Cisco WAN Sub-Interface DHCP not getting address

Hi everyone, just a quick question, or re-affirming my belief.

I have a dynamic IP from my ISP. I get a few from them, but all dynamic. I run NAT behind my router. I have everything working perfectly on my FA0/1, which is a physical interface, and all my internal ones, including my VLANs on FA0/0, work great.

But since I'm trying to establish another public IP from my cable modem (dynamic, of course) on a sub-interface of my OUTSIDE one, which is FA0/1, it will not get an IP. Please review below and let me know if my FA0/1.80 is configured correctly, because I can't get it to get a DHCP address from my ISP.

I'm using a Cisco 2651XM router.

ROUTER3A-EXCHANGE#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.x.x.x   YES DHCP   up                    up      
FastEthernet0/1.80         unassigned      YES unset  up                    up <--------- THIS IS WHERE THE PROBLEM IS


interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
  ip address dhcp client-id FastEthernet0/1
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 2
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable

Asked by: mxrider_420

Istvan Kalmar (Head of IT Security Division) commented:
ok... try to disable firewall:

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 no  ip access-group 109 in
 no ip inspect SDM_LOW out

Did you get ip address?

mxrider_420 (Author) commented:
Oh, and sorry, I saw above I am missing

the DHCP client ID. When I add it, look what happens:

ROUTER3A-EXCHANGE(config-subif)#ip address dhcp client-id FastEthernet0/1.80
                                                                         ^
% Invalid input detected at '^' marker.

Istvan Kalmar (Head of IT Security Division) commented:
Hi,

you need:

interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 ip address DHCP

mxrider_420 (Author) commented:
Thanks.

Can you write that in full with what I have above so I can redo the interface via copy-paste?

Also, I don't really WANT a VLAN because there is no switching at this level of my network, but when I create a sub-interface I assume I need to specify one, correct? Above I have VLAN 2. There is no VLAN 2 on my network, not to mention this is my OUTSIDE interface I'm making the sub int on.

Please clarify, thanks.

mxrider_420 (Author) commented:
OK, so it should look like this...

interface FastEthernet0/1.80
description $FW_OUTSIDE$$ETH-WAN$
ip address DHCP
encapsulation dot1Q NATIVE
ip access-group 3 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule out
ip virtual-reassembly
no cdp enable

mxrider_420 (Author) commented:
OK, so I called the ISP and they don't need to do anything to release a 2nd IP to you. So this is my config below. Take a look and see if you can help me out. It looks like the config is OK, but it is not receiving any IP, even when I reboot my cable modem to try and give me that 2nd IP I so desperately need.

By the way, I changed it to .70 for a fresh start and deleted my other config! :)


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
!

ROUTER3A-EXCHANGE#show ip interface bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up      <------------------- ?
NVI0                       unassigned      NO  unset  up                    up

Istvan Kalmar (Head of IT Security Division) commented:
You need to fine-tune ACL 3:

 ip access-group 3 in

please provide us " sh access-list 3"

Istvan Kalmar (Head of IT Security Division) commented:
On the outside interface, "inspection in" needs to be configured:

https://learningnetwork.cisco.com/thread/13408

mxrider_420 (Author) commented:
ROUTER3A-EXCHANGE#sh access-list 3
Standard IP access list 3
    10 permit 192.168.1.57 (8694 matches)
    20 permit any (5615502 matches)


It's a simple rule. This rule is on my actual physical WIC interface too, fa0/1.

Istvan Kalmar (Head of IT Security Division) commented:
you need:

access-list 130 permit udp any eq bootps any eq bootpc

interface FastEthernet0/1.70
 no  ip access-group 3 in
ip access-group 130 in
 no  ip inspect SDM_LOW out
  ip inspect SDM_LOW in

mxrider_420 (Author) commented:
Perfect, thanks, I'll try this now...

What is the SDM low for?

mxrider_420 (Author) commented:
Also, with an extended ACL such as the one you have above, I cannot do host-based PAM. Are you suggesting I change my standard rule 3 to a 103 extended rule?..

mxrider_420 (Author) commented:
When I do this, my entire internet doesn't work. I even added a permit any any to 130.

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
  ip address dhcp
  ip access-group 130 in
  ip redirects
  ip unreachables
  ip proxy-arp
  ip nat outside
  ip inspect SDM_LOW in
  ip ips sdm_ips_rule out
  ip virtual-reassembly
 no cdp enable

Istvan Kalmar (Head of IT Security Division) commented:
ok please disable fw and acl
interface FastEthernet0/1.70
no   ip access-group 130 in
no   ip ips sdm_ips_rule out
no   ip inspect SDM_LOW in

mxrider_420 (Author) commented:
Keep the vlan1 though?

So it should look like this: ...

interface FastEthernet0/1.70
encapsulation dot1Q 1 native
ip address dhcp
ip redirects
ip unreachables
ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable

Istvan Kalmar (Head of IT Security Division) commented:
yep...

Is it working?

mxrider_420 (Author) commented:
Did not work. Again, when I add this interface it drops internet to the entire network... :S

mxrider_420 (Author) commented:
I think I need the FW in there to tell it it's an outside network, but I'm not sure why it will not allow me to access the internet from fa0/1 even if the fa0/1.70 isn't configured correctly...

Istvan Kalmar (Head of IT Security Division) commented:
Did you get an IP address from the new ISP or not?

mxrider_420 (Author) commented:
Yes, they said it's automatic. Like, I'm assuming that a sub-interface acts as a real one. My router has 2 ports: one is physically plugged into the ISP-side modem and the other goes to the inside switch to the network.

Now, having said this, I still can't understand why, when 0/1.70 is configured, the rest drop off even though fa0/1 KEEPS its IP.

mxrider_420 (Author) commented:
THIS allows me to have the interface FA0/1.70 AND access the internet, but still not getting DHCP from the ISP, yet they STILL claim it should work. Any ideas?

ROUTER3A-EXCHANGE#sh access-list 109
Extended IP access list 109
    10 permit udp any eq 2525 any eq 2525
    20 permit tcp any eq 2525 any eq 2525
    30 permit udp any any (531 matches)
    40 permit tcp any eq smtp any eq smtp
    50 permit udp host 64.59.176.15 eq domain any
    60 permit tcp any any eq ftp
    70 permit tcp any any eq 443
    80 permit tcp any any eq www
    90 permit udp host 64.59.176.13 eq domain any
    100 permit udp host 74.54.82.185 eq ntp any eq ntp
    110 permit ahp any any
    120 permit esp any any
    130 permit udp any any eq isakmp
    140 permit udp any any eq non500-isakmp
    150 permit udp any eq bootps any eq bootps
    160 permit udp any eq bootps any eq bootpc
    170 permit icmp any any echo-reply
    180 permit icmp any any time-exceeded
    190 permit icmp any any unreachable
    200 deny ip 172.17.17.0 0.0.0.255 any
    210 permit ip any any log (3079 matches)

ROUTER3A-EXCHANGE#show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 109 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
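
Added example (not part of the original thread and not the posters' code): a small Python model of IOS first-match ACL evaluation, run over the UDP and IP entries of ACL 109 shown above and the single ACL 130 entry suggested earlier, to see which entry a DHCP reply actually hits. The packet addresses and the sequence number given to the ACL 130 entry are constructed, and only static ACL entries are modelled, not `ip inspect`.

```python
import ipaddress, re

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123,
         "isakmp": 500, "non500-isakmp": 4500}
# UDP and IP entries of ACL 109 as shown in the thread; other protocols cannot match UDP.
ACL_109 = """
10 permit udp any eq 2525 any eq 2525
30 permit udp any any (531 matches)
50 permit udp host 64.59.176.15 eq domain any
90 permit udp host 64.59.176.13 eq domain any
100 permit udp host 74.54.82.185 eq ntp any eq ntp
130 permit udp any any eq isakmp
140 permit udp any any eq non500-isakmp
150 permit udp any eq bootps any eq bootps
160 permit udp any eq bootps any eq bootpc
200 deny ip 172.17.17.0 0.0.0.255 any
210 permit ip any any log (3079 matches)
"""
# The one ACL 130 entry from the thread; sequence number 10 is an assumption.
ACL_130 = "10 permit udp any eq bootps any eq bootpc"

def _ip(text):
    return int(ipaddress.ip_address(text))

def _addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip: ip == tok[1]), tok[2:]
    wild = _ip(tok[1])  # wildcard bits set to 1 are "don't care"
    return (lambda ip: (_ip(ip) | wild) == (_ip(tok[0]) | wild)), tok[2:]

def _port(tok):
    if tok[:1] != ["eq"]:  # no port qualifier: any port matches
        return (lambda port: True), tok
    want = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
    return (lambda port: port == want), tok[2:]

def first_match(acl, proto, src, sport, dst, dport):
    """Return (sequence, action) of the first entry that matches the packet."""
    for line in acl.strip().splitlines():
        tok = re.sub(r"\(.*?\)|\blog\b", "", line).split()  # drop hit counters and 'log'
        m_src, rest = _addr(tok[3:])
        m_sp, rest = _port(rest)
        m_dst, rest = _addr(rest)
        m_dp, _ = _port(rest)
        if tok[2] in ("ip", proto) and m_src(src) and m_sp(sport) and m_dst(dst) and m_dp(dport):
            return int(tok[0]), tok[1]
    return None, "deny"  # implicit deny that ends every IOS ACL
```

For a DHCP reply (UDP source port 67, destination port 68), `first_match(ACL_109, "udp", "10.0.0.1", 67, "255.255.255.255", 68)` returns `(30, "permit")`: the broad `permit udp any any` at sequence 30 matches before entries 150 and 160 are reached, and it also matches UDP from 172.17.17.0/24 ahead of the deny at 200. Against `ACL_130`, the same reply is permitted at entry 10, while any other inbound packet falls through to the implicit deny.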

Istvan Kalmar (Head of IT Security Division) commented:
you need to add:

ip access-list extended 109
 1 permit udp any eq bootpc any bootps
 2 permit udp any eq bootp2 any bootpc

mxrider_420 (Author) commented:
2 permit udp any eq bootp2 any bootpc
doesn't work. It gives an error. This is maddening.

mxrider_420 (Author) commented:
Anyone?
Question has a verified solution.