Setup Cisco 1921 K9 Router

Hi Experts,
I want support in configuring a new Cisco 1921 K9 Router. I bought this router two days back to replace the Linksys router which was provided by the ISP. I have to replace the Linksys router because we have upgraded Internet to 300 Mbps from 100 Mbps. I have set up this router in a test lab with basic settings, with one port with a private IP and the WAN port with DHCP (in production the WAN connection is PPPoE), and configured the NAT also. But it is not working. Below is the running config of the router.

Building configuration...

Current configuration : 5346 bytes
!
! Last configuration change at 04:39:58 UTC Sat Mar 3 2018 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ABCD
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
!
ip domain name abcd.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-550796933
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-550796933
 revocation-check none
 rsakeypair TP-self-signed-550796933
!
!
crypto pki certificate chain TP-self-signed-550796933
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    480B33AF F9916BED 3DF321D7 9CD387D3 114D14A4 97DAF759 30F051FD 41709EFF
  ECF0C5C5 9BA542A2 6563004B 08
        quit
license udi pid CISCO1921/K9
!
!
username admin privilege 15 secret 5
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp hostname ABC-Router
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp ipcp dns request
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 199 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 199 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS


Here are the Cisco IOS commands.


username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end



Thanks
Syed
alrashideen Asked:
 
JustInCase Commented:
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! There should not be 3 equal-cost default routes (change costs or remove default routes that you don't need).
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
! since there is no ACL 100 and the way nat statements are written my guess would be:
!
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip route 0.0.0.0 0.0.0.0 Dialer0
!
! natting access list can't be permit ip any any - it will not be functional as it is written
!
no access-list 199
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
access-list 199 permit ip 172.16.0.0 0.15.255.255 any
access-list 199 permit ip 10.0.0.0 0.255.255.255 any
!
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
! if you want router to be DHCP server for your local hosts
!
ip dhcp pool SomePool
 network x.x.x.x y.y.y.y
 default-router zzz.z.z
 dns-server 8.8.8.8
 
alrashideen (Author) Commented:
Hi Predrag,

Thanks for the support. Yes, it is working in the test lab. Right now the WAN interface is being assigned an IP from the local DHCP server, but this I have to change to PPPoE, and also the access list.

access-list 199 permit ip 192.168.0.0 0.0.255.255 any

Can you please tell me how it will be done.


Thanks
 
JustInCase Commented:
MTU for PPPoE is 1492 (PPPoE header - 6 bytes and PPP Protocol ID - 2 bytes) and often also requires the MSS to be adjusted:
interface dialer 0
 ip mtu 1492
 ip tcp adjust-mss 1452

interface Dialer0
 ip address negotiated <--- will negotiate IP address on Dialer interface.
From some experience with default routes on some routers, typically the best result is achieved with the default route configured as
ip route 0.0.0.0 0.0.0.0 dhcp

Regarding configuring correctly Dialer interface, dialer pool and dialer group you need to know neighboring router parameters (connection parameters should be provided to you).
Configuration example
 
alrashideen (Author) Commented:
Many Thanks Predrag,

I will configure the router accordingly and test connecting it in production.
 
alrashideen (Author) Commented:
Hi,
I am still facing an issue with the router. The issue is I can reach the internet from the router but not from the LAN. Below is the configuration of the router.


Building configuration...

Current configuration : 5859 bytes
!
! Last configuration change at 21:49:23 GMT Sun Mar 4 2018 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ARDT
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 4 0
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
!
ip domain name abc.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-550796933
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-550796933
 revocation-check none
 rsakeypair TP-self-signed-550796933
!
!
crypto pki certificate chain TP-self-signed-550796933
 certificate self-signed 01
        quit
license udi pid CISCO1921/K9 sn FGL182520SL
!
!
username admin privilege 15 secret 5 $1$j
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_ETISALAT
 no ip address
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer1
 description PrimaryWANDesc_ETISALAT_GigabitEthernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly in
!
interface Dialer2
 description PrimaryWANDesc_ETISALAT_GigabitEthernet0/1
 mtu 1492
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 2
 dialer-group 2
 ppp mtu adaptive
 ppp authentication pap callin
 ppp pap sent-username abc password 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
ip nat inside source list nat-list interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
access-list 199 permit ip 172.16.0.0 0.15.255.255 any
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS


Here are the Cisco IOS commands.


username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server asia.pool.ntp.org source GigabitEthernet0/1
!
end


Thanks
 
JustInCase Commented:
I am not sure why you are using mss size 1412 and mtu size 1452 (mss = mtu - 40 <-- so it does not fit into the calculation).
Typically, if there are no additional protocols like encryption, mtu = 1492 and mss = 1452.

Problem is NAT, you did not create ACL nat-list. :)
if ACL 199 is configured according to your needs you can use that one, or you need to create ACL nat-list for traffic to be natted.

no ip nat inside source list 199 interface GigabitEthernet0/1 overload
no ip nat inside source list nat-list interface Dialer2 overload
!
ip nat inside source list 199 interface dialer2 overload

 
alrashideen (Author) Commented:
After correcting the MTU and NAT policies, I am able to reach the internet from inside the LAN. One more thing I need to ask: we have an internal server, 172.16.1.111, which is being accessed from outside on port 8443, and I need to configure the port forwarding on this router. How can I do this?


Thanks
 
JustInCase Commented:
It should be something like this (It could be IOS version dependent) if you are keeping the same port on outside interface and server.
ip nat source static tcp 172.16.1.111  8443 interface dialer2 8443

 
JustInCase Commented:
Solution was confirmed, but the Author did not close question
Question has a verified solution.
