Solved

Cisco 1900 ISR

Posted on 2011-02-27
Last Modified: 2012-05-11
I have the following setup, but I still have no internet access; the firewall is not active and I can't telnet to the router's inside IP address.
Thanks and regards,

!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$7m9x$0UtJfC0.KS28Q.ZnLoTE40
!
no aaa new-model
!
!
!
clock timezone PCTime 2
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3425677286
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3425677286
 revocation-check none
 rsakeypair TP-self-signed-3425677286
!
!
crypto pki certificate chain TP-self-signed-3425677286
 certificate self-signed 01
        quit
!
!
username user1 privilege 15 password 0 pass1
username user2 privilege 15 password 0 pass2
!
redundancy
!
!
ip tcp synwait-time 10
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 no mop enabled
 !
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname <user>
 ppp chap password 0 <pass>
 no cdp enable
 !
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
logging trap debugging
access-list 1 permit 192.168.10.1
access-list 1 permit 192.168.10.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
 !
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 03296F4F425F701C
 login
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
Question by:walidaam
17 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34991227
you need:


ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 1 interface Dialer1 overload
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34991232
and you need to allow access from inside:
access-list 23 permit 192.168.10.0 0.0.0.255


Author Comment

by:walidaam
ID: 34991749
I added all of it, but I still have the same problems.
Please have a look at the attached photos and advise: NATIMG-0220.JPG
IMG-0243.JPG
LVL 3

Expert Comment

by:mrmozaffari
ID: 34991966
You've missed some configuration, so there will not be any PPPoE connection.
Where is your VPDN configuration?!

Here is the solution :

1- We have to configure VPDN. Here it is:

     Router# conf t
     Router(config)# vpdn enable
     Router(config)# vpdn-group 1
     Router(config-vpdn)# request-dialin
     Router(config-vpdn-req-in)# initiate to (the ip address of pppoe server)
     Router(config-vpdn-req-in)# protocol pppoe

2- Configure your interface

    Router(config)# interface GigabitEthernet0/1
    Router(config-if)# pppoe-client dial-pool-number 1

3- Now it's time to configure the Dialer interface, where you are also missing some configuration.

interface dialer 1

ip address negotiated
dialer pool 1
dialer-group 1

4- And where is your dialer list? You need something like this:

Router(config)# dialer-list 1 protocol ip permit


Best Regards,
Mozaffari.



LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34992417
please show the whole config

Author Comment

by:walidaam
ID: 34992600
I reset the router and did it all again; the following is the running configuration.

Building configuration...

Current configuration : 6293 bytes
!
! Last configuration change at 22:22:29 PCTime Sun Feb 27 2011 by User1
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$DBAm$xgUjcRNzrDtgi2oqUiP950
!
no aaa new-model
!
!
!
clock timezone PCTime 2
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 192.168.10.2 213.42.20.20
   default-router 192.168.10.1
!
!
no ip bootp server
ip domain name domain.com
ip name-server 192.168.10.2
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
!
crypto pki trustpoint TP-self-signed-3425677286
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3425677286
 revocation-check none
 rsakeypair TP-self-signed-3425677286
!
!
crypto pki certificate chain TP-self-signed-3425677286
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FHK1447783P
!
!
username User1 privilege 15 secret 5 $1$ityB$ofzETFHUlJ08pk1zb2xJg1
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$$ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
 !
!
interface GigabitEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security in-zone
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
 !
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname USER
 ppp chap password 7 0116110F0A080E5975
 ppp pap sent-username USER password 7 15171C07552923727C
 no cdp enable
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
dialer-list 1 protocol ip permit
!
no cdp run

!
!
!
!
!
control-plane
 !
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end






I tried to add the following command, but it failed:

tas-heel(config-vpdn-req-in)#protocol pppoe
                                      ^
% Invalid input detected at '^' marker.

Best Regards,
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34992659
what shows : "show ip int brief" ?
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34992665
vpdn config is not needed for this router!
LVL 3

Expert Comment

by:mrmozaffari
ID: 34992854
Because your IOS does not support this command, you can change your IOS. To find this feature go to
www.cisco.com/go/fn

Author Comment

by:walidaam
ID: 34999262
Ikalmar,
myrouter#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up

GigabitEthernet0/1         192.168.10.1    YES NVRAM  up                    up

Dialer0                    unassigned      YES NVRAM  up                    up

NVI0                       unassigned      YES unset  administratively down down

Virtual-Access1            unassigned      YES unset  up                    up

Author Comment

by:walidaam
ID: 34999282
mrmozaffari,
what I have is a Cisco 1941 with the security bundle,
with Cisco IOS version 15.0
Regards,
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35000923
Hi,

it seems there is a problem with the dialer interface, because it didn't get any IP address from the ISP!
Dialer0                    unassigned      YES NVRAM  up                    up

you need to configure nat for dialer:

!
interface Dialer0
 ip nat outside

Firstly try to disable firewall:

interface GigabitEthernet0/0
no  zone-member security out-zone
interface GigabitEthernet0/1
no  zone-member security in-zone

you need to create ACL1 for NAT:
access-list 1 permit 192.168.10.0 0.0.0.255

Forget mrmozaffari's recommendation; the "tas-heel(config-vpdn-req-in)#protocol pppoe" is not needed for these routers!

p.s.: is the "USER" username correct for dialing PPPoE to the ISP?
 ppp chap hostname USER
 ppp chap password 7 0116110F0A080E5975
 ppp pap sent-username USER password 7 15171C07552923727C

Best regards,
Istvan





Author Comment

by:walidaam
ID: 35011190
Hi ikalmar

The following is my setup now. Dialer0 is connected to my ISP, and I can ping yahoo.com from the router.
But the PCs cannot access the internet.

myrouter#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up

GigabitEthernet0/1         192.168.10.1    YES NVRAM  up                    up

Dialer0                    2.XX.X.XX       YES IPCP   up                    up

NVI0                       192.168.10.1    YES unset  up                    up

Virtual-Access1            unassigned      YES unset  up                    up

Virtual-Access2            unassigned      YES unset  up                    up







interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$$ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
 !
!
interface GigabitEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
 !
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname HOST
 ppp chap password 7 0116110F0A080E5975
 ppp pap sent-username USER1 password 7 15171C07552923727C
 no cdp enable
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
LVL 34

Accepted Solution

by: Istvan Kalmar (earned 500 total points)
ID: 35011247
The config seems to be good.

please disable the firewall:
interface GigabitEthernet0/0
no  zone-member security out-zone
interface GigabitEthernet0/1
no  zone-member security in-zone

Do you use the right DNS? Did you try Google DNS: 8.8.8.8?
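A check for the gaps this thread walked through, as an added example that is not from any of the posts above: the script below (written here in Python, not IOS) parses a running-config dump and flags a missing default route, a missing NAT overload statement, interfaces without `ip nat inside`/`ip nat outside`, a NAT or vty `access-class` ACL that is referenced but never defined, and interfaces still bound to a zone-based firewall zone. The BROKEN and FIXED configs are constructed samples modelled on the first config in the thread; the function and variable names are this example's own.

```python
import re

def parse_interfaces(config):
    """Map each 'interface X' block of an IOS config to its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None          # any unindented line closes the interface block
    return ifaces

def audit_nat_config(config):
    """Return the gaps discussed in the thread; an empty list means all checks pass."""
    findings, ifaces = [], parse_interfaces(config)
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))   # numbered ACLs defined
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route (ip route 0.0.0.0 0.0.0.0 <dialer>)")
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload", config, re.M)
    if nat is None:
        findings.append("no 'ip nat inside source list ... interface ... overload'")
    else:
        acl, outside = nat.groups()
        if acl not in acls:
            findings.append(f"NAT uses access-list {acl}, which is never defined")
        if "ip nat outside" not in ifaces.get(outside, []):
            findings.append(f"{outside} lacks 'ip nat outside'")
    if not any("ip nat inside" in cmds for cmds in ifaces.values()):
        findings.append("no interface carries 'ip nat inside'")
    for acl in sorted(set(re.findall(r"^ access-class (\d+) in", config, re.M))):
        if acl not in acls:
            findings.append(f"vty access-class {acl} references an undefined ACL")
    findings += [f"{n} is in zone '{c.split()[-1]}'; zone-based firewall policy applies"
                 for n, cs in ifaces.items() for c in cs if c.startswith("zone-member security ")]
    return findings

# Constructed sample modelled on the thread's first config; FIXED adds the three lines the experts asked for.
BROKEN = """\
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
access-list 1 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class 23 in
"""
FIXED = BROKEN + """\
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 1 interface Dialer1 overload
access-list 23 permit 192.168.10.0 0.0.0.255
"""
```

Feed `audit_nat_config()` the text of `show running-config`; on BROKEN it reports the missing default route, the missing NAT overload statement and the undefined ACL 23, and on FIXED it returns an empty list.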

Author Comment

by:walidaam
ID: 35059522
Thanks ikalmar
Now everything is working fine, internet and telnet.
I'll make a new question about the firewall setup and remote access using VPN.
Please attend it.
Regards,
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059620
Thank you...

Author Comment

by:walidaam
ID: 35059700