Solved

Problems configuring a Cisco SG 800 router for PPPoE

Posted on 2013-05-19
Last Modified: 2013-05-21
We have recently had a PPPoE line installed in our office and we have connected it to a Cisco router (model SG 800). Unfortunately, we appear to have configured the router incorrectly and would like assistance with this please.

I can successfully PING or TRACEROUTE to external hosts whenever I am on the router console (via a Telnet session from my computer on the LAN side of the router), which suggests to me that the connection from the Cisco router to the PPPoE line is configured correctly. But I am unable to make external IP connections from my PC if I assign the default gateway to be the IP address of the Cisco router. This suggests to me that something needs configuring on the Cisco router to forward requests from its VLAN side to the Dialer1 interface.

Below is the routing table in the Cisco router and the access-list:


SwitchIT#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 220.244.26.173 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 220.244.26.173
            is directly connected, Dialer1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.251/32 is directly connected, Vlan1
      220.244.26.0/32 is subnetted, 2 subnets
C        220.244.26.173 is directly connected, Dialer1
C        220.244.26.174 is directly connected, Dialer1
SwitchIT#
SwitchIT#show access-list
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 55
    10 permit 203.12.160.5
    20 permit 172.29.0.3
    30 permit 172.29.0.4
    40 permit 172.29.0.10
SwitchIT#
Question by:jpguillebaud
8 Comments


Expert Comment

by:naderz
ID: 39180212
Please confirm the following:

1) Is 220.244.26.173 the IP address of your ISP's connection to you?
2) How are you applying ACLs 1 and 55?

3) Can you provide a scrubbed running-config? At least the portions for the interface configuration and routing.

Author Comment

by:jpguillebaud
ID: 39180239
1) Yes that is the IP address of PE (provider edge) of the PPPoE service
2) I don't know how the ACLs have been applied. What commands are normally used to apply them?

3) Here's part of the running-config (I have removed our PPPoE credentials and replaced them with placeholders):

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description Connection to TPG
 no ip address
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 10
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description Cutomer LAN
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 description WAN Dialer
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <%hostname%>
 ppp chap password 0 <%password%>
 ppp pap sent-username <%username%> password 0 <%password%>
 ppp ipcp dns accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool1 192.168.0.0 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password cisco
 login local
 transport input telnet ssh
!
end

Expert Comment

by:naderz
ID: 39180271
ACL 1 is used to define who gets NATed out: in your case it is 192.168.0.0/24.
ACL 55 is used to allow snmp servers in the list.

I see an issue with your NAT statement:

 ip nat inside source list 1 interface Dialer0 overload

You need to change this to use Dialer1 interface:

 ip nat inside source list 1 interface Dialer1 overload

When leaving your network, internal addresses are not NATed. Your testing directly from the router is successful because it uses the Dialer 1 interface's IP address; no NAT is needed.

I think that should work.

Accepted Solution

by:naderz (earned 500 total points)
ID: 39180295
One other recommendation:

Since your Dialer 1 interface is configured for a negotiated IP address, use:

ip route 0.0.0.0 0.0.0.0 dialer1 permanent

This way the default route remains intact even if the PPPoE session is brought down. Otherwise, incoming traffic may temporarily get affected in that case.
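The three configuration points this thread settles on (NAT overload bound to the wrong Dialer, a default route out a negotiated-address dialer without 'permanent', and the later 'ip dns server' fix) can be checked mechanically before a change window. The script below is an added example, not part of the thread or any Cisco tool; it runs over a constructed excerpt of the running-config posted above and over the same excerpt with the fixes applied.

```python
import re

# Constructed excerpt of the running-config posted above (only the lines the thread changes).
ORIGINAL_CONFIG = """\
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ppp ipcp dns accept
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
"""
# The same excerpt with the accepted answer and the 'ip dns server' fix applied.
FIXED_CONFIG = (ORIGINAL_CONFIG
                .replace("interface Dialer0 overload", "interface Dialer1 overload")
                .replace("0.0.0.0 0.0.0.0 Dialer1", "0.0.0.0 0.0.0.0 dialer1 permanent")
                + "ip dns server\n")

def parse_interfaces(cfg):
    """Map lower-cased interface name -> set of its indented sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip().lower()
            ifaces[cur] = set()
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].add(line.strip())
        else:
            cur = None  # '!' or a global command ends the interface block
    return ifaces

def check_pppoe_nat(cfg):
    """Return findings for the NAT, default-route and DNS issues discussed in the thread."""
    findings, ifaces = [], parse_interfaces(cfg)
    # 1. NAT overload must point at an addressed 'ip nat outside' interface.
    for m in re.finditer(r"^ip nat inside source list \S+ interface (\S+) overload", cfg, re.M):
        subs = ifaces.get(m.group(1).lower(), set())
        if "ip nat outside" not in subs or not any(s.startswith("ip address") for s in subs):
            findings.append(f"NAT overload uses {m.group(1)}, not an addressed 'ip nat outside' interface")
    # 2. A default route out a negotiated-address dialer should carry 'permanent'.
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)$", cfg, re.M):
        subs = ifaces.get(m.group(1).lower(), set())
        if "ip address negotiated" in subs and "permanent" not in m.group(2).split():
            findings.append(f"default route via {m.group(1)} lacks 'permanent'")
    # 3. DNS servers learned over IPCP only help LAN hosts if the router answers DNS itself.
    if (any("ppp ipcp dns accept" in s for s in ifaces.values())
            and not re.search(r"^ip dns server\s*$", cfg, re.M)):
        findings.append("'ppp ipcp dns accept' without 'ip dns server'")
    return findings
```

Running check_pppoe_nat over ORIGINAL_CONFIG reports all three problems; over FIXED_CONFIG it reports none.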

Author Comment

by:jpguillebaud
ID: 39182839
Hi Naderz, thank you that seems to have worked.  I am now able to do a TRACERT from my computer if I set the default gateway to the IP address of the Cisco router and the packets are now passing through the new internet line.  However, DNS resolution doesn't appear to be working currently.  Would you be able to tell me if there is anything I need to configure on the router to allow DNS requests/responses to pass through it?

Expert Comment

by:naderz
ID: 39182919
Well, for name resolution to work you need to point your PCs to a DNS server. Normally you have an internal DNS server that resolves all your internal addresses and is needed for Microsoft AD. Then for external names (e.g. yahoo.com) your internal DNS server will "forward" the request to a DNS server on the Internet that can resolve external names.

You need to make sure all the DNS configs are there. Who is your internal DNS server? What should be your external (e.g. your ISP's) DNS server? Then you go from there.

Author Comment

by:jpguillebaud
ID: 39183721
Hi Naderz, I have solved the DNS problem. All that was needed was this command:

ip dns server

Author Closing Comment

by:jpguillebaud
ID: 39183724
Thank you for your help. Everything is working perfectly now.