Craig Walker
asked on
Cisco 887VA config issue.
Hi,
I'm not fully Cisco conversant but I have made a config that I found online and modified it to try and configure this router.
My issue is that I have the internal network side of things working OK but I can't seem to ping anything externally, although I have the CD and PPP CHAP lights on, which would indicate that I have successfully logged on to my ISP.
I'm thinking it's a bridging problem but, as I said, I'm not an in-depth CCNA engineer unfortunately.
I have copied and pasted my config; hopefully someone can shed some light on where I'm going wrong. I know it's probably something simple that I've missed but I feel I may have messed around with the config that much that it may be screwed up now.
Forgot to mention my ISP is BT broadband (residential).
To be honest this config may be too much for what I need. I really only want to access the internet and connect a small switch for additional ports for other equipment I have, so if I don't need it all just tell me what to cut back.
--------------------------
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3233774123
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3233774123
revocation-check none
rsakeypair TP-self-signed-3233774123
!
!
crypto pki certificate chain TP-self-signed-3233774123
certificate self-signed 01
quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name cannonz.dyndns.org
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name cannonz.dyndns.org
lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid CISCO887VA-SEC-K9 sn FCZ160592RB
!
!
username sysop privilege 15 password 7 08254E455D4C5D14
!
!
!
!
controller VDSL 0
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Vlan20
description Guest Network
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 20
bridge-group 20 spanning-disabled
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 7 045A09055E731F
ppp pap sent-username bthomehub@btbroadband.com password 7 00051105550958
!
interface Dialer1
ip address negotiated
ip access-group Internet-inbound-ACL in
ip nat outside
ip inspect MYFW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username bthomehub@btbroadband.com password 7 141610085D5679
ppp ipcp dns request
ppp ipcp address accept
!
interface BVI10
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BVI20
description Bridge to Guest Network
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
!
!
!
!
!
control-plane
!
bridge 10 route ip
bridge 20 route ip
!
line con 0
password 7 09484C024D504F11
line aux 0
line vty 0 4
password 7 070B23471A5C4106
transport input all
!
end
ASKER
Hi,
Firstly, thanks for responding as I'm losing the plot here. I thought I was relatively IT orientated until I came up against the Cisco CLI; wish it was as easy as DOS, then I'd maybe get somewhere :(
1) I set this IP 192.168.3.1 within Cisco SDM after putting on the original config through the console with PuTTY, as SDM kept flagging up errors in the LAN menu and I couldn't get out of that menu without putting something in other than 192.168.1, as it kept on saying I was overlapping with the BVI.
2) I have added the following dialer as requested but I don't know how to delete the ATM0.1 as it is still there after a wri mem and reload. Will this make much difference? If so, how do I delete it?
-------------------------
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 0.0.0.0 0.0.0.0 Dialer1
-------------------------
3) When I set up with PuTTY I never got a PPP CHAP light on my router, so I went into Cisco SDM and created a dialer with my logon details; that then gave me a PPP authentication. That's probably why there are two dialers.
4) The interface I am connected to on the router is fe1.
5) My laptop IP is 192.168.1.100 and the gateway is 192.168.1.1.
Please find attached my ipconfig.
ipconfig.docx
Ok cool...
To answer questions...
1) Cisco routers normally communicate over vlan1, so it's important that it is set up correctly from a routing perspective - do you want multiple VLANs? If not, we can simplify all this by removing those VLANs (10 and 20) and go back to basics...
2) To remove that you need to type this command in config mode:
no ip route 0.0.0.0 0.0.0.0 ATM0.1
Basically, putting a 'no' in front of any command in the Cisco world means 'remove this command', so do that, because having those 2 will cause issues...
3) OK, yes, understand now, which means Dialer1 is the key one to use
4) This is in Vlan10 - from your laptop (with IP 192.168.1.100) can you ping 192.168.1.1?
Those BVIs - did you copy those from another config? I don't bump into BVIs much, which is probably why I was confused; normally I set up a simple Vlan1 to the IP of the router and things work...
To test things, do the above (remove the ATM0.1 route line) and tell us whether you can ping your router (I'll assume you can, to proceed).
Obviously if you can telnet to the router that's a good sign - from the router then ping 8.8.8.8 (after the config change) - can you get out?
Since PPP is coming up I think that means the connection is good, so it's now a routing issue probably
ASKER
ok
To put you in the picture, basically at home just now I'm running a basic BT router which is temperamental. I thought that I could configure the Cisco router as it would be more reliable.
All I need is one FE port with internet access that I can then plug my 16-port Netgear switch into and run all my stuff that I have at home. I don't need any VPNs or additional VLANs or anything else, just an internet connection on one port; basically everything else will go through my switch.
Yes, the BVIs were part of the config I altered but I didn't want to remove them just in case I needed them, but I will be quite willing to remove anything that's not needed as it does seem a bit overkill for what I need (back to basics suits me).
I've removed the ATM0.1 now and done a wri mem and a reload, then done a sh run and it's now gone.
Tried to ping 8.8.8.8 after a reload but got a timeout. Also double-checked I still had an IP of 192.168.1.1 and tried to ping 192.168.1.1 and that was fine.
Still have my carrier detect and PPP CHAP lights on.
Ok, should have asked for this as well sorry
On cisco run this command
sh ip int brief
Post the output here so we can see - want to see if you are obtaining an external IP from BT - that will then tell us whether it's a routing issue or a connection issue...
I'll look over the config again to see if there's anything I missed in the meantime...
ASKER
Yes it would appear that Dialer0 has a wan ip address.
audvid#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
BVI10                      192.168.1.1     YES NVRAM  down                  down
BVI20                      192.168.2.1     YES NVRAM  down                  down
Dialer0                    86.146.82.15    YES IPCP   up                    up
Dialer1                    unassigned      YES NVRAM  up                    up
Ethernet0                  unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.3.1     YES NVRAM  down                  down
Vlan10                     unassigned      YES unset  down                  down
Vlan20                     unassigned      YES unset  down                  down
Lovely...so I made a mistake - I said Dialer1 was probably the correct one...
Do this now
no ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
So that's 2 commands - one to delete the Dialer1 route and one to create the Dialer0 route
Then you should be able to ping 8.8.8.8 - I hope ;)
ASKER
Waaahhhaaayyy
I can ping 8.8.8.8.
ASKER
No can't ping either from command prompt but can still ping router ok.
No problem...I see more mistakes
Remove from the Dialer1 interface this - ip nat outside
So command
no ip nat outside
Switch to Dialer0 interface and put in
ip nat outside
Then test with ping to ip and dns name
Also in global config add
ip name-server 208.67.222.222
ip name-server 208.67.220.220
That will allow it to do dns lookups...
ASKER
I can ping www.google.com & www.bt.com from console but not from command prompt.
I also did a trace on the BT IP addy and it's definitely right.
So you can ping only from the Cisco and not the laptop is that what you mean?
How did you do a 'trace'? You mean a tracert? From laptop? Like
tracert 8.8.8.8
What does that show from laptop?
After running that do this command on the router
sh ip nat tr
Do you see anything in the nat translation table?
ASKER
No, I did a trace www.bt.com on the router, which traced the route through the UK.
Tracert shows nothing but a timeout from the laptop with 8.8.8.8; checked 192.168.1.1 to make sure I was still connected OK.
Sh ip nat tr shows nothing but another audvid#, like it's waiting for another entry :(
Do you want me to post my config again in case there is something I've missed?
Yes please...
Your router is def connected since it's getting an IP...so it's now a NAT thing I think...post updated config for refreshed view, cheers
ASKER
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3233774123
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3233774123
revocation-check none
rsakeypair TP-self-signed-3233774123
!
!
crypto pki certificate chain TP-self-signed-3233774123
certificate self-signed 01
quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name cannonz.dyndns.org
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name cannonz.dyndns.org
lease 4
!
!
ip cef
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid CISCO887VA-SEC-K9 sn FCZ160592RB
!
!
username sysop privilege 15 password 7 08254E455D4C5D14
!
!
!
!
controller VDSL 0
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Vlan20
description Guest Network
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 20
bridge-group 20 spanning-disabled
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 7 045A09055E731F
ppp pap sent-username bthomehub@btbroadband.com password 7 00051105550958
!
interface Dialer1
ip address negotiated
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username bthomehub@btbroadband.com password 7 141610085D5679
ppp ipcp dns request
ppp ipcp address accept
!
interface BVI10
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BVI20
description Bridge to Guest Network
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
!
!
!
!
!
control-plane
!
bridge 10 route ip
bridge 20 route ip
!
line con 0
password 7 09484C024D504F11
line aux 0
line vty 0 4
password 7 070B23471A5C4106
transport input all
!
end
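The checks this thread works through by hand (which interface holds the negotiated address, where the default route points, which interface carries `ip nat outside`, and which interface the overload rule names) can be run together over a pasted config. This is an added example, not part of the original thread: the function names are hypothetical, the two inputs are constructed excerpts reduced from the posts above, and the WAN address is a documentation-range placeholder.

```python
import re

# Constructed inputs, reduced from the updated configuration and the
# "sh ip int brief" output in the thread (flat, as pasted there).
# The WAN address is a documentation-range placeholder.
SAMPLE_CONFIG = """\
interface Dialer0
ip address negotiated
ip nat outside
dialer pool 2
!
interface Dialer1
ip address negotiated
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
dialer pool 1
!
interface BVI10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255
"""

SAMPLE_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
BVI10 192.168.1.1 YES NVRAM up up
Dialer0 203.0.113.10 YES IPCP up up
Dialer1 unassigned YES NVRAM up up
"""

# Only interface-based default routes are matched (as used in the thread),
# not next-hop addresses.
DEFAULT_ROUTE = re.compile(r"^[ \t]*ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", re.M)
NAT_OVERLOAD = re.compile(
    r"^[ \t]*ip nat inside source list \S+ interface (\S+) overload", re.M)
FILTER_PREFIXES = ("ip access-group ", "ip inspect ")


def parse_interfaces(config):
    """Map interface name -> sub-commands. A stanza runs from 'interface X'
    to the next '!', so pastes that lost their indentation still parse."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def wan_interfaces(brief):
    """Interfaces that are up and whose address was learned over PPP (IPCP)."""
    wan = []
    for line in brief.splitlines():
        f = line.split()
        if len(f) >= 6 and f[3] == "IPCP" and f[1] != "unassigned" and f[-1] == "up":
            wan.append(f[0])
    return wan


def audit(config, brief):
    """Return (code, message) findings for settings not bound to the live WAN interface."""
    wan = wan_interfaces(brief)
    if not wan:
        return [("NO_WAN", "no interface holds an IPCP-negotiated address")]
    stanzas = parse_interfaces(config)
    findings = []

    for target in DEFAULT_ROUTE.findall(config):
        if target not in wan:
            findings.append(("DEFAULT_ROUTE_IFACE",
                             f"default route points at {target}, address is on {wan}"))

    outside = [n for n, cmds in stanzas.items() if "ip nat outside" in cmds]
    for name in wan:
        if name not in outside:
            findings.append(("NAT_OUTSIDE_MISSING", f"{name} lacks 'ip nat outside'"))
    for name in outside:
        if name not in wan:
            findings.append(("NAT_OUTSIDE_WRONG", f"'ip nat outside' is on {name}"))

    for target in NAT_OVERLOAD.findall(config):
        if target not in wan:
            findings.append(("NAT_OVERLOAD_IFACE",
                             f"overload rule names {target}, which holds no negotiated address"))

    def filtered(name):
        return any(c.startswith(FILTER_PREFIXES) for c in stanzas.get(name, []))

    for name in wan:
        if not filtered(name):
            held_by = [n for n in stanzas if n.startswith("Dialer") and filtered(n)]
            findings.append(("FILTER_NOT_ON_WAN",
                             f"{name} has no ACL or inspection; found on {held_by}"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG, SAMPLE_BRIEF):
        print(f"{code}: {message}")
```

On the excerpt it reports the overload rule still naming Dialer1, and the inbound ACL and inspection rule attached to Dialer1 rather than to Dialer0, the interface that holds the address.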
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
!
!
!
!
!
control-plane
!
bridge 10 route ip
bridge 20 route ip
!
line con 0
password 7 09484C024D504F11
line aux 0
line vty 0 4
password 7 070B23471A5C4106
transport input all
!
end
Ah.....I see this
ip nat inside source list 1 interface Dialer1 overload
Should be Dialer0, issue these commands
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 1 interface Dialer0 overload
Should do the trick this time ;)
ASKER
Still the same, although I can ping 8.8.8.8 now from the laptop but can't ping anything else externally, only internal.
But I can ping externally on console/PuTTY.
Good, that means nat is now working...
Ok last thing I can think of - dns is missing from your DHCP pool
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name cannonz.dyndns.org
lease 4
Add
dns-server 208.67.222.222
dns-server 208.67.220.220
Add those to the pool and things should work I think...
I'm away for the night, hopefully this will get you working... if not, then in the NIC settings on your laptop go into the TCP/IP properties and set up static DNS server settings with those 2 IPs above - that will bypass the DHCP settings from the router and allow you to browse etc... but the above commands should get you connected fully I think
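The two faults diagnosed in the answers above (NAT overload bound to Dialer1 while the default route leaves via Dialer0, and a DHCP pool with no dns-server) can be checked mechanically before a config is loaded. This is an added example, not part of the original thread; `sections`, `audit`, `SAMPLE` and `FIXED` are hypothetical names, and the config excerpt is constructed from the posted one.

```python
import re

# Constructed excerpt of the posted config: only the lines these checks read.
SAMPLE = """\
ip dhcp pool VLAN10
 default-router 192.168.1.1
!
interface Dialer0
 ip nat outside
!
interface Dialer1
 ip address negotiated
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
"""

def sections(config, prefix):
    """Map each '<prefix> <name>' block to its sub-commands ('!' ends a block)."""
    out, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(prefix + " "):
            current = line[len(prefix) + 1:].split()[0]
            out[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            out[current].append(line)
    return out

def audit(config):
    """Return findings for the two faults diagnosed in the thread."""
    findings = []
    nat = re.search(r"^[ \t]*ip nat inside source list \S+ interface (\S+) overload", config, re.M)
    route = re.search(r"^[ \t]*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if nat and route and nat.group(1) != route.group(1):
        findings.append(f"NAT overload on {nat.group(1)}, default route via {route.group(1)}")
    if nat and "ip nat outside" not in sections(config, "interface").get(nat.group(1), []):
        findings.append(f"{nat.group(1)} lacks 'ip nat outside'")
    for name, body in sections(config, "ip dhcp pool").items():
        if not any(cmd.startswith("dns-server ") for cmd in body):
            findings.append(f"DHCP pool {name} has no explicit dns-server")
    return findings

# The thread's two fixes applied to the excerpt.
FIXED = SAMPLE.replace("Dialer1 overload", "Dialer0 overload").replace(
    "192.168.1.1\n", "192.168.1.1\n dns-server 208.67.222.222 208.67.220.220\n")
if __name__ == "__main__":
    print("posted:", audit(SAMPLE), "\nfixed:", audit(FIXED))
```

Run against a saved `show running-config`, the same function works on the flattened paste above because it treats `!` rather than indentation as the end of a block.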
ASKER
Hi,
Couldn't figure out how to add dns-server to the router. When I tried at the conf t it didn't accept it, as though I was in the wrong directory and should be in a sub directory or something?
Tried the other option you said, adding the DNS setting to my NIC, and that worked fine :)
But I would really like to have DHCP running on the router as it's too much hassle setting everything manually.
At least I'm seeing some light at the end of the tunnel now. I will look more into it tomorrow as, like yourself, I have finished for now and it's now midnight at my end so I'm not thinking straight. I will sleep on it.
I will catch up tomorrow if i can't resolve it.
Thanks again for your help
Yes, you need to be in the DHCP pool area to add it...
conf t
ip dhcp pool vlan10
dns-server 208.67.222.222
dns-server 208.67.220.220
You need each of those commands to get it right...once you get that you'll then need to either reboot the laptop/pc to get a refreshed ip address, or disable your nic on laptop and re-enable to get a new address...once you do that you should be ok
ASKER
Sorry about the delayed response but after placing the final piece of the puzzle into the config I connected my switch and WAP and tested all internal devices to check if they could see the outside world... And they could, including my son's Xbox (which was a major bonus as you know how kids love xblive)
Thanks again for all your help I can't thank you enough.
One final last point: I've done a wri mem, will this be enough if I get a power failure or will I have to copy running-config to startup-config? And also, will all the extra stuff in the config I'm using cause me any hassle later on down the line..?
ASKER
Excellent can't praise the help I got enough, I was walked through it step by step and eventually got a fix. A++
Thanks again
1) Vlan1 - has ip of 192.168.3.1 - but no interfaces are in Vlan1...
2) ip route 0.0.0.0 0.0.0.0 ATM0.1 - this should be ip route 0.0.0.0 0.0.0.0 Dialer1
3) I see 2 Dialer interfaces? Dialer1 looks like it's semi-complete...
4) Which interface is connected to your LAN? Fe0/1/2/3? Because some are in Vlan10 and others in Vlan20...
5) When connected with a laptop/pc what ip address do you get?
Can you provide the output of
ipconfig /all
from your connected laptop/pc?