16

This is a home network. I have a PIX 501 firewall that I would like to add to the mix as well as a Linksys WRT54G (v1) wireless router, but these can wait till later.

I can connect to my Cisco 1720 router through a serial cable. I have tried using sample configurations I found on the Internet and doing my best to figure out how to modify them to meet my needs, but so far nothing has worked. I have also tried using the Cisco ConfigMaker application. In ConfigMaker I added devices for EthernetLAN, Cisco 1720 Router, and Internet. I connected EthernetLAN and Cisco1720 devices with an Ethernet connection with the IP address 192.168.1.2. I connected the Cisco1720 and Internet devices with a PPP connection and tried assigning it all four IP addresses (one at a time) given to me by my service provider. After each alteration I used the Deliver Configuration Wizard to push the configuration out to the router. Each time the Ethernet indicators on the router light up, as does the CD indicator on the WIC, but the LP indicator never lights up. (The WIC 0/0 indicator is lit.)

The ideal solution would be one that holds my hand through the configuration process with step-by-step instructions. However, I am not entirely technically deficient, so a solution that includes a sample configuration would be just as welcome -- as long as it is a full configuration and not just the parts that relate to the T1 (I don't know what it is that I don't know).

Please let me know if there are any further details I can provide or if there is any additional info I should request from my service provider.
Question by: otto45
 
LVL 13

Accepted Solution

by:
SIM50 earned 500 total points
Some explanation. Your provider gave you 4.28.49.100/30. It gives 4 IP addresses total but only 2 usable IPs. The first IP is used as the network ID, the second and third IPs are usable, and the fourth is the broadcast IP. The first and fourth IPs can't be used.

Your configuration on Serial 0/0:
 bandwidth 1536
 ip address 4.28.49.102 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip nat outside
 encapsulation ppp
 load-interval 30
 no fair-queue
 no cdp enable

Now you need to set up a default route so you can get to the Internet. In enable mode (it looks like #), type:
conf t
ip route 0.0.0.0 0.0.0.0 4.28.49.101
end

You need to configure your internal interface:
interface FastEthernet0/0
 description internal
 ip address 192.168.2.1 255.255.255.0
 ip virtual-reassembly
 ip nat inside
 duplex auto
 speed auto

Set up Network Address Translation (NAT). In this example, all traffic from your network will look like it's coming from 4.28.49.102.
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface serial 0/0 overload

Right now, if you connect a computer directly to the internal port on the router, your default gateway will be 192.168.2.1. You will also need to set the computer's IP address to 192.168.2.3, for example, with network mask 255.255.255.0 and gateway 192.168.2.1. Use the DNS IPs provided by the ISP.

If you connect the firewall to the router, do the following on the firewall:
1. Connect the outside interface of the firewall to the router's internal.
2. Set up IP address 192.168.2.2, net mask 255.255.255.0.
3. Set up the default route to point to 192.168.2.1.
4. Create NAT overload to the outside interface.
5. Set the IP address on the internal interface to 192.168.1.1.

With the firewall attached, your default gateway for the internal network is 192.168.1.1.
0
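Added example, not part of SIM50's answer: a Python check of the /30 arithmetic described above, using the addresses from the question and the standard `ipaddress` module. The function names are illustrative; the code shows why two of the four addresses tried in ConfigMaker can never work, and derives the netmask and wildcard that appear in the answer's commands.

```python
import ipaddress

# Values copied from the question and the accepted answer.
WAN_NET = "4.28.49.100/30"
GATEWAY = "4.28.49.101"
WAN_IP = "4.28.49.102"
CUST_LAN = "4.28.49.104/30"
INSIDE_NET = "192.168.2.0/24"


def describe(cidr):
    """Split a prefix into network ID, usable hosts, broadcast and masks."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    return {
        "network_id": str(net.network_address),
        "usable": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
    }


def check_wan(wan_net, wan_ip, gateway):
    """Return a list of problems; empty means the interface address and the
    default-route next hop are two distinct usable hosts of the same subnet."""
    net = ipaddress.ip_network(wan_net)
    usable = set(net.hosts())
    problems = []
    for label, addr in (("WAN IP", wan_ip), ("gateway", gateway)):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{label} {addr} is outside {wan_net}")
        elif ip not in usable:
            problems.append(f"{label} {addr} is the network ID or broadcast")
    if wan_ip == gateway:
        problems.append("WAN IP and gateway are the same address")
    return problems


def ios_lines(wan_net, wan_ip, gateway, inside_net):
    """Rebuild the three address-dependent commands from the answer."""
    wan, inside = describe(wan_net), describe(inside_net)
    return [
        f"ip address {wan_ip} {wan['netmask']}",
        f"ip route 0.0.0.0 0.0.0.0 {gateway}",
        f"access-list 10 permit {inside['network_id']} {inside['wildcard']}",
    ]


if __name__ == "__main__":
    for candidate in describe(WAN_NET)["usable"] + ["4.28.49.100", "4.28.49.103"]:
        print(candidate, check_wan(WAN_NET, candidate, GATEWAY) or "ok")
```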
 
LVL 13

Expert Comment

by:SIM50
A note: my configuration example assumes you have a full T1.
0
 

Author Comment

by:otto45
SIM50, thanks for your quick reply. I've used the information you provided to configure the router, but I am still unable to reach the Internet. Below is a transcript of my terminal session into the router. In addition, I connected my computer directly into the router and changed its IPv4 settings to use the IP, default gateway, and network mask that you suggested. I can ping the router using 192.168.2.1 but I cannot ping 4.28.49.101 or 4.28.49.102 or any other external IP address.

Note from the transcript that I was unable to execute the two 'ip virtual-reassembly' settings or the 'duplex auto' setting.

Please LMK if there are any other settings I should set or if I can provide a 'show' transcript of any sort.

+++++

User Access Verification

Password:
Cisco1720>enable
Password:
Cisco1720#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1720(config)#config Serial0
                         ^
% Invalid input detected at '^' marker.

Cisco1720(config)#interface Serial0
Cisco1720(config-if)#bandwidth 1536
Cisco1720(config-if)#ip address 4.28.49.102 255.255.255.252
Cisco1720(config-if)#no ip redirects
Cisco1720(config-if)#no ip unreachables
Cisco1720(config-if)#no ip proxy-arp
Cisco1720(config-if)#ip virtual-reassembly
                         ^
% Invalid input detected at '^' marker.

Cisco1720(config-if)#ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  broadcast-address   Set the broadcast address of an interface
  directed-broadcast  Enable forwarding of directed broadcasts
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  irdp                ICMP Router Discovery Protocol
  mask-reply          Enable sending ICMP Mask Reply messages
  mtu                 Set IP Maximum Transmission Unit
  nat                 NAT interface commands
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  rtp                 RTP parameters
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  tcp                 TCP header compression parameters
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation
  vrf                 VPN Routing/Forwarding parameters on the interface

Cisco1720(config-if)#ip nat outside
Cisco1720(config-if)#encapsulation ppp
Cisco1720(config-if)#load-interval 30
Cisco1720(config-if)#no fair-queue
Cisco1720(config-if)#no cdp enable
Cisco1720(config-if)#^Z
Cisco1720#
00:07:15: %SYS-5-CONFIG_I: Configured from console by console
Cisco1720#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1720(config)#ip route 0.0.0.0 0.0.0.0 4.28.49.101
Cisco1720(config)#end
Cisco1720#
00:07:54: %SYS-5-CONFIG_I: Configured from console by console
Cisco1720#interface FastEthernet0
           ^
% Invalid input detected at '^' marker.

Cisco1720#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1720(config)#interface FastEthernet0
Cisco1720(config-if)#description internal
Cisco1720(config-if)#ip address 192.168.2.1 255.255.255.0
Cisco1720(config-if)#ip virtual-reassembly
                         ^
% Invalid input detected at '^' marker.

Cisco1720(config-if)#ip nat inside
Cisco1720(config-if)#duplex auto
                      ^
% Invalid input detected at '^' marker.

Cisco1720(config-if)#speed auto
Cisco1720(config-if)#access-list 10 permit 192.168.2.0 0.0.0.255
Cisco1720(config)#ip nat inside source list 10 interface serial0 overload
Cisco1720(config)#^Z
Cisco1720#
00:10:35: %SYS-5-CONFIG_I: Configured from console by console
Cisco1720#
0
 
LVL 13

Expert Comment

by:SIM50
Comment Utility
Can you please post your full config?
0
 

Author Comment

by:otto45
Current running IOS config:


!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1720
!
no logging console
enable password 7 08165E4F071E0912005A
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
 bandwidth 1536
 ip address 4.28.49.102 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 load-interval 30
 shutdown
 no fair-queue
 no cdp enable
!
interface FastEthernet0
 description internal
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 speed auto
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
ip nat inside source list 10 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 4.28.49.101
no ip http server
!
access-list 10 permit 192.168.2.0 0.0.0.255
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 10791B180B101E0E1E55
 login
line aux 0
line vty 0 4
 password 7 0738334D400E15000543
 login
!
no scheduler allocate
end
0

 
LVL 13

Expert Comment

by:SIM50
You have to enable the serial0 interface. In serial0 config mode type: no shutdown.
Also, in global config mode type:
ip routing
ip cef

Instead of enable password, use enable secret, because when you use enable password, it can be decrypted.
0
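Added example, not part of the thread: a small Python audit that finds the points SIM50 raises (WAN interface left in `shutdown`, missing `ip cef`, `enable password` instead of `enable secret`) in an excerpt of the posted running config. The function names and finding ids are illustrative; the checks for type 7 line passwords and the default `public` SNMP community go beyond what the thread discusses.

```python
# Excerpt of the running config posted above (password strings replaced by a
# placeholder, unrelated lines trimmed).
SAMPLE = """\
service password-encryption
enable password 7 <redacted>
!
interface Serial0
 ip address 4.28.49.102 255.255.255.252
 encapsulation ppp
 shutdown
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 4.28.49.101
snmp-server community public RO
!
line vty 0 4
 password 7 <redacted>
 login
"""

def sections(config):
    """Group indented sub-commands under their parent line, IOS style."""
    parent, out = None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and parent is not None:
            out[parent].append(line)
        else:
            parent = line
            out.setdefault(parent, [])
    return out

def audit(config):
    """Return (id, detail) findings: thread issues plus two hardening checks."""
    sec, found = sections(config), []
    for head, body in sec.items():
        has_ip = any(l.startswith("ip address ") for l in body)
        # Exact match, so "no shutdown" does not count as shutdown.
        if head.startswith("interface ") and has_ip and "shutdown" in body:
            found.append(("if-shutdown", f"{head} is administratively down"))
        if head.startswith("line ") and any(l.startswith("password 7 ") for l in body):
            found.append(("type7-line", f"{head} uses a reversible type 7 password"))
    if any(h.startswith("enable password") for h in sec) and \
            not any(h.startswith("enable secret") for h in sec):
        found.append(("enable-password", "enable password set, no enable secret"))
    if "ip cef" not in sec:
        found.append(("no-cef", "ip cef is not configured"))
    if any(h.split()[:3] == ["snmp-server", "community", "public"] for h in sec):
        found.append(("snmp-public", "SNMP community is the default 'public'"))
    return found
```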
 

Author Comment

by:otto45
SIM50, you are a godsend. I have the router up and running. I've had some trouble getting the firewall configured though. I think I've performed the other steps properly, but I'm not sure how to do the step "Create NAT overload to outside interface."

Here is the current running config on the firewall:

+++++

        no ip address inside
Current IP Address:
        no ip address inside
mypix(config)# show ip address outside
System IP Address:
        ip address outside 192.168.2.2 255.255.255.0
Current IP Address:
        ip address outside 192.168.2.2 255.255.255.0
mypix(config)# ip address inside 192.168.0.1 255.255.255.0
Interface address is not on same subnet as DHCP pool
mypix(config)# clear dhcpd
mypix(config)# ip address inside 192.168.1.1 255.255.255.0
mypix(config)# show ip address inside
System IP Address:
        ip address inside 192.168.1.1 255.255.255.0
Current IP Address:
        ip address inside 192.168.1.1 255.255.255.0
mypix(config)# show dhcp
Ambiguous command. Please enter more characters.
mypix(config)# show dhcpd
mypix(config)#
mypix#
mypix# enable
Type help or '?' for a list of available commands.
mypix# show ?

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

aaa             Enable, disable, or view TACACS+, RADIUS or LOCAL
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
access-group    Bind an access-list to an interface to filter inbound traffic
access-list     Add an access list
activation-key  Modify activation-key.
age             This command is deprecated. See ipsec, isakmp, map, ca commands
alias           Administer overlapping addresses with dual NAT.
apply           Apply outbound lists to source or destination IP addresses
arp             Change or view arp table, set arp timeout value, view statistics
auth-prompt     Customize authentication challenge, reject or acceptance prompt
auto-update     Configure auto update support
banner          Configure login/session banners
blocks          Show system buffer utilization
ca              CEP (Certificate Enrollment Protocol)
                Create and enroll RSA key pairs into a PKI
                (Public Key Infrastructure).
capture         Capture inbound and outbound packets on one or more interfaces
checksum        View configuration information cryptochecksum
chunkstat       Display chunk stats
clock           Show and set the date and time of PIX
conduit         Add conduit access to higher security level network or ICMP
configure       Configure from terminal, floppy, memory, network, or
                factory-default.  The configuration will be merged with the
                active configuration except for factory-default in which case
                the active configuration is cleared first.
conn            Display connection information
console         Set idle timeout for the serial console of the PIX
cpu             Display cpu usage and cpu profiling operations
Crashinfo       Read, write and configure crash write to flash. Force a crash.
crypto          Configure IPsec, IKE, and CA
ctiqbe          Show the current data stored for each CTIQBE session.
curpriv         Display current privilege level
debug           Debug packets or ICMP tracings through the PIX Firewall.
dhcpd           Configure DHCP Server
dhcprelay       Configure DHCP Relay Agent
domain-name     Change domain name
dynamic-map     Specify a dynamic crypto map template
eeprom          show or reprogram the 525 onboard i82559 devices
enable          Configure enable passwords
established     Allow inbound connections based on established connections
failover        Enable/disable PIX failover feature to a standby PIX
filter          Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filtering
fixup           Add or delete PIX service and feature defaults
flashfs         Show, destroy, or preserve filesystem information
fragment        Configure the IP fragment database
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
h225            Show the current h225 data stored for each connection.
h245            List the h245 connections.
h323-ras        Show the current h323 ras data stored for each connection.
history         Display the session command history
http            Configure HTTP server
mypix# show running-config
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UIYfoem6BlKWlBbG encrypted
passwd UIYfoem6BlKWlBbG encrypted
hostname mypix
domain-name hairenet.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e28d612e570eed9086a842bef654d560
: end
0
 
LVL 13

Expert Comment

by:SIM50
Glad to help. In PIX, enter the following command:
nat (inside) 1 192.168.2.0 255.255.255.0
0
 
LVL 13

Expert Comment

by:SIM50
Sorry for the mistake. It's nat (inside) 1 192.168.1.0 255.255.255.0
0
 

Author Closing Comment

by:otto45
Many thanks to SIM50 for his quick and extremely helpful response.
0
