[help] 851W and ISP DHCP
I have configured my 851W but it refuses to pick up an IP address from my ISP's DHCP server.
I dredged with Google and found other people asking similar questions, but none had solutions posted.
It's probably something in my configuration, since I'm extremely new to Cisco and IOS.
Here's my config:
Current configuration : 9198 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco851W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 192.168.0.2
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid wtbhome
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 0014550F0356020D182E181C5B4950
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 103 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
TomS_
MVM
2007-Nov-15 3:15 am
I think you will find it is because access-list 102 doesn't permit the DHCP response back into your router. Try adding the following line, but make sure it is added before the "deny ip any any" line:
access-list 102 permit udp any any eq bootps
Easiest way to do it is to take a copy of your existing access-list, add the new rule, "no" the existing access-list, then paste the new one back in.
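The ordering point above, as an added example that is not part of the thread and not Cisco code: a small Python evaluator that walks the posted ACL 102 the way IOS does (first match wins, implicit deny at the end) against a constructed DHCP OFFER, which a server sends from UDP port 67 (bootps) to UDP port 68 (bootpc), and reports which line decides it, with a candidate permit line optionally inserted ahead of the final deny. The server address 203.0.113.1 is a placeholder, and the parser covers only the keywords that appear in the posted config.

```python
import ipaddress
# Added example (not Cisco code): a minimal evaluator for the extended-ACL syntax used in
# the thread's ACL 102 (any / host / wildcard mask / 'eq PORT'), run against a DHCP reply.
PORT_NAMES = {"bootps": 67, "bootpc": 68}
# Constructed sample: a DHCP OFFER arriving inbound on FastEthernet4. Servers reply from
# UDP 67 (bootps) to UDP 68 (bootpc); the server address is a placeholder.
DHCP_OFFER = {"proto": "udp", "src": "203.0.113.1", "sport": 67,
              "dst": "255.255.255.255", "dport": 68}
ACL_102_POSTED = """access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log""".splitlines()   # ACL 102 as posted, remarks omitted

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def ace_hits(line, pkt):
    """True if one ACE ('access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...') matches pkt."""
    t = line.split()
    if t[2] == "remark" or t[3] not in ("ip", pkt["proto"]):
        return False
    pos = 4
    for ip_key, port_key in (("src", "sport"), ("dst", "dport")):
        if t[pos] == "any":                                  # every address bit is don't-care
            addr, wild, pos = 0, 0xFFFFFFFF, pos + 1
        elif t[pos] == "host":                               # exact host match
            addr, wild, pos = _ip(t[pos + 1]), 0, pos + 2
        else:                                                # ADDRESS WILDCARD (inverted mask)
            addr, wild, pos = _ip(t[pos]), _ip(t[pos + 1]), pos + 2
        if (_ip(pkt[ip_key]) | wild) != (addr | wild):       # wildcard bits are ignored
            return False
        if pos < len(t) and t[pos] == "eq":                  # optional port test on this side
            port, pos = PORT_NAMES.get(t[pos + 1]) or int(t[pos + 1]), pos + 2
            if port != pkt[port_key]:
                return False
    return True
def first_match(acl, pkt):
    """(1-based ACE number, action) of the first hit; (None, 'deny') is the implicit deny."""
    for n, line in enumerate(acl, 1):
        if ace_hits(line, pkt):
            return n, line.split()[2]
    return None, "deny"
def verdict_with(extra_ace=None):
    """What ACL 102 does to the DHCP OFFER, optionally with one ACE added ahead of the final deny."""
    acl = ACL_102_POSTED if extra_ace is None else ACL_102_POSTED[:-1] + [extra_ace, ACL_102_POSTED[-1]]
    return first_match(acl, DHCP_OFFER)
```

Calling verdict_with() with the line suggested above and then with ACL 101's "permit udp any eq bootps any eq bootpc" shows which form a server reply (source 67, destination 68) actually matches before it reaches the final deny.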
I was just editing a file to include what you suggested and I noticed that I already have a line in the access list that reads:
access-list 102 permit udp any any eq bootps
and it is several lines before the line
access-list 102 deny ip any any log
Am I misunderstanding something here or should that be working?
aryoba
MVM
2007-Nov-15 11:22 am
Sailing_Nut,
Replace ACL 102 under the WAN interface with ACL 101 and see if it works. Here are the steps:
configure terminal
interface FastEthernet4
no ip access-group 102 in
ip access-group 101 in
end
copy running-config startup-config
Unfortunately no luck with switching the ACL.
If you think I would be best defaulting the router and starting again, I can do that. I've been thrashing about with SDM and the command line and it's possible that I've got some built up junk that's messing things up.
If I rebuild, I think it would be best to stay away from SDM because it seems to do lots of things that one might not intend. I'll just need some guidance in building the firewall rules.
Thanks!
aryoba
MVM
2007-Nov-15 11:47 am
After applying ACL 101, did you reset the WAN interface? Something like shut/no shut or reloading the router would do. No need to wipe out the entire config ..... at least not yet .... By resetting the interface, the router will reinitialize the DHCP session with your ISP. See if your router can get the IP address then.
I had previously used SDM to take the interface down and back up.
I just tried the shut / no shut and that did not seem to work either. But, just to be sure I'm doing it right, I entered these commands:
configuration terminal
int fa4
shut
no shut
end
Did I get it right?
aryoba
MVM
2007-Nov-15 12:29 pm
Yup, it was the right command ... Btw, do you have a static IP plan with your ISP? You may want to confirm with the ISP whether they use a system that locks the MAC address into their system. If they do, then you need to confirm that they have the correct WAN interface MAC address. Your correct WAN interface MAC address should be the one shown in show interface FastEthernet4.
to Sailing_Nut
Would "access-list 103 deny ip any any" be a factor here?
Jay
I have a dynamic IP with my ISP.
I don't know 100% that they do not lock down the MAC address for assigning IP addresses, but I do know that I currently have the Verizon supplied Actiontec router and that I also was able to get a crappy Linksys WRV200 router to work. The poor performance of the WRV200 is what spurred my purchase of the 851W.
aryoba
MVM
2007-Nov-15 1:47 pm
You could "borrow" the Linksys WAN interface MAC address and implement it on the 851W WAN interface, and see if it works. Here is how to implement the MAC address:
configure terminal
interface FastEthernet4
mac-address [LINKSYS WAN INTERFACE MAC ADDRESS]
shutdown
no shutdown
end
Note that the Linksys must never be within the same broadcast domain as the Cisco for the borrowing to work.
I highly doubt that the MAC cloning will solve the problem.
The 851W will be the 4th router that I have used with this connection (only used one at a time)
Verizon supplied an Actiontec MI424-WR router that I am currently using. I have also gotten 2 separate Linksys routers to pick up an IP from Verizon.
The 851W is the only one that will not get an IP from Verizon. (I never cloned MAC addresses on any of the other routers.)
OK, I'm totally in shock, but when I cloned the MAC of my Actiontec router, the 851W got assigned an IP! It's so strange because I never cloned the MAC address on either of the Linksys routers I tried.
Now it seems that the 851W is a bit slow on my connection. When I ran a speed test, I only got about 8Mb/s from my 15Mb/s connection. Any suggestions on how to improve that?
aryoba
MVM
2007-Nov-16 9:11 am
Aha! So your ISP (Verizon?) does lock down your WAN router interface MAC address .... The Linksys router was probably running some non-RFC-compliant code that could somehow "go around" the MAC address lockdown. Consumer-grade routers like Linksys typically behave that way. Well, at least now you can connect using your 851W router, even if you feel it is slow. One thing I can think of is the application inspection. As you may notice, your router inspects a lot of application traffic, especially applications that run over HTTP like IM. If you like to experiment, you can try removing the inspection and see if your connection runs faster.
Thanks for the help.
I was amazed when it worked, but I was glad I followed your suggestion!
I'll work on taking out the application inspection. I put a fair amount of stuff in there that I probably will never use. I kind of want the paranoid route to start with.