dwknight

asked on

Cisco 877 static ip assignment using CCP

Hello,

I have a Cisco 877 router that up until now has had a dynamically assigned ip address from my ISP.

I have just been allocated a static ip address by my ISP with a /32 subnet mask.

I am having trouble with CCP 2.4 reconfiguring from dynamic to static. When I enter in the new IP4 ip address xxx.xxx.xxx.xxx and the allocated subnet mask of 255.255.255.255 I receive a configuration error stating that I must put in a valid IP address and subnet mask.

I am able to put a subnet mask of /30 without any issues - how do I enter in a subnet mask of /32 using the CCP?

Do I need to enter this new static ip with the /32 subnet mask using the cli?

Many thanks for the assistance in advance.
dwknight

ASKER

Additional information - the router ios version is 12.4(24)T
ASKER CERTIFIED SOLUTION
pergr

This solution is only available to members.
ArneLovius

I'm wondering if you need to make any changes, it could be that they provide you the same address each time using the existing dialer config...
Hey Perg - thanks for the suggestion - it is a dialer interface (dialer 0) - I will give it a go when the office gets some down time. Will I still need to use 'ip subnet-zero' (And reboot the router)? Or will the loopback0 interface allow the dialer interface to have a subnet mask of /32 - getting around the original error (in the original post) of bad subnet mask or ip address?

ArneLovius - Thanks for the additional suggestion - Some more information - I am attempting to create a site to site vpn (for the first time) - and through preliminary testing - The ccp will not allow the creation of a vpn using the wizard because the remote interface (the router at either end at each site - both are Cisco 877) is not set to static - even though the ISP has assigned us static ip addresses for both sites.

Again, thank you very much for your help!
Hey Pergr, (my apologies)

I have had a chance to do some 'in work hours' updates.

I have added the loopback interface with the static ip address successfully.
It will allow me to add the ip unnumbered loopback (static ip) to the dialer 0 interface.

As always, there is an issue with this, as I update the dialer 0 interface with the loopback address, there is a message that Port address translation on the interface will fail due to it being unnumbered.

It is a requirement for each site that port translation be in place.

From what I see there are a couple of possible solutions (please advise if I am on the correct path) do I need to reconfigure port translation from dialer 0 to the loopback interface? (or to the static ip address assigned to the loopback interface?)

Or is there something else I need to do elsewhere?

Many thanks for your assistance!
Try to put the loopback0 interface as your "outside" NAT interface.

No NAT on the dialer.
Thanks for the suggestion,

CCP states that NAT is not supported on the loopback 0 interface.

Found a workaround - that at least allowed me to run the VPN site to site wizard.

1. Set the ip address of the Dialer0 interface with a /30 subnet mask
2. Configured the VPNs at both ends using the site to site wizard (as the interface is static)
3. Set the Dialer0 interface back to IP negotiate. (which has the /32 subnet mask)

I verified the running config and it does not reference the /30 subnet mask anywhere within the VPN config. (sneaky I know, but it got me through the VPN config!)

It is not complaining about anything regarding the wizard configuration!!! (Hoorah)

Now moving onto my next issue regarding testing the tunnel.

Everything passes apart from the peer connectivity. For some reason the ping is not getting from the internet to the external interface of the router at either site.

I have checked the CCP firewall config and there is no external (outside) to dialer interface (self) rule to allow ping.

I have created a rule in this zone that allows anything from the other office ip xxx.xxx.xxx.xxx to get to anything inside the network for icmp.

The ping still fails from the tunnel test, and a subsequent test from any workstation at the main office to the site office router.

I have done a ping from the main office pc to the external interface of the site office router and it fails.

I have done a tracert from the main office to the external interface of the site office and it starts, gets to hop about 5 times and then I get * in the response.

I followed up with a pathping (from the main office) and it gets through the office router (100% success), the gateway for the ISP (100% success), gets to the third hop and fails (97/100) then fails on the next 3 ending with my workstation.

I am able to ping google.com from inside both offices.

Do I need to have the external incoming ping (allow) rule in any other zone?
(Do I need to lodge another question - as I seem to have resolved my static ip using VPN wizard issue?)

Many thanks to date for your suggestions.
My thanks to the both of you regarding setting a static ip address on the external interface using a /32 subnet mask.

I have awarded points based upon your suggestions, and they were good, unfortunately subsequent issues arose. But I have gone back to the original question which was setting an interface to static using a /32 bit subnet mask, and the loopback interface solution answered the base question.

I will submit a new question regarding the inability to ping the VPN peer, as it is outside of the scope of the original question.