
Problems configuring a Cisco SG 800 router for PPPoE

Posted on 2013-05-19
Last Modified: 2013-05-21
We have recently had a PPPoE line installed in our office and we have connected it to a Cisco router (model SG 800). Unfortunately, we appear to have configured the router incorrectly and would like assistance with this please.

I can successfully PING or TRACEROUTE to external hosts whenever I am on the router console (via a Telnet session on my computer on the LAN side of the router); this suggests to me that the connection to the PPPoE line from the Cisco router is configured correctly. But I am unable to make external IP connections from my PC if I assign the default gateway to be the IP address of the Cisco router.  This suggests to me that something needs configuring on the Cisco router to forward requests from its VLAN side to the Dialer1 interface.  

Below is the routing table in the Cisco router and the access-list:


SwitchIT#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 220.244.26.173 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 220.244.26.173
            is directly connected, Dialer1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.251/32 is directly connected, Vlan1
      220.244.26.0/32 is subnetted, 2 subnets
C        220.244.26.173 is directly connected, Dialer1
C        220.244.26.174 is directly connected, Dialer1
SwitchIT#
SwitchIT#show access-list
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 55
    10 permit 203.12.160.5
    20 permit 172.29.0.3
    30 permit 172.29.0.4
    40 permit 172.29.0.10
SwitchIT#
0
Question by:jpguillebaud
8 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39180212
Please confirm the following:

1) Is 220.244.26.173 the IP address of your ISP's connection to you?
2) How are you applying ACLs 1 and 55?

3) Can you provide a scrubbed running-config? At least the portions for the interface configuration and routing.
0
 

Author Comment

by:jpguillebaud
ID: 39180239
1) Yes that is the IP address of PE (provider edge) of the PPPoE service
2) I don't know how the ACLs have been applied. What commands are normally used to apply them?

3) Here's part of the running-config (I have removed our PPPoE credentials and replaced them with placeholders):

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description Connection to TPG
 no ip address
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 10
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description Cutomer LAN
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 description WAN Dialer
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <%hostname%>
 ppp chap password 0 <%password%>
 ppp pap sent-username <%username%> password 0 <%password%>
 ppp ipcp dns accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool1 192.168.0.0 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password cisco
 login local
 transport input telnet ssh
!
end
0
 
LVL 11

Expert Comment

by:naderz
ID: 39180271
ACL 1 is used to define who gets NATed out: in your case it is 192.168.0.0/24.
ACL 55 is used to allow snmp servers in the list.

I see an issue with your NAT statement:

 ip nat inside source list 1 interface Dialer0 overload

You need to change this to use Dialer1 interface:

 ip nat inside source list 1 interface Dialer1 overload

When leaving your network, internal addresses are not NATed. Your testing directly from the router is successful because it uses the Dialer 1 interface's IP address; no NAT needed.

I think that should work.
0
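The mismatch described in the comment above can be checked mechanically. The following is an added example, not code from the thread: it parses an IOS-style config and reports any `ip nat inside source ... overload` rule whose interface is not marked `ip nat outside`, has no IP address, or references an undefined access list. The function names `parse_interfaces` and `check_nat_overload` are hypothetical, and the sample is a trimmed, constructed copy of the NAT-relevant lines posted earlier.

```python
import re
# Constructed sample: NAT-relevant lines trimmed from the running-config above.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def check_nat_overload(config):
    """Return findings for every 'ip nat inside source list ... overload' rule."""
    interfaces = parse_interfaces(config)
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    findings = []
    rule = r"^ip nat inside source list (\S+) interface (\S+) overload"
    for acl, ifname in re.findall(rule, config, re.M):
        cmds = interfaces.get(ifname)
        if cmds is None:
            findings.append(f"{ifname}: interface not defined")
            continue
        if "ip nat outside" not in cmds:
            findings.append(f"{ifname}: not marked 'ip nat outside'")
        if "no ip address" in cmds:
            findings.append(f"{ifname}: has no IP address to translate to")
        if acl not in acls:
            findings.append(f"list {acl}: access-list not defined")
    return findings
```

Run against the posted configuration, the rule pointing at Dialer0 produces two findings; with the rule changed to Dialer1 the list is empty.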

 
LVL 11

Accepted Solution

by:
naderz earned 2000 total points
ID: 39180295
One other recommendation:

Since your Dialer 1 interface is configured for IP address negotiated, use:

ip route 0.0.0.0 0.0.0.0 dialer1 permanent

This way the default route remains intact even if the PPPoE session is brought down. Otherwise, incoming traffic may temporarily get affected in that case.
0
 

Author Comment

by:jpguillebaud
ID: 39182839
Hi Naderz, thank you that seems to have worked.  I am now able to do a TRACERT from my computer if I set the default gateway to the IP address of the Cisco router and the packets are now passing through the new internet line.  However, DNS resolution doesn't appear to be working currently.  Would you be able to tell me if there is anything I need to configure on the router to allow DNS requests/responses to pass through it?
0
 
LVL 11

Expert Comment

by:naderz
ID: 39182919
Well, for name resolution to work you need to point your PCs to a DNS server. Normally you have an internal DNS server that resolves all your internal addresses and is needed for Microsoft AD. Then for external names (e.g. yahoo.com) your internal DNS server will "forward" the request to a DNS server on the Internet that can resolve external names.

You need to make sure all the DNS configs are there. Who is your internal DNS server? What should be your external (e.g. your ISP's) DNS server? Then you go from there.
0
 

Author Comment

by:jpguillebaud
ID: 39183721
Hi Naderz, I have solved the DNS problem. All that was needed was this command:

ip dns server
0
 

Author Closing Comment

by:jpguillebaud
ID: 39183724
Thank you for your help. Everything is working perfectly now.
0
