Solved

Unable to configure Cisco 1861 Router to Comcast Static IP

Posted on 2013-06-21
Last Modified: 2013-07-29
I currently have a Cisco 1861 configured for an L2L connection with an ASA. I was given a static IP address from Comcast, but when I configure my fa0/0 port with the static IP I can only ping my gateway, which is the p2p address of the Comcast modem, and nothing else. The only way I can ping outside addresses (i.e. 4.2.2.2) is to set up my fa0/0 interface as a DHCP client. I then receive a DHCP address (i.e. 10.1.x.x), with which I can't form the L2L tunnel with my ASA.
I've attached the configuration below, which is working to get internet access using the 10.1.x.x address, but I need the routable static IP of 50.x.x.x assigned by Comcast.

The static IP given is 50.100.200.25 (simulated static IP, not actual)

ip dhcp excluded-address 10.1.1.0 10.1.1.10
!
ip dhcp pool ROUTER-POOL
   network 10.1.1.0 255.255.255.0
   domain-name router.com
   default-router 10.1.1.1
   dns-server x.x.x.x x.x.x.x
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group ALL_FXO
!
!
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 supplementary-service h450.12
 h323
!
voice class codec 10
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
voice-card 0
!
!
!
license feature c1861-srst-15u-upgrade
license udi pid C1861-SRST-F/K9 sn FXXXXXXX
license accept end user agreement
!
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 1.2.3.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Site-to Site 1.2.3.4
 set peer 1.2.3.4
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
!
interface FastEthernet0/0
 description Connection to Comcast
 ip address dhcp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.1.2.12(***DHCP address assigned by Comcast Modem)
 !
!
interface FastEthernet0/1/0
 switchport voice vlan 2
 no cdp enable
 no mop enabled
 !
!
interface FastEthernet0/1/1
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/2
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/3
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/4
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/5
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/6
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/7
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/8
 switchport voice vlan 2
 no cdp enable
 !
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 description VOIP vlan
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip default-gateway 10.1.2.1 (gateway of the dhcp on comcast modem)
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
ip access-list extended nat
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.4.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.4.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
 !
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
voice-port 0/1/0
 trunk-group ALL_FXO
 connection plar 2222
!
voice-port 0/1/1
 trunk-group ALL_FXO
 connection plar 3333
!
voice-port 0/1/2
 trunk-group ALL_FXO
 connection plar 4444
!
voice-port 0/1/3
 trunk-group ALL_FXO
!
voice-port 0/4/0
 auto-cut-through
 signal immediate
 input gain auto-control
 description Music On Hold Port
!
!
!
!
dial-peer voice 11 pots
 incoming called-number .
 direct-inward-dial
!
dial-peer voice 13 voip
 destination-pattern 79..
 progress_ind setup enable 3
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 12 pots
 destination-pattern 91..........
 progress_ind setup enable 3
 direct-inward-dial
 forward-digits 11
!
dial-peer voice 14 pots
 destination-pattern 9011T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 15 pots
 trunkgroup ALL_FXO
 destination-pattern 9T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 16 pots
 destination-pattern 9099
 no digit-strip
!
dial-peer voice 17 pots
 trunkgroup ALL_FXO
 preference 1
 destination-pattern 911
 progress_ind alert enable 8
 progress_ind progress enable 8
 forward-digits all
!
dial-peer voice 2222 voip
 destination-pattern 2222
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 3333 voip
 destination-pattern 3333
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 4444 voip
 destination-pattern 4444
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxx
 login
 transport input all
!
no process cpu extended
no process cpu autoprofile hog
end
Question by:solarisjunkie

Expert Comment

by:Spartan_1337
ID: 39266216
The problem with the Comcast Gateway is that the static IP is assigned to that device and you are forced to use their DHCP for your router WAN.
What I have done is request a block of 5 IPs and set that IP to bypass their gateway (DMZ pass-through, I believe) for a true public IP.

Expert Comment

by:jake77444
ID: 39266320
Comcast typically issues an SMC cable modem for businesses. As Spartan_1337 alluded to, there is no way to disable NAT on this device to make it a passthrough to your router, so you have to request a block of IPs and use one of those. Not optimum, but I believe it is the only option if you have Comcast.
Author Comment

by:solarisjunkie
ID: 39266478
They've supposedly assigned 50.100.200.26 to their modem and gave me the .25 to use. Would I still need to get that block of IPs or go another route, like a T1 circuit?

Expert Comment

by:jake77444
ID: 39266550
That sounds about right then, solarisjunkie. Are you sure that you are configuring the correct mask (most likely 255.255.255.252)?

I would check with Comcast to make sure their modem is configured correctly, because if you are putting the .26 for IP, the correct mask, and .25 for the gateway on fa0/0, it should be working properly.

Author Comment

by:solarisjunkie
ID: 39268094
Indeed, I put the /30 mask on and can ping the gateway but nothing else, i.e. 4.2.2.2 or the DNS assigned 75.75.75.75 75.75.76.76. I thought it may have been the access list, but based on what I have, that access list should be fine.

Expert Comment

by:Craig Beck
ID: 39268128
You need to change the default route on the 1861...

no ip default-gateway 10.1.2.1
no ip route 0.0.0.0 0.0.0.0 10.1.2.1


Then, either:

ip route 0.0.0.0 0.0.0.0 dhcp

-or-

ip route 0.0.0.0 0.0.0.0 50.100.200.26
0
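Added example (not part of the original thread or any poster's code): a Python check of a router config's static default route against its interface addresses, the setting the comment above changes. The sample config is constructed from the thread's simulated addresses with fa0/0 on the static /30, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the asker's config with fa0/0 moved to the static /30
# but the old default route left in place (the thread's simulated addresses).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 50.100.200.25 255.255.255.252
 ip nat outside
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.2.1
"""

def parse(config):
    """Return ({interface: IPv4Interface}, [default-route next hops])."""
    interfaces, next_hops, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+ip address (\d\S+) (\d\S+)", line)) and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S+)", line):
            next_hops.append(ipaddress.ip_address(m.group(1)))
    return interfaces, next_hops

def check_default_routes(config):
    """Classify each static default route by how its next hop resolves."""
    interfaces, next_hops = parse(config)
    results = []
    for nh in next_hops:
        own = [n for n, i in interfaces.items() if i.ip == nh]
        via = [n for n, i in interfaces.items() if nh in i.network]
        if own:
            results.append((str(nh), "self", own[0]))       # points at the router itself
        elif via:
            results.append((str(nh), "connected", via[0]))  # reachable on that link
        else:
            results.append((str(nh), "unreachable", None))  # no connected subnet holds it
    return results

if __name__ == "__main__":
    for row in check_default_routes(SAMPLE_CONFIG):
        print(row)
```

With the route's next hop changed to 50.100.200.26, the same check reports it as connected via FastEthernet0/0.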
 

Expert Comment

by:Spartan_1337
ID: 39268129
If the subnet mask is .252 then you have only one usable IP address. I have dealt with this too many times and the only workaround is to get a block of usable IPs. You can change the subnet mask but those IPs are not configurable for your use and their gateway will not recognize or route that traffic. You don't want to double NAT your traffic so you really have no choice.

Accepted Solution

by:Craig Beck
ID: 39268137
A /30 address is fine if you just want to PAT to inside hosts to publish services to the internet, etc.

If you're providing multiple web sites on the same port you can enable more than one site using host headers, so having one IP address isn't an issue.