Solved

Problems configuring a Cisco SG 800 router for PPPoE

Posted on 2013-05-19
Last Modified: 2013-05-21
We have recently had a PPPoE line installed in our office and we have connected it to a Cisco router (model SG 800). Unfortunately, we appear to have configured the router incorrectly and would like assistance with this please.

I can successfully PING or TRACEROUTE to external hosts whenever I am on the router console (via a Telnet session on my computer on the LAN side of the router); this suggests to me that the connection to the PPPoE line from the Cisco router is configured correctly. But I am unable to make external IP connections from my PC if I assign the default gateway to be the IP address of the Cisco router. This suggests to me that something needs configuring on the Cisco router to forward requests from its VLAN side to the Dialer1 interface.

Below is the routing table in the Cisco router and the access-list:


SwitchIT#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 220.244.26.173 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 220.244.26.173
            is directly connected, Dialer1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.251/32 is directly connected, Vlan1
      220.244.26.0/32 is subnetted, 2 subnets
C        220.244.26.173 is directly connected, Dialer1
C        220.244.26.174 is directly connected, Dialer1
SwitchIT#
SwitchIT#show access-list
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 55
    10 permit 203.12.160.5
    20 permit 172.29.0.3
    30 permit 172.29.0.4
    40 permit 172.29.0.10
SwitchIT#
0
Question by:jpguillebaud
LVL 11

Expert Comment

by:naderz
ID: 39180212
Please confirm the following:

1) Is 220.244.26.173 the IP address of your ISP's connection to you?
2) How are you applying ACLs 1 and 55?

3) Can you provide a scrubbed running-config? At least the portions for the interface configuration and routing.
0
 

Author Comment

by:jpguillebaud
ID: 39180239
1) Yes, that is the IP address of the PE (provider edge) of the PPPoE service
2) I don't know how the ACLs have been applied. What commands are normally used to apply them?

3) Here's part of the running-config (I have removed our PPPoE credentials and replaced them with placeholders):

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description Connection to TPG
 no ip address
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 10
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description Cutomer LAN
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 description WAN Dialer
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <%hostname%>
 ppp chap password 0 <%password%>
 ppp pap sent-username <%username%> password 0 <%password%>
 ppp ipcp dns accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool1 192.168.0.0 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password cisco
 login local
 transport input telnet ssh
!
end
0
 
LVL 11

Expert Comment

by:naderz
ID: 39180271
ACL 1 is used to define who gets NATed out: in your case it is 192.168.0.0/24.
ACL 55 is used to allow snmp servers in the list.

I see an issue with your NAT statement:

 ip nat inside source list 1 interface Dialer0 overload

You need to change this to use Dialer1 interface:

 ip nat inside source list 1 interface Dialer1 overload

When leaving your network, internal addresses are not NATed. Your testing directly from the router is successful because it uses the Dialer 1 interface's IP address; no NAT needed.

I think that should work.
0
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 39180295
One other recommendation:

Since your Dialer 1 interface is configured for IP address negotiated, use:

ip route 0.0.0.0 0.0.0.0 dialer1 permanent

This way the default route remains intact even if the PPPoE session is brought down. Otherwise, incoming traffic may temporarily get affected in that case.
0
 

Author Comment

by:jpguillebaud
ID: 39182839
Hi Naderz, thank you, that seems to have worked. I am now able to do a TRACERT from my computer if I set the default gateway to the IP address of the Cisco router and the packets are now passing through the new internet line. However, DNS resolution doesn't appear to be working currently. Would you be able to tell me if there is anything I need to configure on the router to allow DNS requests/responses to pass through it?
0
 
LVL 11

Expert Comment

by:naderz
ID: 39182919
Well, for name resolution to work you need to point your PCs to a DNS server. Normally you have an internal DNS server that resolves all your internal addresses and is needed for Microsoft AD. Then for external names (e.g. yahoo.com) your internal DNS server will "forward" the request to a DNS server on the Internet that can resolve external names.

You need to make sure all the DNS configs are there. Who is your internal DNS server? What should be your external (e.g. your ISP's) DNS server? Then you go from there.
0
 

Author Comment

by:jpguillebaud
ID: 39183721
Hi Naderz, I have solved the DNS problem. All that was needed was this command:

ip dns server
0
 

Author Closing Comment

by:jpguillebaud
ID: 39183724
Thank you for your help. Everything is working perfectly now.
0
