
FAQ Revisions. Editors: skj, Covenant, aryoba, Phraxos. Last modified on 2009-11-20 08:39:48
50.1 PPPoE/PPPoA/DHCP
* Sample Configuration on Real Network
* Configure router as DHCP client using external modem
* Configure router with integrated ADSL modem as DHCP client
* Configure ASA/PIX Firewall as DHCP client using external modem
* Quick Guide of Configuring Cisco router for PPPoE using external modem
* Walkthrough of Configuring Cisco Routers for ADSL PPPoE using external modem
* 678 ADSL External Modem/Router
* 678 on MSN DSL
* Configuring router with integrated ADSL modem running PPPoE
* Configure ASA/PIX Firewall as PPPoE client using external modem
* ADSL router configuration for PPPoA/PPPoE with NAT
* ADSL Router Sample Configuration running GRE
* Configuring router with integrated ADSL modem running PPPoA
* Generic PPPoA configuration w/ dynamic address
* Generic PPPoA/PPPoE/RFC1483 Bridging/RFC1483 Routing Guide
* Generic PPPoE configuration
* How can I configure broadband router with cable/dsl using static IP address
* Configure ASA/PIX Firewall using static IP address from ISP
* Setting Up Network With ISP WAN and Public IP Block subnets running NAT
ISPs used in the thread: SBC (PPPoE), Verizon (US, PPPoE), Zen (UK, PPPoA)
»PPPoE configs required
Notes:
* Qwest uses PPPoA in certain areas and PPPoE in others for xDSL services. If Qwest is your DSL provider, confirm with Qwest which PPP technology is used in your area.
* Verizon uses DHCP/static addressing in certain areas and PPPoE in others for xDSL services. If Verizon is your DSL provider, confirm with Verizon which technology is used in your area.
Non-PPPoE Static IP Verizon ADSL Sample Configuration (contributed by mannygib )
More Sample Configurations
The following links provide sample configurations for Cisco routers in PPPoE, PPPoA, and DHCP environments. Your network setup could be similar, different, or mixed, and you may not even use the same router model as the sample configurations. The samples are generic enough to adapt, so explore the links and see if you can answer your own question. Of course you can always post questions to the forum for further assistance. Have fun :)
Cisco website: Router Configuration Examples and TechNotes
Cisco 827 Router Configuration Frequently Asked Questions
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco
by aryoba  last modified: 2009-08-28 09:48:04
Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to receive an IP address automatically. In other words, the ISP treats the subscriber's router as a DHCP client.
When this is your case, the following sample configuration is a good starting point. Though the example uses a 2514 router, the configuration applies to any router with two Ethernet interfaces (one for the WAN, facing the ISP, and one for the LAN, facing your computers).
A typical network environment for this sample router configuration is as follows:
* There is a modem in front of the router; the modem connects to the ISP
* The ISP provides a public IP address to the router via DHCP
* The WAN interface (Ethernet0 in this sample) receives the ISP-provided public IP address through the DHCP exchange between the router and the ISP network
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided public IP address
* All internal IP addresses are NAT/PAT-ed to the ISP-provided public IP address (the Ethernet0 interface IP address)
* The router also acts as DHCP server, handing out dynamic IP information to hosts behind the router
Note:
Keep in mind that there are two DHCP processes in this sample configuration. One runs between your ISP and the router, the other between the router and the machines on your LAN. Your ISP hands out one specific address (e.g. 1.1.1.1) to the router's WAN interface, while your router hands out completely different addresses for internal use.
As mentioned, this sample configuration uses Ethernet0 as the WAN interface that receives the ISP-provided public IP address via DHCP. You can use any available interface on your router instead, such as Ethernet1, FastEthernet0/0, or GigabitEthernet1/0. If you do not use the exact interface shown, adjust every reference to it (the interface stanza, ip nat outside, and the interface named in the ip nat inside source ... overload command) to match your router.
This sample router configuration assumes the following:
* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24
* All hosts use the router's inside interface IP address as their gateway: 192.168.1.1
* The range 192.168.1.31-192.168.1.254 is available to DHCP pool clients
* Consequently, the range 192.168.1.2-192.168.1.30 is reserved for statically-assigned hosts
* DHCP clients also receive the DNS server addresses 4.2.2.5, 4.2.2.6, and 4.2.2.66 as part of their lease
* When hosts behind the router go out to the Internet, they appear as the router's outside interface IP address (the ISP-assigned public IP address)
Note:
* The DNS server addresses used here (4.2.2.5, 4.2.2.6, and 4.2.2.66) may not be your ISP's DNS servers. To use your ISP's DNS servers, simply replace those addresses with the ones your ISP gives you.
SAMPLE CONFIGURATION
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
!
interface Ethernet0
 description Facing the ISP (the WAN)
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 description Facing my LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 password 7 104308100F1E1C0C
 logging synchronous
 login
 transport input none
line aux 0
 password 7 082C4D4703100B10
 login
line vty 0 4
 password 7 050607062B45400E
 login
!
end
Some DHCP discussions. »[Config] my verizon DSL and cisco 2514 configuration »[HELP] 2650XM Config for RR
Note:
* Notice that the gateway of last resort command (ip route 0.0.0.0 0.0.0.0 ...) is deliberately absent. With a dynamic public address the router installs its default route from the default-gateway option in the ISP's DHCP lease, so a static default route is not needed; that is the whole point of using DHCP on the WAN interface.
* Some ISPs tie the address they hand out to a specific MAC address. When this is the case, either ask your ISP to register the correct MAC address (your router's WAN interface MAC address) or "clone" the MAC address of the device that already works onto the router's WAN interface (the mac-address command under the interface). Check out the following thread for an illustration:
»[help] 851W and ISP DHCP
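One more thing to notice in the sample configuration above: the line passwords are stored as "password 7", which is what service password-encryption produces. That scheme is a fixed-key XOR, not encryption, so anyone who obtains a copy of the config (a backup server, a TFTP share, a pasted forum post) gets the plaintext back instantly. The following Python script is an added example, not part of the FAQ: it decodes type 7 strings, walks a config stanza by stanza to find them, and reports when several lines share one secret. The SAMPLE_CONFIG is constructed from the line stanzas of the 2514 sample above; the key constant is the well-known IOS type 7 key.

```python
"""Audit an IOS configuration for reversible 'password 7' secrets.

Added example, not part of the original FAQ. It shows why the
'service password-encryption' line in the sample configuration is
obfuscation rather than protection: type 7 is a fixed-key XOR that
anyone holding a copy of the config can undo.
"""
import re

# The constant key IOS uses for type 7 strings; it has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext: the first two digits are the key offset, the rest
    is hex, one byte per character, XORed with successive key bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def type7_encode(plain: str, offset: int = 2) -> str:
    """Inverse of type7_decode (same XOR); handy for building test vectors.
    IOS itself picks a random offset in the range 0..15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be in the range 0..15")
    hex_bytes = (f"{b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]:02X}"
                 for i, b in enumerate(plain.encode("ascii")))
    return f"{offset:02d}" + "".join(hex_bytes)


# Matches 'password 7 <hex>' and 'enable password 7 <hex>' lines.
_PASSWORD7 = re.compile(r"^\s*(?:enable\s+)?password\s+7\s+([0-9A-Fa-f]+)\s*$")


def audit_config(config_text: str) -> list:
    """Walk the config stanza by stanza and return a list of
    (stanza, encoded, recovered) tuples, one per type 7 secret found."""
    findings = []
    stanza = "global"
    for line in config_text.splitlines():
        if line and not line.startswith((" ", "!")):
            stanza = line.strip()          # an unindented line opens a new stanza
        m = _PASSWORD7.match(line)
        if m:
            findings.append((stanza, m.group(1), type7_decode(m.group(1))))
    return findings


def reused_secrets(findings: list) -> dict:
    """Group stanzas that share one recovered secret: a single leak then
    opens every one of those lines (console, aux and vty alike)."""
    by_secret = {}
    for stanza, _encoded, recovered in findings:
        by_secret.setdefault(recovered, []).append(stanza)
    return {s: stanzas for s, stanzas in by_secret.items() if len(stanzas) > 1}


# Constructed input: the line stanzas copied from the FAQ's 2514 sample above.
SAMPLE_CONFIG = """\
service password-encryption
!
line con 0
 exec-timeout 0 0
 password 7 104308100F1E1C0C
 login
 transport input none
line aux 0
 password 7 082C4D4703100B10
 login
line vty 0 4
 password 7 050607062B45400E
 login
"""

if __name__ == "__main__":
    hits = audit_config(SAMPLE_CONFIG)
    for stanza, encoded, recovered in hits:
        print(f"{stanza:<14} password 7 {encoded} -> {recovered}")
    for secret, stanzas in reused_secrets(hits).items():
        print(f"one secret shared by {len(stanzas)} lines: {', '.join(stanzas)}")
```

Running it against the sample shows that all three line passwords decode to the same plaintext, so compromising the config compromises console, aux and vty access at once. The practical fix is not a stronger type 7 but a different command: enable secret and username ... secret store a one-way hash (MD5 "type 5" on this IOS generation, scrypt/PBKDF2 "type 8/9" on newer images), and the vty lines should use login local with such a user plus transport input ssh.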
by aryoba  last modified: 2009-09-28 10:05:49
Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to receive an IP address automatically. In other words, the ISP treats the subscriber's router as a DHCP client.
When this is your case, the following sample configuration is a good starting point. A typical network environment for this sample router configuration is as follows:
* There is no external modem in front of the router
* The modem to the ISP is built into the router itself
* The DSL line goes directly into the router's internal modem
* The ISP provides a public IP address to the router via DHCP
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided public IP address
* The router can also act as DHCP server, handing out dynamic IP information to hosts behind the router
Note:
Keep in mind that when the router acts as DHCP server there are two DHCP processes in this sample configuration. One runs between your ISP and the router, the other between the router and the machines on your LAN. Your ISP hands out one specific address (e.g. 1.1.1.1) while your router hands out completely different addresses for internal use.
Preliminary
DHCP client configuration for a generic (dual-Ethernet) router and for an ADSL router is basically the same. Specifically for an ADSL router, you also need to configure the DSL (ATM) interface, the BVI interface, and the IRB feature.
To go a bit technical, the ATM interface should be configured as a point-to-point sub-interface carrying the VPI/VCI value that matches your ISP. The reason is that a single ATM interface can carry multiple VPI/VCI values (PVCs). Binding a point-to-point sub-interface to one specific VPI/VCI tells the ADSL modem which circuit to forward the traffic on.
The next step is to tie the point-to-point ATM sub-interface to a specific BVI interface by placing them in the same broadcast domain. In this sample configuration both the ATM sub-interface and the BVI interface are in broadcast domain 1 (bridge group 1).
The reason for this setup is as follows. Two interfaces deal with the DSL connection. One is the physical ATM interface, where you plug in the phone cable. The other is the logical Layer-2/3 BVI interface, which does the IP routing. In other words, the BVI handles the IP side of the connection to the ISP and the Internet.
Logically the BVI is the WAN side, while the LAN side is still the Ethernet interface. When your LAN needs to reach the Internet, the router forwards the packets from the Ethernet interface to the BVI interface. Since the BVI is a logical interface rather than a physical one, it then looks for its associated physical interface to send the packets out on. That physical interface is the ATM sub-interface.
To make sure the BVI knows that its associated physical interface is the ATM sub-interface, you put them in the same broadcast domain. This is where the bridge-group 1 command comes in handy.
Since your router has two interfaces (the ATM sub-interface and the BVI) in the same broadcast domain and also needs to route IP between your ISP and your LAN, you also need to enable IRB. IRB is short for Integrated Routing and Bridging. With IRB (bridge irb together with bridge 1 route ip), the router acts as a bridge between the ATM sub-interface and the BVI, and as a router for traffic between your ISP and your LAN.
This sample router configuration assumes the following:
* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* All hosts use the router's inside interface IP address as their gateway: 10.10.10.1
* The range 10.10.10.2 to 10.10.10.254 is available for your LAN devices/hosts
* When hosts behind the router go out to the Internet, they appear as the router's outside interface IP address (the ISP-assigned public IP address)
SAMPLE CONFIGURATION
Following is a sample configuration to set an ADSL router as the ISP's DHCP client.
!
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
ip subnet-zero
!
bridge irb
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 bundle-enable
 hold-queue 208 in
!
interface ATM0.35 point-to-point
 no ip directed-broadcast
 pvc 0/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface BVI1
 ip address dhcp
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface BVI1 overload
ip classless
no ip http server
!
access-list 1 permit 10.10.10.0 0.0.0.255
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 password ****
 login
!
scheduler max-task-time 5000
end
Please note that the pvc (vpi/vci) value used in this sample configuration MUST BE MODIFIED to match your ISP's vpi/vci. Only your ISP knows for sure which value they use, so ask them.
Note:
* Notice that the gateway of last resort command (ip route 0.0.0.0 0.0.0.0 ...) is deliberately absent. With a dynamic public address the router installs its default route from the default-gateway option in the ISP's DHCP lease, so a static default route is not needed; that is the whole point of using DHCP on the BVI.
* Some ISPs tie the address they hand out to a specific MAC address. When this is the case, either ask your ISP to register the correct MAC address (your router's WAN interface MAC address) or "clone" the MAC address of the device that already works onto the router. Check out the following thread for an illustration:
»[help] 851W and ISP DHCP
Setup the router as DHCP server (handing out IP addresses to LAN hosts automatically)
Keep in mind that the sample configuration above assumes all of your LAN machines (computers, print servers, and so on) have their IP addresses statically configured. When your computers are set to receive an IP address automatically (that is, they are DHCP clients), you need to configure the router as the DHCP server for your LAN. The following is the needed configuration.
ip dhcp excluded-address 10.10.10.1 10.10.10.31
!
ip dhcp pool CLIENT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
 import all
With the above setup:
* The range 10.10.10.32-10.10.10.254 is available to DHCP pool clients
* Consequently, the range 10.10.10.2-10.10.10.31 is reserved for statically-assigned hosts
* DHCP clients also receive the DNS server addresses 4.2.2.5, 4.2.2.6, and 4.2.2.66 as part of their lease
* These addresses should be either your local DNS/WINS servers or ISP-provided DNS servers
* import all additionally copies the options (such as DNS servers) that the router itself learned from the ISP's DHCP lease into this pool
by aryoba  last modified: 2008-06-04 12:41:43
Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL internet connections, the ISPs inform their customers (subscribers) to set their router to receive IP address from them automatically. This means that the ISPs treat their subscriber's router as DHCP client.
When this is your case, the following sample configurations are a good starting point to help you configure the firewall. Two are provided, one for the PIX and one for the ASA. Note that both are functionally equivalent.
A typical network environment for this sample PIX/ASA configuration is as follows:
* There is a modem in front of the PIX/ASA; the modem connects to the ISP
* The ISP provides a public IP address to the PIX/ASA via DHCP
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided public IP address
* The PIX/ASA also acts as DHCP server for the local LAN, handing out dynamic IP information to hosts behind it
Note:
Keep in mind that there are two DHCP processes in this sample configuration. One runs between your ISP and the PIX/ASA, the other between the PIX/ASA and the machines on your LAN. Your ISP hands out one specific WAN or public IP address (e.g. 1.1.1.1) to the outside interface of your PIX or ASA through the ISP's DHCP, while your PIX/ASA hands out completely different addresses for internal use through its own DHCP server.
This sample PIX/ASA configuration assumes the following:
* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All hosts use the PIX/ASA inside interface IP address as their gateway: 10.0.0.1
* The range 10.0.0.30-10.0.0.254 is available to DHCP pool clients
* Consequently, the range 10.0.0.2-10.0.0.29 is reserved for statically-assigned hosts
* DHCP clients also receive the DNS server addresses 68.87.64.196 and 68.87.66.196 as part of their lease
* When hosts behind the PIX/ASA go out to the Internet, they appear as the PIX/ASA outside interface IP address (the ISP-assigned public IP address)
* Only the necessary inbound ICMP packets from the Internet are permitted: echo-reply (type 0), destination unreachable (type 3), and time exceeded (type 11), so that ping, traceroute, and path MTU discovery from the LAN keep working while inbound echo requests are still dropped
SAMPLE CONFIGURATION
1. PIX
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Note: snmp-server community public is the PIX default community string. Change it before you point any SNMP management station at the firewall, so that the well-known string cannot be used to poll it.
2. ASA
hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
prompt hostname context
Note: the ASA sample carries webvpn with enable outside, which makes the SSL VPN portal listen on the Internet-facing interface. Remove those two lines unless you actually run WebVPN on this box; there is no reason for the DHCP/NAT setup described here to expose it.
by aryoba  last modified: 2008-12-11 08:57:38
Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to obtain an IP address using a username and password. In other words, the ISP treats the subscriber's router as a PPP client.
When this is your case, the following sample configuration is a good starting point. If your ISP requires PPPoE for Internet access, the general idea is that you configure the router as a PPPoE client to the ISP.
Following is a sample configuration using a Cisco 2514 with IOS 12.3. Even though the example uses a 2514, the configuration applies to any router with two Ethernet interfaces.
A typical network environment for this sample router configuration is as follows:
* There is a modem in front of the router; the modem connects to the ISP
* The ISP provides a public IP address to the router via PPPoE
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided public IP address
This sample router configuration assumes the following:
* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* All hosts use the router's inside interface IP address as their gateway: 10.10.10.1
* The range 10.10.10.2-10.10.10.254 is available for hosts on your LAN
* When hosts behind the router go out to the Internet, they appear as the router's outside interface IP address (the ISP-assigned public IP address)
* The router is not set up as DHCP server for the LAN machines. See the next PPP router sample configuration for an illustration of setting up the router as DHCP server.
SAMPLE CONFIGURATION
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname Router
!
enable password xxxxxxxxxx
no aaa new-model
ip subnet-zero
ip cef
!
!!!!! Configure Router as PPPoE Client to the ISP
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!!!!!
!
interface Ethernet0
 description My LAN Interface
 ip address 10.10.10.1 255.255.255.0
 !!!! When NAT/PAT occurs, this interface is the source candidate (inside local)
 ip nat inside
 !!!!
 no ip mroute-cache
 no cdp enable
!
interface Ethernet1
 description Physical ADSL Interface (Facing the ISP)
 no ip address
 no ip mroute-cache
 !!!! Ties this interface to the Dialer interface
 pppoe enable
 pppoe-client dial-pool-number 1
 !!!!
 no cdp enable
!
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
interface Serial1
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
interface Dialer1
 description Logical ADSL Interface
 ip address negotiated
 ip mtu 1492
 !!!! When NAT/PAT occurs, this interface is the destination candidate (inside global)
 ip nat outside
 !!!!
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 !!!!! Ties this logical interface to the proper physical interface
 dialer pool 1
 !!!!!
 !!!!! Passing the protocol allowed by the "dialer-list" command
 dialer-group 1
 !!!!!
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ispusername
 ppp chap password isppassword
 ppp pap sent-username ispusername password isppassword
 !!!! Default Gateway to the ISP
 ppp ipcp route default
 !
 ppp ipcp dns request accept
 ppp ipcp address accept
!
!!!! PAT subnets allowed by the ACL 10
ip nat inside source list 10 interface Dialer1 overload
!!!!
no ip http server
ip classless
!!!!
!
!!!! ACL 10 determines which subnet to be PATed
access-list 10 permit 10.10.10.0 0.0.0.255
!!!!
!!!! Determine which protocol to pass through
dialer-list 1 protocol ip permit
!!!!
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
Replace ispusername and isppassword with the credentials your ISP gave you (the credential values were blank in the original posting). Note also that the vty lines use login local, which authenticates against locally configured username entries; add at least one (username name secret password) before relying on remote access, and prefer enable secret over the enable password shown here.
A Walkthrough »Cisco Forum FAQ »Walkthrough of Configuring Cisco Routers for ADSL PPPoE using external modem
Note: For those curious to learn more about PPPoE client configuration on a Cisco router, you can issue ? (the question mark) under the vpdn-group request-dialin section to list the protocols available for the VPDN dial. As a heads-up, pppoe may not appear in that list. However, when you enter the pppoe command the router accepts it without complaint. In other words, the pppoe protocol choice may be somewhat hidden.
More PPPoE sample configuration »Cisco Forum FAQ »Wireless Router Sample Configuration
Some discussion »getting my hand wet over cisco!! please help
Troubleshooting PPPoE Troubleshooting Guide from official Cisco website in case something goes wrong
Side Note: Some might argue that this configuration only applies to dynamic ISP IP address assignment, and that with a static address the command under interface Dialer1 should be ip address x.x.x.x x.x.x.x instead of ip address negotiated. However, in some cases you may still have to use ip address negotiated with a static IP address to make everything work (the VPN, public server access, etc.), since the ISP typically assigns the same static address through IPCP on every session anyway.
Check out the following FAQ for more info »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Tips: To find out which DNS addresses your ISP supplies through ppp ipcp dns request accept, run debug ppp negotiation (or the noisier debug ppp packet) together with terminal monitor. Watch the scrolling lines during this debug, especially the IPCP options carrying the router's IP address and the DNS addresses. Once you see the DNS addresses, stop the debug and monitoring with undebug all and terminal no monitor.
by aryoba  last modified: 2009-08-27 10:50:56
Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For a quick guide and some network topology, check out the following FAQ
»Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem
This FAQ serves as a basic walk-through of the above FAQ, providing deeper descriptions of configuring any Cisco router running IOS with two Ethernet interfaces for ADSL. For more info, check out the above FAQ.
First we need to build the VPDN group so that we can add our dialer after we configure the Ethernet interface we will use for the WAN connection.
router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#vpdn enable
router(config)#vpdn-group 1
router(config-vpdn)#request-dialin
router(config-vpdn)#protocol pppoe
router(config-vpdn)#exit
Now we configure one Ethernet interface for use as our WAN interface. The pppoe-client dial-pool-number 1 line is what binds this physical interface to dialer pool 1, which the Dialer interface joins in the next step; without it the dialer has no physical interface to use.
router(config)#interface Ethernet1
router(config-if)#description ADSL WAN Interface
router(config-if)#no ip address
router(config-if)#no ip redirects
router(config-if)#no ip unreachables
router(config-if)#no ip proxy-arp
router(config-if)#no ip mroute-cache
router(config-if)#pppoe enable
router(config-if)#pppoe-client dial-pool-number 1
router(config-if)#no cdp enable
router(config-if)#exit
Now to add your Dialer interface:
router(config)#interface Dialer1
router(config-if)#description ADSL WAN Dialer
router(config-if)#ip address negotiated
router(config-if)#no ip unreachables
router(config-if)#ip nat outside
router(config-if)#encapsulation ppp
router(config-if)#no ip mroute-cache
router(config-if)#dialer pool 1
router(config-if)#dialer-group 1
router(config-if)#no cdp enable
At this point you need to find out what type of authentication your ISP requires. When you run into problems here (the ISP says one thing, it is actually something else...), turn on debug ppp negotiation or debug ppp authentication (or debug ppp packet for the raw frames) to see what the far end actually asks for. Generally you will need either CHAP or PAP; some ISPs require both. Following is how to set both up.
router(config-if)#ppp authentication chap callin
router(config-if)#ppp chap hostname ispusername
Make sure the username is whatever your ISP requires. Some ISPs want the full e-mail address, others just the username. You may have received a letter or e-mail with this information; consult your ISP if you are unsure. Following is the setup.
router(config-if)#ppp chap password isppassword
router(config-if)#ppp pap sent-username ispusername password isppassword
With PAP, as opposed to CHAP, you enter the username and password together in one command. Note that PAP sends that password across the link in clear text, while CHAP only sends an MD5 hash computed over a challenge, so prefer CHAP when the ISP accepts it. The callin keyword means the router authenticates itself only when the ISP challenges it and never demands authentication from the ISP.
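To make the CHAP-versus-PAP difference concrete, here is an added example (not from the FAQ) that builds the actual packets both methods put on the link and lets the "ISP" side verify them. The two sides are plain Python functions exchanging constructed byte strings; USERNAME and SECRET stand in for the ppp chap hostname / ppp chap password / ppp pap sent-username values and are assumptions, not real credentials. The packet layouts follow RFC 1994 (CHAP) and RFC 1334 (PAP).

```python
"""PPP authentication as seen from the Dialer interface: CHAP (RFC 1994)
versus PAP (RFC 1334).

Added example, not part of the original FAQ. The two sides are plain
Python functions exchanging constructed byte strings; USERNAME and SECRET
are placeholders, not real ISP credentials.
"""
import hashlib
import hmac
import os

USERNAME = b"ispusername"   # 'ppp chap hostname' / 'ppp pap sent-username'
SECRET = b"isppassword"     # 'ppp chap password' / PAP password

# --- ISP (access concentrator) side -----------------------------------------

def chap_challenge(length: int = 16) -> bytes:
    """The ISP sends a fresh random challenge on every authentication round."""
    return os.urandom(length)


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response_value: bytes) -> bool:
    """Recompute MD5(ID || secret || challenge) from the ISP's own copy of the
    secret and compare in constant time; the secret itself never crosses the link."""
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response_value)


def chap_check_packet(identifier: int, secret: bytes, challenge: bytes,
                      packet: bytes) -> tuple:
    """Parse a CHAP Response packet (Code 2) and verify it.
    Returns (accepted, peer name); a malformed or mismatched packet is rejected."""
    if len(packet) < 5 or packet[0] != 2 or packet[1] != identifier:
        return False, b""
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False, b""
    value_size = packet[4]
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:]
    return chap_verify(identifier, secret, challenge, value), name

# --- Router (PPPoE client) side ---------------------------------------------

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, secret: bytes, challenge: bytes,
                         name: bytes) -> bytes:
    """Build the CHAP Response: Code=2, Identifier, Length, Value-Size, Value, Name.
    With 'ppp authentication chap callin' the router only ever sends this in
    reply to a challenge; it never challenges the ISP."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return bytes([2, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def pap_authenticate_request(identifier: int, username: bytes, password: bytes) -> bytes:
    """Build the PAP Authenticate-Request (Code 1): Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. The password rides across the link in the clear."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    return bytes([1, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def run_chap_exchange(identifier: int = 1) -> bool:
    """One full round: ISP challenges, router answers, ISP verifies."""
    challenge = chap_challenge()
    packet = chap_response_packet(identifier, SECRET, challenge, USERNAME)
    accepted, name = chap_check_packet(identifier, SECRET, challenge, packet)
    return accepted and name == USERNAME


if __name__ == "__main__":
    print("CHAP exchange accepted:", run_chap_exchange())
    pap = pap_authenticate_request(1, USERNAME, SECRET)
    print("PAP frame carries the password in clear text:", SECRET in pap)
```

Two details matter for troubleshooting. The Identifier byte is part of the CHAP hash, so a response replayed against a later challenge (different ID, different random value) fails verification; that is why a sniffed CHAP exchange is of no direct use to an attacker on the DSL segment, whereas a sniffed PAP request hands over the password. And because the ISP must hold the secret itself to recompute the hash, CHAP works with the plain password you configured, not with a hash of it.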
Note that the Dialer1 interface is part of dialer group 1. This dialer group controls which Layer-3 protocol traffic may go over the Layer-2 PPP encapsulation (it defines the "interesting" traffic for the dialer). You need to specify which Layer-3 protocols the Dialer1 interface is allowed to pass over PPP; in this case, IP. Following is the setup.
router(config-if)#exit
router(config)#dialer-list 1 protocol ip permit
Another problem you may experience, with many providers making constant changes to their networks, is packet fragmentation caused by PCs whose MTU is set too high for the PPPoE link (PPPoE adds 8 bytes of overhead, so the usable MTU is 1492 rather than 1500). Many people on BBR suggest tweaking the MTU on each machine, but Cisco IOS lets you fix this on the Dialer interface instead: set ip mtu 1492 and clamp the TCP maximum segment size with ip tcp adjust-mss 1452 (1492 minus the 20-byte IP and 20-byte TCP headers), as in the quick guide's sample configuration.
Feel free to read the following
Troubleshooting MTU Size in PPPoE Dialin Connectivity
for additional information about adjusting Maximum Segment Size (MSS) on your equipment.
Now you configure the other Ethernet interface for use as the LAN interface:
router(config)#interface Ethernet0
router(config-if)#description ADSL LAN Interface
When adding the IP address you can use pretty much any private address, as long as the rest of the NAT setup matches. The format is ip address followed by the subnet mask.
router(config-if)#ip address 10.10.10.1 255.255.255.0
router(config-if)#no ip redirects
router(config-if)#no ip unreachables
router(config-if)#no ip proxy-arp
router(config-if)#ip nat inside
router(config-if)#no ip mroute-cache
router(config-if)#no cdp enable
router(config-if)#exit
Now you're done with the actual LAN/WAN setup. The next steps add a few more parts to get everything working.
We add our access-list for NAT (it selects the inside subnet to be translated):
router(config)#access-list 10 permit 10.10.10.0 0.0.0.255
And disable CDP:
router(config)#no cdp run
And add our NAT source list:
router(config)#ip nat inside source list 10 interface Dialer1 overload
Turn on classless (CIDR) routing; this is already the default on recent IOS images:
router(config)#ip classless
And finally add our default route to the Internet. There are two ways of doing so. The preferred way is to let the PPP IPCP negotiation install the default route toward the address the ISP hands out. To do so, enter the following commands.
router(config)#interface Dialer1
router(config-if)#shutdown
router(config-if)#ppp ipcp route default
router(config-if)#no shutdown
router(config-if)#exit
On some IOS images the ppp ipcp route default command is unfortunately not supported. When this applies to you, you must either upgrade to an IOS image that supports the command or use the following static route instead.
router(config)#ip route 0.0.0.0 0.0.0.0 Dialer1
When your router IOS image does support the ppp ipcp commands, the following commands are also suggested under the Dialer1 interface, in addition to ppp ipcp route default:
ppp ipcp dns request accept
ppp ipcp address accept
so that the router receives the ISP DNS server addresses and its WAN IP address through the IPCP phase of PPP. These two commands are not required; the router still works without them (for example with a statically configured ip address and ip name-server), but they let the configuration follow whatever the ISP assigns.
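The exchange behind ppp ipcp address accept and ppp ipcp dns request accept, as an added Python example that is not part of the original FAQ or of any Cisco code: the router sends IPCP Configure-Request options carrying 0.0.0.0, the ISP Configure-Naks them with real values (RFC 1877), the router re-requests with those values, and the ISP Configure-Acks. The ISP side, the addresses (69.33.10.11 and 68.87.64.196/68.87.66.196 are simply reused from elsewhere on this page) and the rejected NBNS option are all constructed; the option encoding and the length checks follow RFC 1332/1877.

```python
"""PPP IPCP option negotiation (RFC 1332, RFC 1877): how a router learns its WAN
address and the ISP DNS servers when `ppp ipcp address accept` and
`ppp ipcp dns request accept` are configured. Added example; the ISP side and all
addresses are constructed, not captured from a real session."""
import struct
import ipaddress

CONFREQ, CONFACK, CONFNAK, CONFREJ = 1, 2, 3, 4
CODE_NAME = {CONFREQ: "CONFREQ", CONFACK: "CONFACK", CONFNAK: "CONFNAK", CONFREJ: "CONFREJ"}
# Option types: 3 = IP-Address (RFC 1332); 129/131 = primary/secondary DNS,
# 130/132 = primary/secondary NBNS (RFC 1877). All carry a 4-byte IPv4 address.
OPT_NAME = {3: "address", 129: "primary_dns", 130: "primary_nbns",
            131: "secondary_dns", 132: "secondary_nbns"}
OPT_TYPE = {name: otype for otype, name in OPT_NAME.items()}
UNSPECIFIED = "0.0.0.0"  # "please assign one": the peer is expected to NAK with a real value


def build(code, ident, options):
    """Encode code, identifier, length, then one 6-byte TLV per option."""
    body = b"".join(struct.pack("!BB4s", OPT_TYPE[name], 6, ipaddress.IPv4Address(value).packed)
                    for name, value in options.items())
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt):
    """Decode an IPCP packet into (code, id, {option: value}); every length is checked
    so a truncated or lying option cannot read past the buffer."""
    if len(pkt) < 4:
        raise ValueError("short IPCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad IPCP length")
    options, off = {}, 4
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen < 2 or off + olen > length:
            raise ValueError("bad option length")
        data = pkt[off + 2:off + olen]
        name = OPT_NAME.get(otype, f"type{otype}")
        options[name] = str(ipaddress.IPv4Address(data)) if len(data) == 4 else data.hex()
        off += olen
    return code, ident, options


def isp_reply(request, assigned):
    """Constructed ISP behaviour: REJ options it does not support, NAK any option whose
    value it wants changed (including 0.0.0.0 placeholders), otherwise ACK."""
    code, ident, options = parse(request)
    if code != CONFREQ:
        raise ValueError("ISP side only answers Configure-Requests here")
    unsupported = {n: v for n, v in options.items() if n not in assigned}
    if unsupported:
        return build(CONFREJ, ident, unsupported)
    wrong = {n: assigned[n] for n, v in options.items() if v != assigned[n]}
    if wrong:
        return build(CONFNAK, ident, wrong)
    return build(CONFACK, ident, options)


def client_negotiate(wanted, assigned, max_rounds=5):
    """Client side: request placeholders, adopt NAKed values, drop REJected options,
    stop at ACK. Returns (learned options, transcript of (id, code, options))."""
    request, transcript = dict(wanted), []
    for ident in range(1, max_rounds + 1):
        code, reply_id, opts = parse(isp_reply(build(CONFREQ, ident, request), assigned))
        if reply_id != ident:
            raise ValueError("reply identifier does not match the outstanding request")
        transcript.append((ident, CODE_NAME[code], opts))
        if code == CONFACK:
            return request, transcript
        if code == CONFNAK:
            request.update(opts)          # accept what the peer proposes
        elif code == CONFREJ:
            for name in opts:
                request.pop(name, None)   # stop asking for what it will not give
    raise RuntimeError("IPCP did not converge")


# Constructed values: what this imaginary ISP hands out (no real assignment)
ISP_ASSIGNS = {"address": "69.33.10.11", "primary_dns": "68.87.64.196",
               "secondary_dns": "68.87.66.196"}
# What the router asks for: address + DNS (and NBNS, which this ISP will reject)
CLIENT_WANTS = {"address": UNSPECIFIED, "primary_dns": UNSPECIFIED,
                "secondary_dns": UNSPECIFIED, "primary_nbns": UNSPECIFIED}

if __name__ == "__main__":
    learned, log = client_negotiate(CLIENT_WANTS, ISP_ASSIGNS)
    for ident, code, opts in log:
        print(f"id={ident} {code:8} {opts}")
    print("learned:", learned)
```

Running it shows three rounds: a Configure-Reject for the NBNS option, a Configure-Nak carrying the real address and DNS servers, then a Configure-Ack. Without the accept keywords the router would instead Nak the ISP's values back, which is the classic "link negotiates forever" symptom when a static address does not match what the ISP wants to assign.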
After setting the default route, you should have a basic connection built and running. You will probably want to add a little more security: set vty, console, and enable passwords (use enable secret rather than enable password, since type 7 passwords are reversible, and restrict vty access to SSH where the image supports it), disable any unnecessary services on the router, and add name servers, time servers, etc.
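A quick way to check that the "little more security" above actually made it into the running-config, as an added Python example that is not part of the original FAQ: it parses a config and flags the common gaps (enable password instead of enable secret, reversible local user passwords, ip http server, the default SNMP community, Telnet on the vty lines, a static NAT that exposes a plaintext service, CDP left on). The two configs inside it are constructed to resemble the samples on this page, with xxxx placeholders instead of real hashes.

```python
"""Audit a Cisco IOS running-config for the basic hardening this FAQ asks for once the
PPPoE link is up. Added example; both configs below are constructed to mirror the
page's samples (placeholders, not real secrets) and are not taken from a real device."""
import re

WEAK_CONFIG = """\
hostname Cisco1720
enable password 7 xxxxxxxx
username admin password 7 xxxxxxxx
ip http server
snmp-server community public RO
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.10 23 interface Dialer0 23
access-list 1 permit any
line con 0
line vty 0 4
 exec-timeout 0 0
 password 7 xxxxxxxx
 login local
 transport input telnet
end
"""

HARDENED_CONFIG = """\
hostname Cisco1720
service password-encryption
enable secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxx
no ip http server
ip http secure-server
no cdp run
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
end
"""


def parse_blocks(text):
    """Return (top-level commands, {block header: [sub-commands]}); IOS marks
    sub-commands of interface/line/router blocks with one leading space."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if re.match(r"(interface|line|router)\b", line) else None
        if current is not None:
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return a list of (severity, finding); an empty list means every check passed."""
    top, blocks = parse_blocks(text)
    findings = []

    def has(pattern):
        return any(re.match(pattern, cmd) for cmd in top)

    if has(r"enable password"):
        findings.append(("HIGH", "enable password is cleartext or reversible type 7; use enable secret"))
    if not has(r"enable secret"):
        findings.append(("HIGH", "no enable secret configured"))
    for cmd in top:
        m = re.match(r"username (\S+) password", cmd)
        if m:
            findings.append(("HIGH", f"user {m.group(1)} has a reversible password; use username ... secret"))
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("HIGH", f"default SNMP community '{m.group(1)}'"))
        m = re.match(r"ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)", cmd)
        if m and m.group(1) in ("23", "80"):
            findings.append(("HIGH", f"static NAT exposes a plaintext service on WAN port {m.group(1)}"))
    if has(r"ip http server"):
        findings.append(("MEDIUM", "ip http server enabled; disable it (ip http secure-server at most)"))
    if has(r"access-list \d+ permit any$"):
        findings.append(("LOW", "NAT access-list permits any source; restrict it to the LAN subnet"))
    if not has(r"no cdp run"):
        findings.append(("LOW", "CDP still enabled globally (no cdp run missing)"))
    for header, subs in blocks.items():
        if not header.startswith("line "):
            continue
        if not any(s.startswith("login") for s in subs):
            findings.append(("HIGH", f"{header}: no login, so no authentication on this line"))
        if "exec-timeout 0 0" in subs:
            findings.append(("MEDIUM", f"{header}: exec-timeout 0 0, idle sessions never expire"))
        if header.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), "transport input all")
            if transport.split()[2:] != ["ssh"]:
                findings.append(("HIGH", f"{header}: {transport}; allow ssh only"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for severity, text in audit(cfg):
            print(f"  [{severity}] {text}")
```

Paste the output of show running-config into WEAK_CONFIG's place to audit a real router; the checks are deliberately string-based so they work on the old 12.x images this page covers as well as on current ones.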
by amethyst1x edited by aryoba  last modified: 2009-10-21 16:22:36

OK, first we are going to start with PPP. Note that users on a DSL line using PPPoE will not be able to use PPP; we will get to that later...
Here is an example configuration for a Cisco 678 DMT.
First we are going to logging in to the command console here are the steps...
1. Connect the cable to the back of the router in the MGNT port and then to the back of your computer to COM 1.
2. Open HyperTerminal and create a new connection, set up as follows: name the connection Cisco, ignore the first three fields, and in the "Connect using" field select COM1. Click OK.
3. Set Bits per second to 38400, Data Bits 8, Parity None, Stop Bits 1, Flow control None. Click OK. Then your HyperTerminal session screen will pop up. Hit Enter.
4. "User Access Verification Password:" is the next thing that appears. If this is a new router, hit Enter. Otherwise enter the password and hit Enter.
5. cbos> appears. Type enable and hit Enter.
6. Enter the exec password and hit Enter, or just hit Enter if this is a new router.
7. cbos# appears. You are now in "Enable" mode and can set up your DSL router!
Here is a list of commands that will get you up and running if your ISP set you up with a dynamic IP address.
set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~   (I use the same password I did above, easier to remember.)
set ppp restart enabled
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 login ( Supplied by your ISP )
set ppp wan0-0 password ( Supplied by your ISP )
set nat enable
set nat timeout udp 3600 ( for online gaming )
set nat timeout icmp 3600 ( for online gaming )
set dhcp server enable
set int wan0-0 disable
write
set int wan0-0 vpi 0 ( Supplied by your ISP )
set int wan0-0 vci 35 ( Supplied by your ISP )
set int wan0-0 enable
set ppp wan0-0 subnet 0.0.0.0
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot
You are finished! Close Hyper Terminal and you should be able to connect to the Internet!
Note: On CBOS 2.4.6 and up you do not have to set web disable, because this vulnerability is addressed... But for double security you can still disable it ;) Also the VPI/VCI vary by ISP, so you might want to call your ISP and ask them what their VPI/VCI is. The one I posted above is for SBC.
Now here are the steps for PPP if you have a Cisco 678 CAP.
1. Connect the cable to the back of the router in the MGNT port and then to the back of your computer to COM 1.
2. Open HyperTerminal and create a new connection, set up as follows: name the connection Cisco, ignore the first three fields, and in the "Connect using" field select COM1. Click OK.
3. Set Bits per second to 38400, Data Bits 8, Parity None, Stop Bits 1, Flow control None. Click OK. Then your HyperTerminal session screen will pop up. Hit Enter.
4. "User Access Verification Password:" is the next thing that appears. If this is a new router, hit Enter. Otherwise enter the password and hit Enter.
5. cbos> appears. Type enable and hit Enter.
6. Enter the exec password and hit Enter, or just hit Enter if this is a new router.
7. cbos# appears. You are now in "Enable" mode and can set up your DSL router!
set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~   (I use the same password I did above, easier to remember.)
set ppp restart enabled
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 login ( Supplied by your ISP )
set ppp wan0-0 password ( Supplied by your ISP )
set nat enable
set nat timeout udp 3600 ( for online gaming )
set nat timeout icmp 3600 ( for online gaming )
set dhcp server enable
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot
You are finished! Close Hyper Terminal and you should be able to connect to the Internet
And you are done :)
Now to bridge mode :) For any DSL ISP that uses PPPoE, this is the only option you have with this modem, because the Cisco 678 does not use PPPoE for authentication. So you will need a router or a hardware firewall to handle the PPPoE for you.
1. Connect the cable to the back of the router in the MGNT port and then to the back of your computer to COM 1.
2. Open HyperTerminal and create a new connection, set up as follows: name the connection Cisco, ignore the first three fields, and in the "Connect using" field select COM1. Click OK.
3. Set Bits per second to 38400, Data Bits 8, Parity None, Stop Bits 1, Flow control None. Click OK. Then your HyperTerminal session screen will pop up. Hit Enter.
4. "User Access Verification Password:" is the next thing that appears. If this is a new router, hit Enter. Otherwise enter the password and hit Enter.
5. cbos> appears. Type enable and hit Enter.
6. Enter the exec password and hit Enter, or just hit Enter if this is a new router.
7. cbos# appears. You are now in "Enable" mode and can set up your DSL router!
set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~   (I use the same password I did above, easier to remember.)
set bridging rfc1483 enable
write
reboot
enable
set client dhcp enable   (or disable if you're going to do DHCP from the firewall)
write
set int wan0-0 disable
write
set int wan0-0 vpi 0 ( Supplied by your ISP )
set int wan0-0 vci 35 ( Supplied by your ISP )
set int wan0-0 enable
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot
You are finished! Close Hyper Terminal and you should be able to connect to the Internet
These will get you going in no time :)
Good Luck.
by XCOM edited by aryoba  last modified: 2005-11-12 07:52:15

The following configuration is courtesy of dh_supreme and may be found in its original format in this thread.
set nvram erase
set password exec (whatever password you desire)
write
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 login (keycode1@msndsl.net here)
set ppp wan0-0 password (keycode2 here)
set dhcp server enable
set nat enable
set int wan0-0 close
set int wan0-0 vpi 0
set int wan0-0 vci 32
set int wan0-0 open
set ppp restart enable
write
reboot

set nat entry delete all
set nat entry add 10.0.0.2 1-22 0.0.0.0 1-22 tcp
set nat entry add 10.0.0.2 1-22 0.0.0.0 1-22 udp
set nat entry add 10.0.0.2 24-65535 0.0.0.0 24-65535 tcp
set nat entry add 10.0.0.2 24-65535 0.0.0.0 24-65535 udp
write
reboot
I set my nat to forward all ports except 23.
I then use the nat in my router to control what ports are open and where they can go.
by Covenant edited by aryoba  last modified: 2005-11-12 07:52:34

Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL internet connections, the ISPs inform their customers (subscribers) to set their router to receive IP address from them using username and password. This means that the ISPs treat their subscriber's router as PPP client.
When this is your case, then the following sample configuration is a good starting point to help you configure the router. If your ISP requires you to use PPPoE for Internet access, the general idea is that you configure the router as PPPoE client to the ISP.
The following sample configuration uses a Cisco 827 running IOS 12.1. Even though the example uses an 827, the configuration applies to any router with an ATM/DSL interface toward the ISP and an Ethernet interface for the LAN.
A typical network environment that might use the following sample router configuration is as follows:
* There is no modem in front of the router
* The router has an integrated DSL/ATM modem, which connects to the ISP
* The ISP assigns the router its Public IP address via PPPoE
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided Public IP address
This sample router configuration assumes the following:
* Ameritech (SBC/AT&T) uses 0/35 as the VPI/VCI, which may not match your ISP's value. Confirm the value with your ISP.
* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* All hosts use the router inside interface IP address as their gateway: 10.10.10.1
* The IP address range 10.10.10.2-10.10.10.254 is available for hosts within your LAN
* When hosts behind the router go out to the Internet, they use the router outside interface IP address (the ISP-assigned Public IP address)
* The router does not act as DHCP server; hence either static IP addresses are required on all hosts, or a separate DHCP server dynamically assigns IP addresses to all hosts
* The outside interface IP address is statically assigned in addition to the PPP configuration. If your ISP assigns the address dynamically, simply issue the ip address negotiated command instead. See the notes below on this specific issue.
Notes:
* This sample configuration assumes that you have a static Public IP address service from the ISP. This static Public IP address is the ip address 69.33.10.11 255.255.255.0 command under the interface Dialer1 configuration
* When you have a dynamic Public IP address service from your ISP, then you should not have the ip address 69.33.10.11 255.255.255.0 command under the interface Dialer1 configuration, nor the ip route 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY IP ADDRESS] command under the global configuration. Instead implement the ip address negotiated and ppp ipcp route default commands under the interface Dialer1 configuration
The sample configuration then should look like the following from the interface Dialer1 down to the end
* Note that the ppp ipcp route default command might not be supported on some IOS images. When this is your case, either upgrade the router IOS image or implement the ip route 0.0.0.0 0.0.0.0 Dialer1 command under the global configuration as a replacement
Without upgrading the IOS image, the sample configuration then should look like the following from the interface Dialer1 down to the end
* Some static Public IP address services do require the ip address negotiated command under the interface Dialer1 configuration and the ip route 0.0.0.0 0.0.0.0 Dialer1 command under the global configuration to make it work. Check out the following FAQ for details
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Preface
Here is a guaranteed working config for anyone using Ameritech ADSL for their circuit provider and Megapath.net for ISP. It took 2 calls to Cisco and weeks of fighting with ISP tech support, but I learned a valuable lesson about ADSL PPPoE specifically.
This is from the mouth of Cisco: "If you have ADSL running PPPoE and run into problems resolving DNS, adjust your MTU on your ethernet interface using the command ip tcp adjust-mss 1452. This is because PPPoE requires more bits in the header packet than any other type of circuit." It was news to me, but the minute we adjusted the MTU all my problems were fixed.
So with that in mind, here is a 100% working config from my 827 ADSL router. Hope this lesson I learned helps someone out in the future!
SAMPLE CONFIGURATION
1. Earlier IOS Version
Thanks to sanchito75 for this post leading to this FAQ.
2. IOS Version 12.4
Note: All PPPoE-related commands from the earlier IOS version also apply to IOS version 12.4. However, only some of those commands will appear in the show running-config output, since in IOS 12.4 some PPPoE commands are no longer needed. The following is the final result of entering the earlier IOS version PPPoE commands on a router running an IOS 12.4 image.
Tips: To find out the DNS IP addresses your ISP hands out for use with ppp ipcp dns request accept, run the debug ppp packet and terminal monitor commands. Watch the scrolling lines during this debug, especially those showing the IP address for the router and the DNS IP addresses. Once you see the DNS IP addresses in one of the scrolling lines, stop the debug and monitoring by issuing the undebug ppp packet and terminal no monitor commands.
by nozero edited by aryoba  last modified: 2009-08-27 10:51:27

Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For many cable and DSL internet connections, the ISPs inform their customers (subscribers) to set their router to receive IP address from them automatically with username and password. This means that the ISPs treat their subscriber's router as PPP client.
When this is your case, the following sample configuration is a good starting point to help you configure the firewall. A typical network environment that might use the following sample PIX/ASA configuration is as follows:
* There is a modem in front of the PIX/ASA, and the modem connects to the ISP
* The ISP provides the Public IP address to the PIX/ASA via PPPoE
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided Public IP address
* The PIX/ASA also acts as DHCP server for the local LAN, providing dynamic IP information to hosts behind the PIX/ASA
This sample PIX/ASA configuration assumes the following:
* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All hosts use the PIX/ASA inside interface IP address as their gateway: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available for the DHCP pool
* The IP address range 10.0.0.2-10.0.0.29 is consequently reserved for statically-assigned hosts
* DHCP clients also receive the DNS server addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP address assignment
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (the ISP-assigned Public IP address)
* Only the necessary ICMP types from the Internet (echo-reply, unreachable and time-exceeded: icmp-object 0, 3 and 11 in the ICMP-INBOUND object-group) are permitted to enter your LAN, so that ping replies, Path MTU Discovery and traceroute keep working without accepting inbound echo requests
SAMPLE CONFIGURATION
1. PIX
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (or PAP, depends on your ISP settings)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

Note: the snmp-server community public line is the PIX 6.3 default and has nothing to do with the PPPoE setup; change it to a non-default string (or remove SNMP altogether) before the firewall goes on the Internet.
2. ASA
hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (or PAP, depends on your ISP settings)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
prompt hostname context

Note: the webvpn / enable outside lines expose the SSL VPN portal on the Internet-facing interface; they are not needed for PPPoE, so remove them unless you actually use WebVPN.
MTU Setting Notes:
* A typical Ethernet connection uses a 1500-byte MTU
* PPPoE adds 8 bytes of overhead (a 6-byte PPPoE header plus the 2-byte PPP protocol field), so only 1492 bytes are left for the IP packet
* The PPPoE process takes place on the outside interface, where the PIX/ASA connects to the ISP
* There is just a regular Ethernet connection on the inside interface, where the PIX/ASA connects to the inside LAN
* The 1492-byte MTU should therefore be set only on the outside interface; keep the 1500-byte MTU on the inside interface
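What the 1492-byte outside MTU above, the Cisco advice quoted in the Preface (ip tcp adjust-mss 1452) and the MSS discussion in the first walkthrough all come down to, as an added Python example that is not part of the original FAQ or of any Cisco code: it computes the PPPoE MSS (1500 - 8 - 20 - 20 = 1452), then rewrites the MSS option of a TCP SYN that advertises 1460 and fixes the TCP checksum, which is the clamping the router performs so hosts never send full-size segments that would need fragmentation (or be silently dropped when DF is set) on the PPPoE link. The SYN packet and the addresses in it (10.10.10.5 and 198.51.100.10) are constructed, not captured.

```python
"""TCP MSS clamping for a PPPoE link (what `ip tcp adjust-mss 1452` does on IOS).
Added example; the SYN packet below is constructed, not captured from a network."""
import struct
import ipaddress

PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HDR, TCP_HDR = 20, 20  # minimal headers, no options


def pppoe_mss(link_mtu=1500, overhead=PPPOE_OVERHEAD):
    """Largest TCP payload that fits one Ethernet frame on the PPPoE side: 1452 for 1500."""
    return link_mtu - overhead - IPV4_HDR - TCP_HDR


def _checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src, dst, segment):
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _checksum(pseudo + segment)


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN advertising `mss`, with valid IP and TCP checksums."""
    src, dst = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"  # MSS, NOP, NOP, SACK-OK
    doff = (TCP_HDR + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def _tcp_options(tcp, doff):
    """Yield (offset, kind, length) for each TCP option, refusing to walk past the header."""
    i = TCP_HDR
    while i < doff:
        kind = tcp[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2 or i + tcp[i + 1] > doff:
            raise ValueError("malformed TCP option")
        yield i, kind, tcp[i + 1]
        i += tcp[i + 1]


def read_mss(packet):
    """Return the MSS option of a TCP segment, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    for off, kind, length in _tcp_options(tcp, doff):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def tcp_checksum_ok(packet):
    """A correct TCP checksum verifies to zero when recomputed over the whole segment."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet, max_mss):
    """Rewrite the MSS option of a SYN or SYN-ACK if it exceeds max_mss and fix the TCP
    checksum. Returns (packet, original_mss); non-SYN or conforming packets pass untouched."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return packet, None
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:
        return packet, None
    doff = (tcp[12] >> 4) * 4
    for off, kind, length in _tcp_options(tcp, doff):
        if kind == 2 and length == 4:
            old = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if old <= max_mss:
                return packet, old
            tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
            tcp[16:18] = b"\x00\x00"
            tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
            return packet[:ihl] + bytes(tcp), old
    return packet, None


if __name__ == "__main__":
    syn = build_syn("10.10.10.5", "198.51.100.10", 40000, 80, 1460)
    clamped, old = clamp_mss(syn, pppoe_mss())
    print(f"MSS {old} -> {read_mss(clamped)}, checksum ok: {tcp_checksum_ok(clamped)}")
```

Only SYN and SYN-ACK segments carry the MSS option, which is why the router can do this statelessly in both directions and why it helps TCP only; UDP and tunnelled traffic still need the 1492-byte MTU and working ICMP unreachables (hence the ICMP types the firewall configs above let back in).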
Field Notices:
* A PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside" (e.g. "ext"). To execute this command, rename the interface to "outside" (with the nameif command), then issue the "ip address outside pppoe" command.
by aryoba  last modified: 2008-12-23 08:49:33

Note: the steps here are only for the purpose of getting connected to your ISP. Other issues like security and features are not included. Items in brackets are where you enter your details; you will need to edit them for your use.
PPPoA

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no ip http server
Router(config)#interface ethernet 0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface dialer 0

If you are assigned a static IP by your ISP, then enter this command:
Router(config-if)#ip address [YOUR IP ADDRESS ASSIGNED BY ISP] [SUBNET MASK]

If you are assigned a dynamic IP address by your ISP, then enter this command instead:
Router(config-if)#ip address negotiated

Continue with the rest of the commands:
Router(config-if)#ip nat outside
Router(config-if)#encapsulation ppp
Router(config-if)#dialer pool 1
Router(config-if)#dialer-group 1
Router(config-if)#ppp pap sent-username [ISP USERNAME] password [ISP PASSWORD]
Router(config-if)#exit
Router(config)#dialer-list 1 protocol ip permit
Router(config)#interface atm 0
Router(config-if)#pvc [VPI/VCI]
Router(config-if-atm-vc)#encapsulation aal5mux ppp dialer
Router(config-if-atm-vc)#dialer pool-member 1
Router(config-if-atm-vc)#exit
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip nat inside source list 1 interface dialer 0 overload

If you are assigned a static IP by your ISP, then enter this command:
Router(config)#ip route 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY IP ADDRESS]

If you are assigned a dynamic IP address by your ISP, then enter this command instead:
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer 0

Continue with the rest of the commands:
Router(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
PPPoE

Configuration for PPPoE with NAT
Note: the steps here are only for the purpose of getting connected with your ISP. Other issues like security and features are not included. Items in brackets are where you enter your details.

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no ip http server
Router(config)#vpdn enable
Router(config)#vpdn-group pppoe
Router(config-vpdn)#request-dialin
Router(config-vpdn-req-in)#protocol pppoe
Router(config-vpdn-req-in)#exit
Router(config-vpdn)#exit
Router(config)#interface ethernet0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface atm0
Router(config-if)#no shutdown
Router(config-if)#pvc [VPI/VCI]
Router(config-if-atm-vc)#pppoe-client dial-pool-number 1
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#interface dialer 1

If you are assigned a static IP by your ISP, then enter this command:
Router(config-if)#ip address [YOUR IP ADDRESS ASSIGNED BY ISP] [SUBNET MASK]

If you are assigned a dynamic IP address by your ISP, then enter this command instead:
Router(config-if)#ip address negotiated

Continue with the rest of the commands:
Router(config-if)#ip mtu 1492
Router(config-if)#ip nat outside
Router(config-if)#encapsulation ppp
Router(config-if)#dialer pool 1
Router(config-if)#dialer-group 1
Router(config-if)#ppp authentication pap callin
Router(config-if)#ppp pap sent-username [ISP USERNAME] password [ISP PASSWORD]
Router(config-if)#exit
Router(config)#dialer-list 1 protocol ip permit
Router(config)#ip nat inside source list 1 interface dialer 1 overload
Router(config)#ip classless

If you are assigned a static IP by your ISP, then enter this command:
Router(config)#ip route 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY IP ADDRESS]

If you are assigned a dynamic IP address by your ISP, then enter this command instead:
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer 1

Continue with the rest of the commands:
Router(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
This FAQ provided by member sanchito75 
by nozero edited by aryoba  last modified: 2007-12-31 09:07:06

Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
Here is a working configuration for a Cisco 1720 router for a UK ADSL ISP as PPPoA client. The 1720 is fitted with 48MB DRAM/16MB FLASH and running IOS 12.3(1).
It also has, obviously, a WIC-1ADSL module and a WIC-2T (not currently used).
The configuration also includes an example of how to build 3 GRE tunnels to remote sites and how to synchronize the router clock with an NTP time source.
I hope someone will find this of use.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1720
!
enable password 7 xxxxxxxx
!
username xxxxxxx@dslgateb.xxxxxxxx.co.uk password 7 xxxxxxxx
username xxxxxxx password 7 xxxxxxx
memory-size iomem 25
ip subnet-zero
!
!
ip name-server 193.xxx.xxx.xxx
ip name-server 194.xxx.xxx.xxx
ip name-server 194.xxx.xxx.xxx
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
xsm
xsm vdm
xsm edm
xsm history vdm
xsm history edm
!
interface Loopback0
 description +++ Always Up Interface +++
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel0
 description +++ IP GRE VPN TO Office1 +++
 ip address 192.168.xxx.2 255.255.255.252
 tunnel source 213.xxx.xxx.76
 tunnel destination 213.xxx.xxx.114
 tunnel key 123abc
!
interface Tunnel1
 description ++++ IP GRE VPN To Office2 ++++
 ip address 192.168.xxx.9 255.255.255.252
 tunnel source 213.xxx.xxx.76
 tunnel destination 213.xxx.xxx.113
 tunnel key 123abc
!
interface Tunnel2
 description ++++ IP GRE VPN To Office3 ++++
 ip address 192.xxx.xxx.13 255.255.255.252
 tunnel source 213.xxx.xxx.76
 tunnel destination 80.xxx.xxx.xxx
 tunnel key 123abc
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet0
 description +++ Connection To LAN +++
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface Dialer0
 description +++ Connection To ISP ADSL +++
 ip address 213.xxx.xxx.76 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxx@dslgateb.xxxxxxx.co.uk
 ppp chap password 7 xxxxxxxx
 ppp pap sent-username xxxxxxx@dslgateb.xxxxxxx.co.uk password 7 xxxxxxx
!
router eigrp 1
 redistribute connected
 network 10.0.0.0
 network 192.168.xxx.0
 network 192.168.xxx.0
 network 213.xxx.xxx.0
 no auto-summary
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.10 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.10 23 interface Dialer0 23
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 permit any
!
banner motd ^C

****************************
*      WARNING BANNER      *
****************************

WARNING - authorized users only

The owner and any subsidiary companies, has proprietary rights over this system and data. Unauthorized access is unlawful and may result in disciplinary action and/or legal proceedings.

Access to this system is monitored.
^C
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 xxxxxxx
 login local
 transport input telnet
!
ntp clock-period 17179651
ntp server 128.2.129.21
!
end

Cisco1720#
by Domwilko edited by aryoba  last modified: 2007-12-31 09:25:23

The sample configuration provided in the thread should work with any Cisco router with an integrated ADSL modem running PPPoA, such as the 827, 837, 857, 877, and so on.
Since the configuration comes from a customer of the UK ISP Zen, some parameters might not work for your ISP (e.g. the VPI/VCI or PVC value). As with any ISP connection using ADSL, please confirm the ISP DSL signaling and VPI/VCI values.
More Sample Configuration
Configuring a Cisco 827 Router Using PPPoA With CHAP and PAP http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a008009411c.shtml
Some discussion »Anyone successfully using a Cisco 877 with Qwest?
Tips: To find out the DNS IP addresses your ISP hands out for use with ppp ipcp dns request accept, run the debug ppp packet and terminal monitor commands. Watch the scrolling lines during this debug, especially those showing the IP address for the router and the DNS IP addresses. Once you see the DNS IP addresses in one of the scrolling lines, stop the debug and monitoring by issuing the undebug ppp packet and terminal no monitor commands.
by aryoba  last modified: 2009-08-27 10:51:58

Please note this is taken from the Cisco website and can be found in its original form at Cisco DSL Router - PPPoA with a Dynamic IP Address.
Also note that the comments tagged "!!" are comments appended by myself and in no way constitute comments made by Cisco. The person who posted this is not liable for any network problems or any damage caused by configuring their router to the following specification. If in doubt, ask the Cisco forum for advice.
Type exactly as shown (except the comments, which are shown with a preceding "!" or "!!").
Substitute the items in () with your own configuration.
!--- Comments contain explanations and additional information.
!!-- Comments contain explanations and additional information.
service timestamps debug datetime msec
service timestamps log datetime msec
ip subnet-zero
!
ip dhcp excluded-address (ip address of ethernet0)
ip dhcp pool (dhcp pool name)
 network (ip network address of ethernet0) (subnet mask)
 default-router (ip address of ethernet0)
 dns-server (ip address of dns server)
!
!! The DHCP configuration above is optional and it allows your router to assign
!! ip addresses within the specified range that you input. If you have a server
!! on the network which will do that, then omit it. Note that within the ip
!! dhcp excluded-address you may also put the ip address of your switch
!! and other devices which require a static ip address.
!! A network address is the network portion of an IP address, e.g. for a class C
!! ip address of 192.168.1.1 it would be 192.168.1.0.
!! Add the DNS servers of your ISP (ring them or check their website to get them)
!! and you may put in a whole list if you so desire as they are sure to have
!! many.

interface ethernet0
 no shut
 ip address (ip address) (subnet mask)
 ip nat inside
 no ip directed-broadcast
!
!! The ip nat inside statement above is optional and it allows
!! the sharing of the dynamic public IP address of the Dialer interface.

interface atm0
 no shut
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 pvc (vpi/vci)
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.
!
interface dialer1
 ip address negotiated
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname (username)
 ppp chap password (password)
 ppp pap sent-username (username) password (password)
!
!! Again only input the statement ip nat outside above if you
!! want to configure NAT.

ip nat inside source list 1 interface dialer1 overload
!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload
!--- with the following two configuration statements:
!--- ip nat inside source list 1 pool (nat pool name) overload
!--- ip nat pool (nat pool name) (first ip address) (last ip address)
!--- netmask (subnet mask)

!--- If Internet users require access to an internal server, you can
!--- add the following static NAT configuration statement:
!--- ip nat inside source static tcp (inside ip address of server) {80 or 25}
!--- (outside well-known ip address of server) {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.
!
!! Again use the above 3 paragraphs of configuration statements if you want to
!! configure NAT because your ISP has provided you with additional IP addresses
!! and if you want users to have access to internal servers (web or email
!! servers).

ip classless
ip route 0.0.0.0 0.0.0.0 dialer1
access-list 1 permit (ip network address of ethernet0) (wildcard mask)
!--- In this configuration, access-list 1 defines a standard access list
!--- permitting the addresses that NAT will translate. For example, if
!--- your private IP network was 10.10.10.0, configuring
!--- access-list 1 permit 10.10.10.0 0.0.0.255 would allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.
!
end
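The comments above explain three things a reader has to compute by hand before filling in the () placeholders: the network address of the ethernet0 subnet, the wildcard mask that access-list 1 needs, and which source addresses that access list will hand to NAT. The following Python script is an added example, not part of the FAQ, that does those computations and then evaluates a standard access list the way IOS does (top to bottom, first match wins, implicit deny at the end). The sample values (192.168.1.1/24 on ethernet0, a pool named LANPOOL, a switch at 192.168.1.2 that keeps a fixed address) are constructed for the example.

```python
import ipaddress

# Constructed sample values standing in for the "( )" placeholders in the
# configuration above; they are not from the original FAQ.
ETHERNET0_IP = "192.168.1.1"
ETHERNET0_MASK = "255.255.255.0"
DHCP_POOL_NAME = "LANPOOL"       # hypothetical pool name
STATIC_HOSTS = ["192.168.1.2"]   # e.g. a managed switch that must keep a fixed address


def network_address(ip: str, mask: str) -> str:
    """Network portion of an address: 192.168.1.1 with 255.255.255.0 -> 192.168.1.0."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.network_address)


def wildcard_mask(mask: str) -> str:
    """IOS access lists take the inverted subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").hostmask)


def render_lan_lines(ip: str, mask: str, pool_name: str, static_hosts) -> list:
    """Render the LAN-side statements of the sample with the placeholders filled in."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    lines = [f"ip dhcp excluded-address {ip}"]
    # Every host that keeps a static address is excluded so DHCP never hands it out.
    lines += [f"ip dhcp excluded-address {h}" for h in static_hosts]
    lines += [
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {ip}",
        f"access-list 1 permit {net.network_address} {net.hostmask}",
    ]
    return lines


def acl_match(acl_address: str, acl_wildcard: str, source: str) -> bool:
    """Standard-ACL comparison: every bit that is 0 in the wildcard must agree."""
    base = int(ipaddress.IPv4Address(acl_address))
    wc = int(ipaddress.IPv4Address(acl_wildcard))
    src = int(ipaddress.IPv4Address(source))
    care = ~wc & 0xFFFFFFFF
    return (src & care) == (base & care)


def nat_translates(source: str, acl) -> bool:
    """Walk access-list 1 top to bottom; the first matching entry decides.

    acl is a list of (action, address, wildcard). A source that no entry matches
    hits the implicit deny: NAT leaves it alone and the packet leaves the dialer
    with its private source address, which the ISP will drop.
    """
    for action, address, wildcard in acl:
        if acl_match(address, wildcard, source):
            return action == "permit"
    return False


if __name__ == "__main__":
    for line in render_lan_lines(ETHERNET0_IP, ETHERNET0_MASK, DHCP_POOL_NAME, STATIC_HOSTS):
        print(line)
    acl1 = [("permit", "10.10.10.0", "0.0.0.255")]
    for src in ("10.10.10.37", "10.10.11.37"):
        print(src, "translated" if nat_translates(src, acl1) else "NOT translated")
```

The `nat_translates` helper also takes deny entries, so you can check what happens when a host is excluded from translation (for instance a server that is reached through its own static NAT entry) before committing the change on the router.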
by Covenant edited by aryoba, last modified: 2009-01-13 14:35:22

For the splash page for PPPoE: PPPoE Online Form
There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details required from your ISP.
Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.
On the next page, you must choose from the two options, whether your router OR PC will be the PPPoE client.
Click on the relevant link.
Cisco DSL Router is the PPPoE Client
If you click on The Cisco DSL Router is the PPPoE client, you will be taken to another page, which asks you whether your IP is dynamic or static.
Click on the relevant link and you will be taken to the page that you requested.
If you have not configured a Cisco router before, click on the last word in the sentence. Note that the link here is NOT active; it's only to show you the sentence:
The above link can usually be found in the second paragraph after the hard rule at the top.
The PC is the PPPoE client
If you clicked on The PC is the PPPoE client, you will be taken to the configuration page straight away.
To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.
For the splash page for PPPoA: PPPoA Online Form
There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.
Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.
You will be taken to another page, which asks you whether your IP is dynamic or static.
Click on the relevant link, and it will take you to a sample configuration output.
To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.
For the splash page for RFC1483 Bridging: RFC1483 Bridging Implementations
You must select one of the Bridging options on show before you can proceed further.
RFC1483 Bridging with IRB
There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.
Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.
You will be taken to another page, which asks you whether your IP is dynamic or static.
Click on the relevant link, and it will take you to a sample configuration output.
To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.
RFC1483 Pure Bridging
There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.
It will take you to a sample configuration output.
To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.
For the splash page for RFC1483 Routing: RFC1483 Routing Online Form
The splash page for RFC1483 Routing is the online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.
Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.
You will be taken to another page, which asks you whether you are assigned a single IP address or a block of static IP addresses.
Click on the relevant link, and it will take you to a sample configuration output.
To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.
TROUBLESHOOTING: To troubleshoot your existing configuration, go to the relevant splash screen and you will find a link called Troubleshooting my existing DSL connection under the link titled New DSL Configuration.
Alternatively, follow the link New DSL Configuration and, when you reach the configuration example output page, scroll down and click on the Troubleshooting ? link, where the ? is the name of the configuration example you have chosen.
By: Rhodium_UK and LoneBandit
The person(s) who posted this FAQ is/are not liable for any network problems or any damage caused by configuring their router to the following specification. If in doubt, ask the Cisco forum/TAC for any advice.
by Covenant edited by aryoba, last modified: 2009-01-13 14:51:02

Here is a simple PPPoE configuration I had created for a friend using a Cisco 806. I believe the ISP was Earthlink, but I don't remember for sure.
!
! Last configuration change at 22:55:44 EST Sun Feb 10 2002
! NVRAM config last updated at 22:55:55 EST Sun Feb 10 2002
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot system flash:c806-k9osy6-mz.122-4.YA.bin
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip dhcp excluded-address 10.1.1.1
!
ip dhcp pool LOCALPOOL
   import all
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group office
 request-dialin
  protocol pppoe
!
!
interface Ethernet0
 description Inside interface facing private network
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1492
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description Outside interface talking PPPoE
 no ip address
 ip nat outside
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username password 7
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.1.1.0 0.0.0.255 log
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
route-map nonat permit 10
 match ip address 102
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 password 7
 login
!
scheduler max-task-time 5000
ntp clock-period 17176001
ntp server
end
by PA23 edited by aryoba, last modified: 2005-11-12 07:54:06

Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For some broadband Internet connections such as cable and DSL, and for business-grade Internet connections using T1/E1 or faster circuits, the ISP instructs its customers (subscribers) to configure a specific IP address on their router. This means that the subscriber's router uses a static IP address to connect to the Internet.
When this is your case, the following sample configuration is a good starting point for configuring the router. It is a fairly secure sample configuration running on a 1605r model; however, it may be implemented on any router that has at least two Ethernet ports.
This sample configuration really works best with a static IP. There are xxx's, which are your given IP. There are yyy's, which are your given subnet. If you have any questions about this, please feel free to contact me at bradley.walter@verizon.net.
A typical network environment that might use the following sample router configuration is as follows:
* There is a modem in front of the router, and the modem connects to the ISP
* The ISP provides a Public IP address to the router statically
* There is NAT/PAT in place on the router to translate internal IP addresses to the ISP-provided Public IP address
This sample router configuration assumes the following:
* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24
* All of the hosts' gateway is the router inside interface IP address: 192.168.1.1
* The IP address range 192.168.1.2-192.168.1.254 is available for hosts within your LAN
* When hosts behind the router go out to the Internet, they use the router outside interface IP address (which is the ISP-assigned Public IP address)
SAMPLE CONFIGURATION
foo-gw#show running-config
Building configuration...

Current configuration:
!
version 12.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Router
!
logging buffered 16000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxxxxxx
!sets user login to "admin".
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip finger
no ip bootp server
no ip domain-lookup
ip domain-name foo.com
!change these four lines to fit your needs
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
clock timezone GMT 0
!
!
!
interface Ethernet0
 description Connection to internet.
 ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 !IP and Subnet
 ip access-group 115 in
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no cdp enable
!
interface Ethernet1
 description Connection to Lan.
 ip address 192.168.1.1 255.255.255.0
 ip access-group 116 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
!
!the next three lines are a few port maps to show you how to map external ports to
!internal servers; here, mail is mapped to the mail server and web is mapped to the web server.
!
ip nat inside source static tcp 192.168.1.160 110 24.229.10.4 110 extendable
ip nat inside source static tcp 192.168.1.160 25 24.229.10.4 25 extendable
ip nat inside source static tcp 192.168.1.150 80 24.229.10.4 80 extendable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 115 deny ip xxx.xxx.xxx.0 0.0.0.63 any
access-list 115 deny ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip any host 24.229.10.63
access-list 115 deny ip any host 24.229.10.0
access-list 115 deny tcp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 1023
access-list 115 deny tcp any any range 1025 1029
access-list 115 deny tcp any any range 1433 1434
access-list 115 deny tcp any any eq 2745
access-list 115 deny tcp any any eq 3127
access-list 115 deny tcp any any eq 5554
access-list 115 deny tcp any any eq 6129
access-list 115 deny tcp any any eq 9898
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq 445
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any redirect
access-list 115 deny icmp any any mask-request
access-list 115 permit ip any xxx.xxx.xxx.0 0.0.0.63
access-list 115 permit icmp any xxx.xxx.xxx.0 0.0.0.63
access-list 116 deny ip host 192.168.1.1 host 192.168.1.1
access-list 116 deny ip 10.0.0.0 0.255.255.255 any
access-list 116 deny ip 172.16.0.0 0.15.255.255 any
access-list 116 deny ip 192.0.2.0 0.0.0.255 any
access-list 116 deny ip 169.254.0.0 0.0.255.255 any
access-list 116 deny ip any 10.0.0.0 0.255.255.255
access-list 116 deny ip any 172.16.0.0 0.15.255.255
access-list 116 deny ip any 192.0.2.0 0.0.0.255
access-list 116 deny ip any 169.254.0.0 0.0.255.255
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 116 deny icmp 192.168.1.0 0.0.0.255 any
access-list 116 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
banner motd ^C
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
^C
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxxx
 transport input telnet
!
end
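Access list 115 above is an ingress filter: it drops packets arriving from the Internet that claim a source inside your own block or a private/reserved range (spoofing), drops a list of Windows and worm-era ports, drops inbound echo/redirect/mask-request ICMP, and only then permits traffic addressed to the public /26. Because IOS evaluates an access list top to bottom and stops at the first match, the order of those lines is what makes the filter work: if the final permit came first, nothing after it would ever fire. The script below is an added example, not from the FAQ, that parses the subset of extended-ACL syntax used in ACL 115 and evaluates constructed inbound packets against it, reporting which line fired. It assumes 203.0.113.0/26 (a documentation range) in place of the xxx.xxx.xxx.0 block, and 198.51.100.7 as an arbitrary Internet host; the IOS port and ICMP keyword values it resolves (netbios-ns 137, netbios-ss 139, echo 8, redirect 5, mask-request 17) are the standard assignments.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Keyword values IOS accepts in place of numbers (standard IANA assignments).
NAMED_PORTS = {"netbios-ns": 137, "netbios-ss": 139}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "redirect": 5, "mask-request": 17}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]              # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    ports: Optional[Tuple[int, int]] = None   # destination port range, tcp/udp only
    icmp_type: Optional[int] = None


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wc), i + 2


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N deny|permit proto src dst [eq P|range A B|icmp-type]' line."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    rest = t[i:]
    e = Entry(action, proto, src, dst)
    if proto in ("tcp", "udp") and rest:
        if rest[0] == "eq":
            e.ports = (_port(rest[1]), _port(rest[1]))
        elif rest[0] == "range":
            e.ports = (_port(rest[1]), _port(rest[2]))
    elif proto == "icmp" and rest:
        e.icmp_type = ICMP_TYPES[rest[0]]
    return e


def _in(spec, ip: str) -> bool:
    base, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:   # 'ip' matches every protocol
        return False
    if not _in(e.src, pkt["src"]) or not _in(e.dst, pkt["dst"]):
        return False
    if e.ports and not (e.ports[0] <= pkt.get("dport", -1) <= e.ports[1]):
        return False
    if e.icmp_type is not None and pkt.get("icmp_type") != e.icmp_type:
        return False
    return True


def evaluate(acl, pkt: dict):
    """Return (verdict, index of the entry that fired); index None means the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, pkt):
            return e.action, i
    return "deny", None


# Constructed excerpt of ACL 115 with 203.0.113.0/26 standing in for xxx.xxx.xxx.0/26.
ACL_115 = [parse_entry(line) for line in """
access-list 115 deny ip 203.0.113.0 0.0.0.63 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any range 1025 1029
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any redirect
access-list 115 permit ip any 203.0.113.0 0.0.0.63
access-list 115 permit icmp any 203.0.113.0 0.0.0.63
""".strip().splitlines()]

# Constructed inbound packets as the outside interface would see them.
SAMPLE_PACKETS = {
    "spoofed rfc1918 source": {"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.4", "dport": 80},
    "spoofed own block":      {"proto": "tcp", "src": "203.0.113.9", "dst": "203.0.113.4", "dport": 80},
    "smb to web server":      {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.4", "dport": 445},
    "http to web server":     {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.4", "dport": 80},
    "ping":                   {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.4", "icmp_type": 8},
    "ping reply":             {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.4", "icmp_type": 0},
    "http outside our block": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.70", "dport": 80},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:24s} -> {evaluate(ACL_115, pkt)}")
```

Swapping the order of the list (putting the `permit ip any ...` line first) and re-running the same packets shows the port and ICMP denies silently stop applying, which is the check worth doing before editing a filter like this on a live router.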
Some discussion »Ok setting up a 2801 NAT problem
by sortofageek edited by aryoba, last modified: 2009-09-25 08:53:01

Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For some broadband Internet connections such as cable and DSL, and for business-grade Internet connections using T1/E1 or faster circuits, the ISP instructs its customers (subscribers) to configure a specific IP address on their firewall. This means that the subscriber's firewall uses a static IP address to connect to the Internet.
When this is your case, the following sample configuration is a good starting point for configuring the firewall. A typical network environment that might use the following sample PIX/ASA configuration is as follows:
* There is a modem in front of the PIX/ASA, and the modem connects to the ISP
* The ISP provides a Public IP address to the PIX/ASA statically
* There is NAT/PAT in place on the PIX/ASA to translate internal IP addresses to the ISP-provided Public IP address
* The PIX/ASA also acts as DHCP server for the local LAN, providing dynamic IP information to hosts behind the PIX/ASA
This sample PIX/ASA configuration assumes the following:
* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All of the hosts' gateway is the PIX/ASA inside interface IP address: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to DHCP clients
* Consequently, the IP address range 10.0.0.2-10.0.0.29 is reserved for statically-assigned hosts
* The DHCP clients also receive the DNS server addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP assignment
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (which is the ISP-assigned Public IP address)
* Necessary ICMP packets coming from the Internet (echo-reply, unreachable and time-exceeded, types 0, 3 and 11) are permitted to enter your LAN
SAMPLE CONFIGURATION
Assuming you receive a static IP address from ISP as 1.1.1.2 and the ISP default gateway is 1.1.1.1; here is the sample configuration.
1. PIX
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
  icmp-object 0
  icmp-object 3
  icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
2. ASA
hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
prompt hostname context
Note: Should you decide to run Internet-accessible servers behind the PIX/ASA, you can check out the following FAQ for sample configurations. »Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)
by aryoba, last modified: 2008-12-11 08:57:14

With a dedicated Internet connection (i.e. T1/E1 or DS3/E3) and with some xDSL plans, you may receive two different subnets from your ISP. One is for the WAN connection between your network and the ISP.
In a dedicated Internet connection plan using a T1/E1 or faster circuit, the WAN subnet is typically a /30 network, since the circuit is point-to-point. Note that it is possible for the WAN subnet to be larger than /30, especially with an xDSL plan.
The other subnet you receive from the ISP is your Public IP Block. This block could be a /29, /28, or /27 network, depending on which plan or subnet you choose.
There will be a router that connects to your ISP. This router has two Layer-3 interfaces. One interface should face your ISP and another interface should face your network.
You plan to have a Private network that uses Private IP addresses (i.e. 10.0.0.0/24, 172.16.1.0/24, or 192.168.4.0/24). Therefore there must be NAT/PAT in place within your network between the Private IP addresses and the Public IP Block assigned by your ISP.
Your objective is to find a suitable network setup using the IP blocks you receive from your ISP. You have several scenarios to choose from when setting up such a network.
For the sake of discussion, let's say you have the following subnets from your ISP:
WAN IP Subnet: 1.1.1.0/30, where you have 1.1.1.2/30 for your WAN IP address and 1.1.1.1/30 as the ISP gateway
Public IP Block: 2.2.2.0/24
and you plan to use 192.168.0.0/24 as your Private subnet. Following are the scenarios.
Scenario 1: The router does NAT/PAT
In this scenario, there is a switch behind the router to connect to the Private LAN. The router inside (E0/0) interface is within the Private LAN, which also serves as default gateway to all hosts within the Private LAN.
You set the router to assign 2.2.2.1 as the Public PAT IP address to all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and VPN Concentrator.
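Scenario 1 describes the two translation mechanisms the samples earlier on this page configure: PAT ("ip nat inside source list 1 interface ... overload"), where every LAN host shares 2.2.2.1 and is told apart by port, and static NAT ("ip nat inside source static tcp ... extendable") for a server that needs its own public address. The Python model below is an added example, not code from the FAQ, that shows how the resulting translation table behaves: which outbound flows are translated at all (only sources access-list 1 permits), how two hosts using the same source port end up with different outside ports, and why an unsolicited inbound packet with no table entry is dropped. It assumes the Scenario 1 addresses (2.2.2.1 as the PAT address, 192.168.0.0/24 as the private LAN) plus a constructed static mapping of 2.2.2.2 port 80 to a hypothetical internal web server 192.168.0.10; the port-allocation policy is a simplification of what IOS does.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PatTable:
    """Model of 'ip nat inside source list 1 interface <outside> overload' plus
    'ip nat inside source static <proto> ... extendable' entries.
    Port allocation is a simplification: keep the inside port when free, else
    take the next free port above 1023 (real IOS behaviour is more involved)."""
    outside_ip: str                              # the PAT address, 2.2.2.1 in Scenario 1
    inside_net: ipaddress.IPv4Network            # what access-list 1 permits
    static: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    sessions: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    reverse: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_static(self, proto: str, inside_ip: str, inside_port: int,
                   public_ip: str, public_port: int) -> None:
        """ip nat inside source static <proto> inside_ip inside_port public_ip public_port extendable"""
        self.static[(proto, public_ip, public_port)] = (inside_ip, inside_port)

    def _free(self, proto: str, port: int) -> bool:
        # A PAT port must not collide with a live session or a static entry on the PAT address.
        return ((proto, port) not in self.reverse
                and (proto, self.outside_ip, port) not in self.static)

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside. Returns the translated (ip, port), or None when
        access-list 1 does not permit the source and NAT leaves the packet alone."""
        if ipaddress.IPv4Address(src_ip) not in self.inside_net:
            return None
        key = (proto, src_ip, src_port)
        if key not in self.sessions:
            port = src_port if self._free(proto, src_port) else 1024
            while not self._free(proto, port):
                port += 1
            self.sessions[key] = port
            self.reverse[(proto, port)] = (src_ip, src_port)
        return (self.outside_ip, self.sessions[key])

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside. Static mappings first, then ports opened by an inside
        host's own session; anything else has no translation and is dropped."""
        if (proto, dst_ip, dst_port) in self.static:
            return self.static[(proto, dst_ip, dst_port)]
        if dst_ip == self.outside_ip and (proto, dst_port) in self.reverse:
            return self.reverse[(proto, dst_port)]
        return None


def scenario_one() -> PatTable:
    """Scenario 1 table: PAT on 2.2.2.1 for 192.168.0.0/24, plus a constructed
    static entry publishing a hypothetical web server 192.168.0.10 on 2.2.2.2."""
    t = PatTable("2.2.2.1", ipaddress.IPv4Network("192.168.0.0/24"))
    t.add_static("tcp", "192.168.0.10", 80, "2.2.2.2", 80)
    return t


if __name__ == "__main__":
    t = scenario_one()
    print("host A out :", t.outbound("tcp", "192.168.0.5", 5000))
    print("host B out :", t.outbound("tcp", "192.168.0.6", 5000))   # same inside port, new outside port
    print("reply to B :", t.inbound("tcp", "2.2.2.1", 1024))
    print("web server :", t.inbound("tcp", "2.2.2.2", 80))
    print("unsolicited:", t.inbound("tcp", "2.2.2.1", 8080))
    print("not in ACL :", t.outbound("tcp", "172.16.0.9", 5000))
```

The `inbound` method is the part worth reading twice: with only the overload statement, the LAN is reachable from the Internet solely on ports that an inside host has itself opened, and exposing a server requires an explicit static entry such as the ones in the 1605r sample above.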
Router configuration
Following is a sample configuration for when there are multiple LAN interfaces on the router. Note that no NAT takes place between the Ethernet0/0 and Ethernet0/1 interfaces, since NAT only happens when traffic traverses an interface configured with the ip nat inside command and one configured with the ip nat outside command.
Router configuration
Typically you implement this scenario when there is no dedicated firewall to do NAT/PAT. When you do have dedicated firewall, then you may want to implement one of the next scenarios.
Scenario 2: There is a firewall behind the router that does NAT/PAT
In this scenario, you have a PIX Firewall as the dedicated firewall gear that sits behind the router. You have a crossover cable connecting the router E0/0 and the PIX e0 interfaces to make a point-to-point connection. This point-to-point connection uses the 192.168.1.0/30 subnet.
There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN, which also serves as default gateway to all hosts within the Private LAN.
You set the PIX to assign 2.2.2.1 as the Public PAT IP address to all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and VPN Concentrator.
Router configuration
PIX Firewall configuration
Typically you implement this scenario when there are no other physical devices directly behind the router but the firewall.
More Sample Configuration regarding dedicated firewall behind an Internet router »Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN
Scenario 3: There is a firewall behind the router that does NAT/PAT and does IPSec VPN tunnel
In this scenario, you have a PIX Firewall as the dedicated firewall gear that sits behind the router. You have a crossover cable connecting the router E0/0 and the PIX e0 interfaces to make a point-to-point connection.
There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN, which also serves as default gateway to all hosts within the Private LAN.
You set the PIX to assign 2.2.2.3 as the Public PAT IP address to all Private LAN hosts. You set the PIX outside interface as 2.2.2.2 which will be the VPN Concentrator IP address. You can later assign other IP addresses within your Public IP Block to other devices such as servers. Check out the following FAQ for more info on running servers with ASA or PIX Firewall.
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)
Router configuration
PIX Firewall configuration
This is an alternate scenario when there is a possibility to connect other devices behind the router other than the firewall. In addition, this might be the preferred scenario when the firewall acts also as VPN Concentrator. Check out the following FAQ for more info in setting up ASA or PIX Firewall as both Internet firewall and VPN Concentrator.
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
by aryoba, last modified: 2009-03-23 09:29:21