Solved

Unable to configure Cisco 1861 Router to Comcast Static IP

Posted on 2013-06-21
Last Modified: 2013-07-29
I currently have a Cisco 1861 configured for an L2L connection with an ASA. I was given a static IP address from Comcast, but when I configure my fa0/0 port with the static IP I can only ping my gateway, which is the p2p address of the Comcast modem, and nothing else. The only way I can ping outside addresses (i.e. 4.2.2.2) is to set up my fa0/0 interface as a DHCP client. I then receive a DHCP address (i.e. 10.1.x.x), with which I can't form the L2L tunnel with my ASA.
I've attached the configuration below, which is working to get internet access using the 10.1.x.x address, but I need the routable static IP of 50.x.x.x assigned by Comcast.

The static IP given is 50.100.200.25 (simulated static IP, not actual)

ip dhcp excluded-address 10.1.1.0 10.1.1.10
!
ip dhcp pool ROUTER-POOL
   network 10.1.1.0 255.255.255.0
   domain-name router.com
   default-router 10.1.1.1
   dns-server x.x.x.x x.x.x.x
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group ALL_FXO
!
!
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 supplementary-service h450.12
 h323
!
voice class codec 10
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
voice-card 0
!
!
!
license feature c1861-srst-15u-upgrade
license udi pid C1861-SRST-F/K9 sn FXXXXXXX
license accept end user agreement
!
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 1.2.3.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Site-to Site 1.2.3.4
 set peer 1.2.3.4
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
!
interface FastEthernet0/0
 description Connection to Comcast
 ip address dhcp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 h323-gateway voip interface
 ! 10.1.2.12 is the DHCP address assigned by the Comcast modem
 h323-gateway voip bind srcaddr 10.1.2.12
 !
!
interface FastEthernet0/1/0
 switchport voice vlan 2
 no cdp enable
 no mop enabled
 !
!
interface FastEthernet0/1/1
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/2
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/3
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/4
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/5
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/6
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/7
 switchport voice vlan 2
 no cdp enable
 !
!
interface FastEthernet0/1/8
 switchport voice vlan 2
 no cdp enable
 !
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 description VOIP vlan
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
! 10.1.2.1 is the gateway handed out by DHCP on the Comcast modem
ip default-gateway 10.1.2.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
ip access-list extended nat
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.4.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.4.1.0 0.0.0.255
.

!
!
!
!
!
!
control-plane
 !
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
voice-port 0/1/0
 trunk-group ALL_FXO
 connection plar 2222
!
voice-port 0/1/1
 trunk-group ALL_FXO
 connection plar 3333
!
voice-port 0/1/2
 trunk-group ALL_FXO
 connection plar 4444
!
voice-port 0/1/3
 trunk-group ALL_FXO
!
voice-port 0/4/0
 auto-cut-through
 signal immediate
 input gain auto-control
 description Music On Hold Port
!
!
!
!
dial-peer voice 11 pots
 incoming called-number .
 direct-inward-dial
!
dial-peer voice 13 voip
 destination-pattern 79..
 progress_ind setup enable 3
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 12 pots
 destination-pattern 91..........
 progress_ind setup enable 3
 direct-inward-dial
 forward-digits 11
!
dial-peer voice 14 pots
 destination-pattern 9011T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 15 pots
 trunkgroup ALL_FXO
 destination-pattern 9T
 progress_ind setup enable 3
 direct-inward-dial
!
dial-peer voice 16 pots
 destination-pattern 9099
 no digit-strip
!
dial-peer voice 17 pots
 trunkgroup ALL_FXO
 preference 1
 destination-pattern 911
 progress_ind alert enable 8
 progress_ind progress enable 8
 forward-digits all
!
dial-peer voice 2222 voip
 destination-pattern 2222
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 3333 voip
 destination-pattern 3333
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
dial-peer voice 4444 voip
 destination-pattern 4444
 session target ipv4:10.4.1.15
 voice-class codec 10
 dtmf-relay h245-alphanumeric h245-signal
 no vad
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxx
 login
 transport input all
!
no process cpu extended
no process cpu autoprofile hog
end
Question by:solarisjunkie
8 Comments
 
LVL 17

Expert Comment

by:James H
ID: 39266216
The problem with the Comcast Gateway is that the static IP is assigned to that device and you are forced to use their DHCP for your router WAN.
What I have done is request a block of 5 IPs and set that IP to bypass their gateway (DMZ pass-through, I believe) for a true public IP.
0
 
LVL 5

Expert Comment

by:jake77444
ID: 39266320
Comcast typically issues an SMC cable modem for businesses. As Spartan_1337 led to, there is no way to disable NAT on this device to make it a passthrough to your router, so you have to request a block of IPs and use one of those. Not optimum, but I believe the only option if you have Comcast.
0
 

Author Comment

by:solarisjunkie
ID: 39266478
They've supposedly assigned 50.100.200.26 to their modem and gave me the .25 to use. Would I still need to get that block of IPs, or go another route like a T1 circuit?
0
 
LVL 5

Expert Comment

by:jake77444
ID: 39266550
That sounds about right then, solarisjunkie. Are you sure that you are configuring the correct mask (most likely 255.255.255.252)?

I would check with Comcast to make sure their modem is configured correctly, because if you are putting the .26 for IP, the correct mask, and .25 for the gateway on fa0/0, it should be working properly.
0
 

Author Comment

by:solarisjunkie
ID: 39268094
Indeed, I put the /30 mask on and can ping the gateway but nothing else, i.e. 4.2.2.2 or the assigned DNS 75.75.75.75 75.75.76.76. I thought it may have been the access list, but based on what I have, that access list should be fine.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39268128
You need to change the default route on the 1861...

no ip default-gateway 10.1.2.1
no ip route 0.0.0.0 0.0.0.0 10.1.2.1


Then, either:

ip route 0.0.0.0 0.0.0.0 dhcp

-or-

ip route 0.0.0.0 0.0.0.0 50.100.200.26
0
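
An added example, not part of the original thread or anyone's posted code: a small Python check of the point made in the comment above, that a static default route has to point at a next hop on the WAN interface's connected subnet. The sample config is constructed from the thread's simulated addresses; `check_default_route` and the use of `ip nat outside` to identify the WAN interface are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: the asker's interfaces with the static /30 applied but the
# old default route left in place (addresses are the thread's simulated ones).
BROKEN = """\
interface FastEthernet0/0
 ip address 50.100.200.25 255.255.255.252
 ip nat outside
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 10.1.2.1
"""
FIXED = BROKEN.replace("0.0.0.0 10.1.2.1", "0.0.0.0 50.100.200.26")

def check_default_route(config):
    """List problems with static default routes in an IOS-style config (hypothetical helper)."""
    iface, addrs, outside, hops = None, {}, set(), []
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface":
            iface = words[1]
        elif not raw.startswith(" "):
            iface = None  # back at global configuration level
        if iface and words[:2] == ["ip", "address"] and len(words) == 4:
            addrs[iface] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif iface and words == ["ip", "nat", "outside"]:
            outside.add(iface)
        elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(words) > 4:
            hops.append(words[4])
    wan = [addrs[i] for i in sorted(outside) if i in addrs]
    problems = [] if hops else ["no static default route"]
    for hop in hops:
        try:
            nh = ipaddress.ip_address(hop)
        except ValueError:
            continue  # 'dhcp' or an interface name: nothing to compare
        if not wan:
            problems.append(f"{nh}: no statically addressed outside interface")
        elif not any(nh in w.network for w in wan):
            problems.append(f"{nh}: not on WAN subnet {wan[0].network}")
        elif any(nh == w.ip for w in wan):
            problems.append(f"{nh}: is the router's own WAN address")
    return problems

if __name__ == "__main__":
    print("broken:", check_default_route(BROKEN), "fixed:", check_default_route(FIXED))
```
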
 
LVL 17

Expert Comment

by:James H
ID: 39268129
If the subnet mask is .252 then you have only one usable IP address. I have dealt with this too many times and the only workaround is to get a block of usable IPs. You can change the subnet mask but those IPs are not configurable for your use and their gateway will not recognize or route that traffic. You don't want to double NAT your traffic so you really have no choice.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39268137
A /30 address is fine if you just want to PAT to inside hosts to publish services to the internet, etc.

If you're providing multiple web sites on the same port you can enable more than one site using host headers, so having one IP address isn't an issue.
0
