Solved

Unable to configure Cisco 1861 Router to Comcast Static IP

Posted on 2013-06-21
Last Modified: 2013-07-29
I currently have a Cisco 1861 configured for an L2L connection with an ASA. I was given a static IP address from Comcast, but when I configure my fa0/0 port with the static IP I can only ping my gateway, which is the p2p address of the Comcast modem, and nothing else. The only way I can ping outside addresses (i.e. 4.2.2.2) is to set up my fa0/0 interface as a DHCP client. I then receive a DHCP address (i.e. 10.1.x.x) with which I can't form the L2L tunnel with my ASA.
I've attached the configuration below, which is working to get internet access using the 10.1.x.x address, but I need the routable static IP of 50.x.x.x assigned by Comcast.

The Static IP given is 50.100.200.25 (simulated static ip not actual)

ip dhcp excluded-address 10.1.1.0 10.1.1.10
!
ip dhcp pool ROUTER-POOL
   network 10.1.1.0 255.255.255.0
   domain-name router.com
   default-router 10.1.1.1
   dns-server x.x.x.x x.x.x.x
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group ALL_FXO
!
!
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 supplementary-service h450.12
 h323
!
voice class codec 10
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
voice-card 0
!
!
!
license feature c1861-srst-15u-upgrade
license udi pid C1861-SRST-F/K9 sn FXXXXXXX
license accept end user agreement
!
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 1.2.3.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Site-to Site 1.2.3.4
 set peer 1.2.3.4
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
!
interface FastEthernet0/0
 description Connection to Comcast
 ip address dhcp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 h323-gateway voip interface
 ! 10.1.2.12 is the DHCP address assigned by the Comcast modem
 h323-gateway voip bind srcaddr 10.1.2.12
 !
!
interface FastEthernet0/1/0
 switchport voice vlan 2
 no cdp enable
 no mop enabled
 !
!
interface FastEthernet0/1/1
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/2
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/3
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/4
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/5
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/6
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/7
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/8
 switchport voice vlan 2
 no cdp enable
 !
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 description VOIP vlan
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
! 10.1.2.1 is the gateway of the DHCP on the Comcast modem
ip default-gateway 10.1.2.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
ip access-list extended nat
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.4.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.4.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
 !
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
voice-port 0/1/0
 trunk-group ALL_FXO
 connection plar 2222
!
voice-port 0/1/1
 trunk-group ALL_FXO
 connection plar 3333
!
voice-port 0/1/2
 trunk-group ALL_FXO
 connection plar 4444
!
voice-port 0/1/3
 trunk-group ALL_FXO
!
voice-port 0/4/0
 auto-cut-through
 signal immediate
 input gain auto-control
 description Music On Hold Port
!
!
!
!
dial-peer voice 11 pots
 incoming called-number .
 direct-inward-dial
!
dial-peer voice 13 voip
 destination-pattern 79..
 progress_ind setup enable 3
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 12 pots
 destination-pattern 91..........
 progress_ind setup enable 3
 direct-inward-dial
 forward-digits 11
!
dial-peer voice 14 pots
 destination-pattern 9011T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 15 pots
 trunkgroup ALL_FXO
 destination-pattern 9T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 16 pots
 destination-pattern 9099
 no digit-strip
!
dial-peer voice 17 pots
 trunkgroup ALL_FXO
 preference 1
 destination-pattern 911
 progress_ind alert enable 8
 progress_ind progress enable 8
 forward-digits all
!
dial-peer voice 2222 voip
 destination-pattern 2222
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 3333 voip
 destination-pattern 3333
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 4444 voip
 destination-pattern 4444
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxx
 login
 transport input all
!
no process cpu extended
no process cpu autoprofile hog
end
Question by:solarisjunkie

Expert Comment

by:Spartan_1337
The problem with the Comcast Gateway is that the static IP is assigned to that device and you are forced to use their DHCP for your router WAN.
What I have done is request a 5 block of IPs and set that IP to bypass their gateway (DMZ pass through, I believe) for a true public IP.

Expert Comment

by:jake77444
Comcast typically issues an SMC cable modem for businesses. As Spartan_1337 led to, there is no way to disable NAT on this device to make it a passthrough to your router, so you have to request a block of IPs and use one of those. Not optimum, but I believe the only option if you have Comcast.

Author Comment

by:solarisjunkie
They've supposedly assigned 50.100.200.26 to their modem and gave me the .25 to use. Would I still need to get that block of IPs, or go another route like a T1 circuit?

Expert Comment

by:jake77444
That sounds about right then, solarisjunkie. Are you sure that you are configuring the correct mask (most likely 255.255.255.252)?

I would check with Comcast to make sure their modem is configured correctly because if you are putting the .26 for ip, the correct mask, and .25 for the gateway on fa0/0 it should be working properly.

Author Comment

by:solarisjunkie
Indeed, I put the /30 mask on and can ping the gateway but nothing else, i.e. 4.2.2.2 or the assigned DNS servers 75.75.75.75 and 75.75.76.76. I thought it may have been the access list, but based on what I have, that access list should be fine.

Expert Comment

by:Craig Beck
You need to change the default route on the 1861...

no ip default-gateway 10.1.2.1
no ip route 0.0.0.0 0.0.0.0 10.1.2.1


Then, either:

ip route 0.0.0.0 0.0.0.0 dhcp

-or-

ip route 0.0.0.0 0.0.0.0 50.100.200.26
0
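
Added example, not part of the original thread: a small Python check that a static default route in an IOS config points at a usable next hop on the WAN subnet, which is the condition the route change above restores. The config excerpt is constructed from the question's config with the thread's simulated 50.100.200.25 address and /30 mask applied; the function names are illustrative.

```python
import ipaddress
import re

# Constructed excerpt: the posted config with the thread's simulated static
# address and /30 mask on fa0/0, and the original default route left in place.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 50.100.200.25 255.255.255.252
 ip nat outside
!
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.2.1
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(config):
    """Map interface name -> IPv4Interface for statically addressed interfaces."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(rf"\s+ip address {ADDR} {ADDR}", line)):
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def check_default_routes(config, wan="FastEthernet0/0"):
    """Return one finding per static default route whose next hop cannot work."""
    interfaces = parse_interfaces(config)
    wan_net = interfaces[wan].network if wan in interfaces else None
    findings = []
    for m in re.finditer(rf"^ip route 0\.0\.0\.0 0\.0\.0\.0 {ADDR}", config, re.M):
        hop = ipaddress.ip_address(m.group(1))
        owners = [name for name, itf in interfaces.items() if itf.ip == hop]
        if owners:
            findings.append(f"{hop} is the router's own address on {owners[0]}")
        elif wan_net is None or hop not in wan_net:
            findings.append(f"{hop} is not on the {wan} subnet")
        elif hop in (wan_net.network_address, wan_net.broadcast_address):
            findings.append(f"{hop} is not a usable host in {wan_net}")
    return findings


if __name__ == "__main__":
    for finding in check_default_routes(SAMPLE_CONFIG):
        print("default route:", finding)
```

Routes written as `ip route 0.0.0.0 0.0.0.0 dhcp` have no literal next hop and are skipped by this check.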

Expert Comment

by:Spartan_1337
If the subnet mask is .252 then you have only one usable IP address. I have dealt with this too many times and the only workaround is to get a block of usable IPs. You can change the subnet mask but those IPs are not configurable for your use and their gateway will not recognize or route that traffic. You don't want to double NAT your traffic so you really have no choice.

Accepted Solution

by: Craig Beck earned 500 total points
A /30 address is fine if you just want to PAT to inside hosts to publish services to the internet, etc.

If you're providing multiple web sites on the same port you can enable more than one site using host headers, so having one IP address isn't an issue.