14 Replies. Latest reply: Feb 22, 2012 3:19 PM by Derrick B, CCENT

    router configuration

    Derrick B, CCENT

      Hi all,

       

      Some of you may have seen I am rebuilding my network, and I am working on a design. Unfortunately, my Cisco knowledge isn't as sharp as I thought it was. So, first things first, I am connecting a cable modem to a Cisco router (1721) then to a PC.

       

      Currently NAT is turned off on the modem, It is supposedly in bridging mode, gets an IP address via dhcp and dhcp on the modem is on.

       

      The router is a 1721 with a WIC-4ESW. This is the current configuration:

      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      !
      hostname CROUTEX
      !
      boot-start-marker
      boot-end-marker
      !
      enable secret 5
      no aaa new-model
      ip cef
      !
      !
      !
      !
      no ip domain lookup
      ip domain name
      !
      multilink bundle-name authenticated
      !
      !
      !
      !
      !
      username password 7
      archive
      log config
        hidekeys
      !
      !
      !
      !
      !
      !
      !
      interface FastEthernet0
      description outside
      no ip address
      speed auto
      !
      interface FastEthernet1
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface FastEthernet4
      !
      interface Vlan1
      ip address 192.168.1.1 255.255.255.0
      !
      ip forward-protocol nd
      !
      !
      no ip http server
      no ip http secure-server
      !
      !
      !
      !
      control-plane
      !
      !
      line con 0
      exec-timeout 0 0
      logging synchronous
      line aux 0
      line vty 0 1
      exec-timeout 0 0
      password 7
      logging synchronous
      login local
      transport input ssh
      line vty 2 4
      login
      !

       

       

      Now a few things I know. I want to administer the device remotely via ssh from within the network. I gave vlan1 an ip address for this, on what is supposed to be the internal range. Is this correct?

       

      I know I need to give the external and internal interfaces IP addresses. From my research it appears that ethernet ports on a router cannot be configured with IP addresses like serial ports or whatnot. So I configured the vlan1 IP and assigned the inside interface (fa1) to vlan 1 (sw access vlan 1). Now I need to configure first the external port (fa0) that is coming from the modem, then NAT, and DHCP. I've looked at various articles and they give me a few commands, but I haven't really gotten the information in the format I need it in. Can someone provide me with a breakdown step by step, and perhaps explanations on the way?

      This article is interesting, but it has information all over the place and I can't tell what information is what in some places. They should have made it a walkthrough, not just a config copy.

       

      http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml

        • 1. Re: router configuration
          Paul Stewart  -  CCIE Security

          Regarding the four port esw, you can use vlan 1 as a routing interface and place the IP address there. Some versions also let you type "no switchport" under the respective esw port and use it just like any routed port.

           

          Different versions of code configure the DHCP client differently.  Mine is configured as follows:

          int fa0/0
          ip address dhcp

          ip route 0.0.0.0 0.0.0.0 dhcp

          It is also worth noting that some form of NAT needs to be configured too.  If you want it to behave like a SOHO router you configure what Cisco calls PAT.

          interface x (your outside interface)
          ip nat outside

          interface y (your inside interface)
          ip nat inside

          access-list 1 permit 192.168.1.0 0.0.0.255

          ip nat inside source list 1 interface x overload

          • 2. Re: router configuration
            Derrick B, CCENT

            Doesn't appear to be working. The PC is getting 192.168.117.1 as an IP with no default gateway set. Also, can you explain the last 2 commands? I understood the others. EDIT: If this is correct (http://www.techrepublic.com/article/configure-dhcp-on-a-cisco-router-or-switch/5690240), there are many more options I need to configure. I only have an issue with the DNS settings. If I'm not mistaken, the ISP is setting the DNS via DHCP. How do I set that to DHCP, or can I set it to a known DNS (i.e. right now I am plugged into the modem and can see the DNS servers, can I plug those in?)

             

            Updated config:

            interface FastEthernet0
            description outside
            ip address dhcp
            ip nat outside
            ip virtual-reassembly
            speed auto
            !
            interface FastEthernet1
            !
            interface FastEthernet2
            !
            interface FastEthernet3
            !
            interface FastEthernet4
            !
            interface Vlan1
            ip address 192.168.1.1 255.255.255.0
            ip nat inside
            ip virtual-reassembly
            !
            ip forward-protocol nd
            ip route 0.0.0.0 0.0.0.0 dhcp
            !
            !
            no ip http server
            no ip http secure-server
            ip nat inside source list 1 interface FastEthernet1 overload
            !
            access-list 1 permit 192.168.1.0 0.0.0.255

            • 3. Re: router configuration
              Scott Morris - CCDE/4xCCIE/2xJNCIE

              You could always use a known DNS server like 8.8.8.8...  Or you could look at what is provided by your ISP and figure that even if your IP changes, the DNS servers will most likely not change!  So just use them.

               

              But yes, you'll likely want DHCP on your own router, or a local machine to handle things, as the SP's DHCP server will not be set to grant IP addresses to your systems other than the directly attached ones.

               

              The last two commands he has will allow NAT of your internal IPs to the outside interface IP (given by SP) to access the internet.  It has an ACL on there to limit NAT only to the devices in that particular subnet.

               

              HTH,

               

              Scott

              • 4. Re: router configuration
                Derrick B, CCENT

                I tried using the ISP DNS servers, no joy, but I have a feeling that DNS is my issue. I wish I had some way to determine where the issue is.

                • 5. Re: router configuration
                  Scott Morris - CCDE/4xCCIE/2xJNCIE

                  When you say "issue" what do you mean?

                   

                  Can you ping someplace using an IP but not a name?  (that indicates DNS rather than transport)

                   

                  What does "show ip nat translation" show on your router?  You should have entries from your PCs going out.

                   

                  Scott

                  • 6. Re: router configuration
                    Derrick B, CCENT

                    I swear this place needs a "keep me logged in" button.

                     

                    Anyway, when connected to the router I am unable to get off the local LAN, no internet access. I am able to ping the internal interface of vlan1, but not the external interface with the supposed ISP IP, or any external IP or URL.

                    • 7. Re: router configuration
                      ESummers

                      I don't want to interfere in Scott and Paul's troubleshooting, but I wanted to confirm something from your original post.

                       

                      Can you confirm that the cable modem is truly bridging, and passing through the ISP-assigned IP address to your router's external interface?  Your OP noted:

                       

                      "Currently NAT is turned off on the modem, It is supposedly in bridging mode, gets an IP address via dhcp and dhcp on the modem is on."

                       

                      This seems to indicate that your cable modem is pulling and holding the ISP-assigned IP address, so you must be getting multiple public IPs for your router to also get an ISP-assigned IP.  Also, you would not need DHCP enabled on the cable modem unless for some reason this is required to pass through the public IP to the router.  If your cable modem is assigning a private IP to your router external interface, and the cable modem NAT functionality is also disabled, that would explain part of the issue.

                       

                      Can you verify the IP address being assigned to the router's external interface (show interface fa0)? 

                       

                      Also, I noticed a possible typo:

                      "ip nat inside source list 1 interface FastEthernet1 overload"

                       

                      That should be:

                      ip nat inside source list 1 interface FASTETHERNET0 overload

                       

                      Best of luck,

                      Ed

                      • 8. Re: router configuration
                        Derrick B, CCENT

                        Well, I can say that my modem has a few options: NAPT, which is apparently the version of NAT that the ISP uses. When turned on, I can have multiple hosts on my network; when it's off, only 1. The modem also has an Rg PassThrough option I see is required to be turned on for bridging... Anyway, finally, I tried turning off the DHCP option, but I assume the router wasn't able to pull an IP without it. I'll give it another shot.

                         

                        Also something I noted, when I used dhcp, and nat on the router, the routing table is empty, not even a default route, though it is specified in the configuration as being provided via dhcp if I remember correctly?

                         

                        I'll post an updated config shortly.

                        • 9. Re: router configuration
                          Derrick B, CCENT

                          !
                          no aaa new-model
                          ip cef
                          !
                          !
                          no ip dhcp use vrf connected
                          !
                          ip dhcp pool pool
                             domain-name stormnet.local
                             dns-server 8.8.8.8 4.4.4.4
                          !
                          !
                          no ip domain lookup
                          ip domain name stormnet.local
                          !
                          multilink bundle-name authenticated
                          !
                          !
                          !
                          !
                          !
                          username password 7
                          archive
                          log config
                            hidekeys
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          interface Loopback0
                          no ip address
                          shutdown
                          !
                          interface FastEthernet0
                          description outside
                          ip address dhcp
                          ip nat outside
                          ip virtual-reassembly
                          speed auto
                          !
                          interface FastEthernet1
                          !
                          interface FastEthernet2
                          !
                          interface FastEthernet3
                          !
                          interface FastEthernet4
                          !
                          interface Vlan1
                          description inside
                          ip address 192.168.1.1 255.255.255.0
                          ip nat inside
                          ip virtual-reassembly
                          !
                          ip forward-protocol nd
                          ip route 0.0.0.0 0.0.0.0 dhcp
                          !
                          !
                          no ip http server
                          no ip http secure-server
                          ip nat inside source list 1 interface FastEthernet0 overload
                          !
                          !
                          !
                          !
                          control-plane

                           

                          With this configuration, the PC does not get an IP automatically. If I manually set it to, for instance, 192.168.1.2, I can ping 1.1 (the internal interface), but still can't reach the external interface. (Interestingly enough, with this config, I can see the ISP under my default gateway... I don't know what's up with that, but I cannot ping it.)

                           

                          show ip route:

                           

                          Gateway of last resort is not set

                           

                          C    192.168.1.0/24 is directly connected, Vlan1

                           

                          show ip nat translations:

                           

                          nothing.

                          • 10. Re: router configuration
                            Derrick B, CCENT

                            Okay all, almost got this working. I'm going to post as close to a full config as I can. I can ping almost everywhere now, except the default gateway...

                             

                            no ip dhcp use vrf connected
                            !
                            ip dhcp pool pool
                               network 192.168.1.0 255.255.255.0
                               domain-name stormnet.local
                               dns-server 209.18.47.61 209.18.47.62
                               default-router 24.88.73.221
                               lease 7
                            !
                            !
                            no ip domain lookup
                            ip domain name stormnet.local
                            !
                            multilink bundle-name authenticated
                            !
                            !
                            !
                            !
                            !
                            username password 7
                            archive
                            log config
                              hidekeys
                            !
                            !
                            !
                            !
                            !
                            !
                            !
                            interface Loopback0
                            no ip address
                            shutdown
                            !
                            interface FastEthernet0
                            description outside
                            ip address 24.88.73.221 255.255.248.0
                            ip nat outside
                            ip virtual-reassembly
                            speed auto
                            !
                            interface FastEthernet1
                            !
                            interface FastEthernet2
                            !
                            interface FastEthernet3
                            !
                            interface FastEthernet4
                            !
                            interface Vlan1
                            description inside
                            ip address 192.168.1.1 255.255.255.0
                            ip nat inside
                            ip virtual-reassembly
                            !
                            ip forward-protocol nd
                            ip route 0.0.0.0 0.0.0.0 24.88.72.1
                            !
                            !
                            no ip http server
                            no ip http secure-server
                            ip nat inside source list 1 interface FastEthernet0 overload
                            !
                            !
                            !
                            !
                            control-plane
                            !
                            !
                            line con 0
                            exec-timeout 0 0
                            logging synchronous
                            line aux 0

                            • 11. Re: router configuration
                              ESummers

                              Which "default gateway" can the PC not ping? If the PCs are on the same subnet as your vlan1, your "default router" statement should be 192.168.1.1 (in your dhcp pool).  The hosts need a default gateway that is on the same network as they are (as the purpose is to help them reach other networks).

                               

                              ***Note:  Consider changing your user (sephiroth) password. The encryption on those passwords is reversible, and now both the password and your current public IP have been posted.

                               

                              Best of luck,

                              Ed
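
An added example, not code from any poster in this thread: a small Python lint for the configuration mistakes raised in replies 7 and 11 (the PAT rule overloading onto an interface that is not `ip nat outside`, a DHCP `default-router` outside the pool's subnet, reversible `password 7` strings), plus the `exec-timeout 0 0` lines in the posted configs. The sample config is constructed, uses documentation addresses and a placeholder secret, and assumes the indentation that `show running-config` prints; the check names are hypothetical.

```python
import ipaddress
import re

# Constructed sample laid out the way `show running-config` prints it.
# Documentation addresses and a placeholder secret; not the poster's values.
SAMPLE = """\
ip dhcp pool pool
 network 192.168.1.0 255.255.255.0
 default-router 203.0.113.221
username admin password 7 PLACEHOLDER
interface FastEthernet0
 description outside
 ip address dhcp
 ip nat outside
interface FastEthernet1
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 1
 exec-timeout 0 0
 password 7 PLACEHOLDER
"""

def parse_sections(text):
    """Map each top-level command to the list of indented lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Return (check_id, detail) findings for the mistakes discussed here."""
    sec, findings = parse_sections(text), []
    for head, body in sec.items():
        # Type 7 strings are reversible obfuscation, not a hash.
        if any(re.search(r"\bpassword 7\b", l) for l in [head] + body):
            findings.append(("type7-password", head.split(" password ")[0]))
        # An idle timeout of 0 0 leaves a session open indefinitely.
        if head.startswith("line ") and "exec-timeout 0 0" in body:
            findings.append(("no-idle-timeout", head))
        # DHCP clients need a gateway inside their own subnet.
        if head.startswith("ip dhcp pool "):
            opts = {l.split()[0]: l.split()[1:] for l in body}
            if len(opts.get("network", [])) >= 2 and opts.get("default-router"):
                addr, mask = opts["network"][:2]
                net = ipaddress.ip_network(addr + "/" + mask.lstrip("/"), strict=False)
                gw = ipaddress.ip_address(opts["default-router"][0])
                if gw not in net:
                    findings.append(("dhcp-gateway-off-subnet", str(gw)))
        # PAT must overload onto the interface marked `ip nat outside`.
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", head)
        if m:
            acl, ifname = m.groups()
            if "ip nat outside" not in sec.get("interface " + ifname, []):
                findings.append(("nat-overload-not-outside", ifname))
            if not any(h.startswith(f"access-list {acl} ") for h in sec):
                findings.append(("nat-acl-missing", acl))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```
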

                              • 12. Re: router configuration
                                Derrick B, CCENT

                                Thanks for the heads up, the pw isn't used elsewhere, but I'll change it right away.

                                Anyway, the PC (and the router) cannot ping the default gateway as specified by the ISP, 24.88.72.1.

                                • 13. Re: router configuration
                                  ESummers

                                  Gotcha.  With that, I wouldn't worry so much AS LONG AS you have connectivity to other devices on "the Internet".  Your ISP may just be filtering ICMP/ping on that device.  We generally maintain a short list of "known-pingable" public addresses for this purpose, as several installers have wasted time trying to ping a device that filtered pings. 

                                   

                                  As long as your traffic is getting out, probably no issue there.

                                  • 14. Re: router configuration
                                    Derrick B, CCENT

                                    Negative, in this case there is no network connectivity and I can't ping it. I can however ping it if I connect my PC directly to the modem.