Solved

Cisco C881 Router Internet + DHCP setup

Posted on 2014-04-08
Last Modified: 2014-07-16
Hi all,

I am trying to set up a Cisco C881 router to replace our old Netgear.
The main reason for the change is that the Netgear does not support a 172.16. IP range... don't know why, but it just wouldn't accept the change. It's an old box so I'm not too surprised.

The device is outside our domain / firewall so it should be fairly straightforward to set up.
I have managed to get DHCP working, as it's assigning IPs correctly once I plug a laptop in, but the problem is that the internet is not flowing down into the ports... so I'm not sure if there's a routing issue somewhere.


The WAN port (port 4) has been configured with our public IP and subnet, and NAT has been enabled.
Looking at the GUI side of things, it says that ports 0, 1, 2, 3 are all associated with the WAN port.


Our network path to get to the Cisco C881 router is this:
ISP
-> 
LinkSys switch -> port 1 -> domain ->
                        -> port 2 (internet) -> Netgear (old internet connection) -> 
                        -> port 3 (internet) -> Cisco C881 -> 



As you can see, the networking to get to the Cisco is basic. I still have to check the LinkSys switch to make sure that port 3 is communicating correctly and there is no mismatch.



Here is the current config of the C881 router.

Does anybody know what I'm missing?
Or what I should try...


Many thanks!



yourname#show run
Building configuration...

Current configuration : 3694 bytes
!
! Last configuration change at 07:55:13 UTC Tue Apr 8 2014 by XXXXXX
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3738690260
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3738690260
 revocation-check none
 rsakeypair TP-self-signed-3738690260
!
!
crypto pki certificate chain TP-self-signed-3738690260
 certificate self-signed 01
        quit
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.0.1 172.16.0.10
ip dhcp excluded-address 172.16.0.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool Name
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL181021H4
!
!
username name privilege 15 secret 4 BzixT6rsW1tGZJnkm6HWsZiHpRX/UGirZFeNeyKMDpQ
username name privilege 15 secret 4 dcNCgnaksTPU1LIdCcV.ez/dcg1yUiPZCjOg0NSHkRI
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan255
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 199 permit ip any any
no cdp run
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end
 

Question by:BakerSyd
17 Comments
 
LVL 11

Expert Comment

by:Miftaul
ID: 39987555
Your access-list should define the LAN subnets as source and any as destination; otherwise "any any" won't catch the interesting traffic.
Please change the ACL.

Author Comment

by:BakerSyd
ID: 39987572
Hmm ok... so what should I change it to?

Sorry, I'm new to Cisco configs, still learning my way around and how it all works..
LVL 11

Expert Comment

by:Miftaul
ID: 39987630
Remove the existing access-list 199 using
no access-list 199

And enter the below
access-list 199 permit ip 172.16.0.0 0.0.7.255 any

I see two DHCP pools are configured. Also there is a VLAN 255 without any IP address. How does the router know which interface is in which VLAN? Don't we hardcode the interfaces to their respective access VLANs?

Author Comment

by:BakerSyd
ID: 39987663
I have entered the commands as you suggested.

VLAN 255 has now been removed as we don't need that.
The first DHCP pool was the default one;
the second DHCP pool is the one I created.

Should we remove the default one?

Tried to ping 8.8.8.8 from the router but it did not reply.

Current config file..






yourname#show run
Building configuration...

Current configuration : 3658 bytes
!
! Last configuration change at 01:33:25 UTC Wed Apr 9 2014 by xxxxxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3738690260
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3738690260
 revocation-check none
 rsakeypair TP-self-signed-3738690260
!
!
crypto pki certificate chain TP-self-signed-3738690260
 certificate self-signed 01
        quit
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.0.1 172.16.0.10
ip dhcp excluded-address 172.16.0.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool name
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL181021H4
!
!
username name privilege 15 secret 4 BzixT6rsW1tGZJnkm6HWsZiHpRX/UGirZFeNeyKMDpQ
username name privilege 15 secret 4 dcNCgnaksTPU1LIdCcV.ez/dcg1yUiPZCjOg0NSHkRI
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.0.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
no cdp run
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 167 total points
ID: 39987752
Please check the attachment
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.0.1 172.16.0.10
ip dhcp excluded-address 172.16.0.1
Please remove the lines, they seem to be redundant
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2

!
The above is a redundant DHCP pool; we can remove it.

ip dhcp pool name
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
We are not applying an ACL on the WAN interface; remove it.
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.0.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
Change the default route to the next-hop IP address rather than using the exit interface. “ip route 0.0.0.0 0.0.0.0 Next-hop-IP”

!
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
no cdp run
!

Assisted Solution

by:PChelper2014
PChelper2014 earned 166 total points
ID: 39987754
I think your problem is
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100

It should be
ip access-group 199 out
But this will only let 172.16.x.x go out.

Or try this:

Leave ip access-group 199 in

Modify
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
to this
access-list 199 permit tcp any any established
access-list 199 deny ip any any

This will only let traffic in if the traffic was initiated from inside.

Hope this helps,

Author Comment

by:BakerSyd
ID: 39987772
Appreciate your time in helping me sort this out... I will try what you suggest and get back to you soon with how it all went..


Thanks again!
LVL 11

Expert Comment

by:Miftaul
ID: 39987974
Man, don't change the access-list. Access-list 199 is for Network Address Translation purposes, not for applying to any interface.

Take out the "ip access-group 199 in" completely.

Author Comment

by:BakerSyd
ID: 39990383
Yeah, we left the access list as

access-list 199 permit ip 172.16.0.0 0.0.7.255 any


I will go and remove ip access-group 199 in.
What does this do?


Also, we changed the IP address of our WAN port to something else and the internet started working... so I'm not entirely sure which of these changes has actually fixed the problem.

Something we will have to investigate... not sure why the other IP wasn't working.


I will post up the updated config shortly...

Author Comment

by:BakerSyd
ID: 39990467
Here is our current config.

How secure is this config?
Is there anything else we need to do to make sure this is set up correctly?


yourname#show run
Building configuration...

Current configuration : 3453 bytes
!
! Last configuration change at 01:11:27 UTC Thu Apr 10 2014 by xxxxxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3738690260
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3738690260
 revocation-check none
 rsakeypair TP-self-signed-3738690260
!
!
crypto pki certificate chain TP-self-signed-3738690260
 certificate self-signed 01
        quit
!
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool Name
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL181021H4
!
!
username name privilege 15 secret 4 BzixT6rsW1tGZJnkm6HWsZiHpRX/UGirZFeNeyKMDpQ
username name privilege 15 secret 4 dcNCgnaksTPU1LIdCcV.ez/dcg1yUiPZCjOg0NSHkRI
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.0.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
no cdp run
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

LVL 11

Expert Comment

by:Miftaul
ID: 39990740
There is little to no security in your configuration. Hardening a Cisco router is actually a two-step process:

a) Secure access to the router on Console, VTY and HTTPS.

1. "no service password-encryption" - only if you are using an enable password.
2. Allowing telnet on line VTY.
3. "access-class 23 in" - there is no ACL called 23.
4. "ip http server" - you are allowing HTTP access to the router?

b) Disable unneeded services.

1. CDP is still running on the WAN interface.

2. Disable proxy-arp, directed-broadcast and redirects on the WAN port:

SecureRouter(config)#int fe4
SecureRouter(config-if)#no ip mask-reply
SecureRouter(config-if)#no ip directed-broadcast
SecureRouter(config-if)#no ip redirects
SecureRouter(config-if)#no cdp enable

3. Disable finger and source route on the router:

SecureRouter(config)#no ip domain-lookup
SecureRouter(config)#no service finger
SecureRouter(config)#no service tcp-small-servers
SecureRouter(config)#no service udp-small-servers
SecureRouter(config)#no ip bootp server
SecureRouter(config)#no ip source-route

Author Comment

by:BakerSyd
ID: 39990852
Ok cool, thanks for the info... I'll look into all this and get back to you once I've made the changes.
LVL 45

Expert Comment

by:Craig Beck
ID: 39993825
I actually think it's just a default route problem.  Your route statement says forward everything out of Fa4, but that might not be enough to get traffic to hit the upstream router.

Did you get a default gateway or router address from your ISP when they assigned the /28?  If so try setting the default route...

ip route 0.0.0.0 0.0.0.0 x.x.x.x

Can you ping 8.8.8.8 from the router itself?

The 199 ACL was fine as it was - it was catching all IP addresses and applying to NAT, so it's unlikely an ACL issue. Similarly it was allowing everything in to Fa4, so nothing would be dropped.

Author Comment

by:BakerSyd
ID: 40005689
Ok so we've got it working with the following config.
Looks pretty good so far... DHCP is working well and we can now browse the internet.

Are there any other services that we should consider disabling that are not needed?
Or maybe something we should enable?

We'd like to make sure this is as secure as possible... keeping in mind that this is purely for our staff to be able to access the internet outside the domain.

Thanks for all your help with this so far!


yourname#show run
Building configuration...

Current configuration : 3560 bytes
!
! Last configuration change at 00:54:57 UTC Fri Apr 11 2014 by xxxxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3738690260
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3738690260
 revocation-check none
 rsakeypair TP-self-signed-3738690260
!
!
crypto pki certificate chain TP-self-signed-3738690260
 certificate self-signed 01
        quit
no ip source-route
!
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool xxxxxx
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
!
!
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL181021H4
!
!
username xxxxx privilege 15 secret 4 BzixT6rsW1tGZJnkm6HWsZiHpRX/UGirZFeNeyKMDpQ
username xxxxx privilege 15 secret 4 dcNCgnaksTPU1LIdCcV.ez/dcg1yUiPZCjOg0NSHkRI
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xxx.xx.xx.xxx 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.0.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
no cdp run
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end


Accepted Solution

by:jeremy-spencer
jeremy-spencer earned 167 total points
ID: 40042167
You need to change this:
ip route 0.0.0.0 0.0.0.0 FastEthernet4

To:
ip route 0.0.0.0 0.0.0.0 gateway.ip

When you specify an interface as a default route, it relies on proxy ARP to forward the packets to the default gateway. This means the router will send an ARP request for every destination internet address and place it in the ARP table. This will cause a massive ARP table and high CPU and memory problems.
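The hardening items Miftaul lists above and the default-route point made by Craig Beck and jeremy-spencer, as an added Python audit script that is not part of this thread: it parses a show-run dump and reports the problems discussed (a NAT ACL that permits any any, the NAT ACL misapplied with ip access-group, a default route that names an exit interface instead of a next-hop IP, telnet on the VTY lines, an access-class pointing at an undefined ACL, ip http server, and CDP/redirects/proxy-ARP on the WAN interface). The sample config is constructed from the final config posted above with a documentation-range WAN address, and the check names and messages are my own.

```python
# Added example (not code from the thread): audit a 'show run' dump for the
# points raised above (NAT ACL scoping, default route, VTY/HTTP/CDP hardening).
import re

# Constructed sample trimmed from the final config above; 203.0.113.2 is a documentation-range placeholder for the real WAN address.
SAMPLE_CONFIG = """\
no service password-encryption
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
ip http server
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 199 permit ip 172.16.0.0 0.0.7.255 any
no cdp run
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
"""

def parse_sections(text):
    """Split a show-run dump into top-level lines plus interface/line stanzas."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                         # blank or comment line
        if raw[0] in " \t":                  # indented: child of the open stanza
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            stanzas[current] = []
    return top, stanzas

def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    top, stanzas = parse_sections(text)
    findings = []
    acls = {m.group(1) for l in top if (m := re.match(r"(?:ip access-list \w+ |access-list )(\S+)", l))}
    nat_acls = {m.group(1) for l in top if (m := re.match(r"ip nat inside source list (\S+)", l))}
    if "no service password-encryption" in top:
        findings.append("global: service password-encryption is disabled")
    if "ip http server" in top:
        findings.append("global: plaintext HTTP management (ip http server) is enabled")
    for l in top:
        # Default route by exit interface forces ARP for every Internet destination.
        if (m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)) and not re.fullmatch(r"\d+(\.\d+){3}", m.group(1)):
            findings.append(f"route: default route via exit interface {m.group(1)}; use the ISP next-hop IP")
        if (m := re.match(r"access-list (\S+) permit ip any any", l)) and m.group(1) in nat_acls:
            findings.append(f"nat: ACL {m.group(1)} permits any any; match the LAN subnet as source")
    for header, body in stanzas.items():
        name = header.split(None, 1)[1]
        if header.startswith("interface "):
            for b in body:   # the NAT list must not double as a packet filter
                if (m := re.match(r"ip access-group (\S+) (in|out)", b)) and m.group(1) in nat_acls:
                    findings.append(f"{name}: NAT ACL {m.group(1)} applied as a packet filter; remove it")
            if "ip nat outside" in body:     # this is the WAN interface
                if "no cdp run" not in top and "no cdp enable" not in body:
                    findings.append(f"{name}: CDP still enabled on the WAN interface")
                for cmd in ("no ip redirects", "no ip proxy-arp"):
                    if cmd not in body:
                        findings.append(f"{name}: WAN interface lacks '{cmd}'")
        else:                                # line con/aux/vty stanzas
            for b in body:
                if b.startswith("transport input") and "telnet" in b:
                    findings.append(f"{name}: telnet allowed ({b}); use 'transport input ssh'")
                if (m := re.match(r"access-class (\S+) in", b)) and m.group(1) not in acls:
                    findings.append(f"{name}: access-class references undefined ACL {m.group(1)}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the eight findings for the sample; a config with the fixes from this thread applied returns an empty list.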

Author Comment

by:BakerSyd
ID: 40199725
Resolved.

Thanks for all your help.
LVL 45

Expert Comment

by:Craig Beck
ID: 40199939
I believe I suggested doing that in my post?!