Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)
[help] 851W and ISP DHCP

I have configured my 851W but it refuses to pick up an IP address from my ISP's DHCP server.

I dredged with Google and found other people asking similar questions, but none had solutions posted.

It's probably something in my configuration, since I'm extremely new to Cisco and IOS.

Here's my config:

Current configuration : 9198 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco851W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 192.168.0.2
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
!
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid wtbhome
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 0014550F0356020D182E181C5B4950
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
no cdp enable
bridge-group 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 103 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

TomS_ (Git-r-done, MVM, join:2002-07-19, London, UK)

I think you will find it is because access-list 102 doesn't permit the DHCP response back into your router.

Try adding the following line, but make sure it is added before the "deny ip any any" line:

access-list 102 permit udp any any eq bootps

The easiest way to do it is to take a copy of your existing access-list, add the new rule, "no" the existing access-list, then paste the new one back in.

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

I was just editing a file to include what you suggested and I noticed that I already have a line in the access list that reads:

access-list 102 permit udp any any eq bootps

and it is several lines before the line

access-list 102 deny ip any any log

Am I misunderstanding something here or should that be working?

aryoba (MVM, join:2002-08-22)

Sailing_Nut,

Replace ACL 102 under the WAN interface with ACL 101 and see if it works. Here are the steps:

configure terminal
interface FastEthernet4
no ip access-group 102 in
ip access-group 101 in
end
copy running-config startup-config
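The access-list question in the posts above (whether ACL 102 lets the ISP's DHCP reply back in, and whether swapping in ACL 101 changes that), worked through as an added example that is not part of the thread: a Python model of IOS extended-ACL evaluation, top down with the first match winning, run against a constructed DHCP OFFER (UDP source port 67 to destination port 68) as it arrives inbound on FastEthernet4. The entries are the posted ACL 102 and ACL 101 plus the suggested permit line; the ISP server address is made up.

```python
"""Model of IOS extended-ACL evaluation (top down, first match wins, implicit deny at
the end) against a constructed DHCP OFFER arriving inbound on the WAN port.  Entries are
copied from the thread minus the 'access-list N' prefix; the ISP address is made up."""
import ipaddress

def ip(s): return int(ipaddress.IPv4Address(s))
PORT_NAMES = {"bootps": 67, "bootpc": 68}
PROTO_NUM = {"ip": None, "udp": 17, "tcp": 6, "icmp": 1}  # None matches any protocol

def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    net = tok.pop(0) if t == "host" else t
    return ip(net), ip("0.0.0.0" if t == "host" else tok.pop(0))

def _port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tok[:1] != ["eq"]:
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORT_NAMES.get(name) or int(name)
def _in(addr, nw):  # wildcard match: a set bit in the wildcard means "don't care"
    return (addr & ~nw[1]) == (nw[0] & ~nw[1])
def evaluate(acl, pkt):
    """Return (action, entry) of the first entry matching pkt, else the implicit deny."""
    for entry in acl:
        tok = entry.split()
        action, proto, tok = tok[0], PROTO_NUM[tok[1]], tok[2:]
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)  # a trailing icmp type name is ignored
        if (proto in (None, pkt["proto"]) and _in(pkt["src"], src) and _in(pkt["dst"], dst)
                and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"])):
            return action, entry
    return "deny", "implicit deny ip any any"
# ACL 102 as applied inbound on FastEthernet4 in the posted config.
ACL_102 = ["deny ip 192.168.0.0 0.0.0.255 any", "permit icmp any any echo-reply",
           "permit icmp any any time-exceeded", "permit icmp any any unreachable",
           "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
           "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
           "deny ip host 255.255.255.255 any", "deny ip any any log"]
# ACL 101 in the same config is this list preceded by the SDM-generated DHCP permit.
ACL_101 = ["permit udp any eq bootps any eq bootpc"] + [e.replace(" log", "") for e in ACL_102]
# ACL 102 with the line suggested in the thread inserted ahead of the final deny.
ACL_102_SUGGESTED = ["permit udp any any eq bootps"] + ACL_102
# Constructed DHCP OFFER (TEST-NET-3 server): 203.0.113.5 port 67 -> broadcast port 68.
DHCP_OFFER = {"proto": 17, "src": ip("203.0.113.5"), "sport": 67,
              "dst": ip("255.255.255.255"), "dport": 68}
```

Running the three lists against the same offer shows which entry each one stops at, and that a port qualifier on the destination side only matches traffic sent to that port.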

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

Unfortunately no luck with switching the ACL.

If you think I would be best defaulting the router and starting again, I can do that. I've been thrashing about with SDM and the command line and it's possible that I've got some built up junk that's messing things up.

If I rebuild, I think it would be best to stay away from SDM because it seems to do lots of things that one might not intend. I'll just need some guidance in building the firewall rules.

Thanks!

aryoba (MVM, join:2002-08-22)

After applying ACL 101, did you reset the WAN interface?

Something like a shut/no shut, or reloading the router, would do.
No need to wipe out the entire config ..... at least not yet ....

By resetting the interface, the router will reinitialize the DHCP session with your ISP. See if your router can get the IP address then.

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

I had previously used SDM to take the interface down and back up.

I just tried the shut / no shut and that did not seem to work either. But, just to be sure I'm doing it right, I entered these commands:

configure terminal
int fa4
shut
no shut
end

Did I get it right?

aryoba (MVM, join:2002-08-22)

Yup, those were the right commands ...

Btw, do you have a Static IP plan with your ISP?

You may want to confirm with the ISP whether they use a system that locks the MAC address into their system. If they do, then you need to confirm that they have the correct WAN interface MAC address. Your correct WAN interface MAC address is the one shown by show interface FastEthernet4.

DocLarge (Premium Member, join:2004-09-08) to Sailing_Nut
Would "access-list 103 deny ip any any" be a factor here?

Jay

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

I have a dynamic IP with my ISP.

I don't know 100% that they do not lock down the MAC address for assigning IP addresses, but I do know that I currently have the Verizon supplied Actiontec router and that I also was able to get a crappy Linksys WRV200 router to work. The poor performance of the WRV200 is what spurred my purchase of the 851W.

aryoba (MVM, join:2002-08-22)

You could "borrow" the Linksys WAN interface MAC address and set it on the 851W WAN interface, then see if it works. Here is how to set the MAC address.

configure terminal
interface FastEthernet4
mac-address [LINKSYS WAN INTERFACE MAC ADDRESS]
shutdown
no shutdown
end

Note that the Linksys must never be within the same broadcast domain as the Cisco for the borrowing to work.

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

I highly doubt that the MAC cloning will solve the problem.

The 851W will be the 4th router that I have used with this connection (only used one at a time).

Verizon supplied an Actiontec MI424-WR router that I am currently using. I have also gotten 2 separate Linksys routers to pick up an IP from Verizon.

The 851W is the only one that will not get an IP from Verizon. (I never cloned MAC addresses on any of the other routers.)

Sailing_Nut (Member)

OK, I'm totally in shock, but when I cloned the MAC of my Actiontec router, the 851W got assigned an IP! It's so strange because I never cloned the MAC address on either of the Linksys routers I tried.

Now it seems that the 851W is a bit slow on my connection. When I ran a speed test, I only got about 8Mb/s from my 15Mb/s connection. Any suggestions on how to improve that?

aryoba (MVM, join:2002-08-22)

Aha! So your ISP (Verizon?) does lock down your WAN router interface MAC address ....

The Linksys router was probably running some non-RFC-compliant code that could somehow "go around" the MAC address lock down. Consumer-grade routers like Linksys typically behave that way.

Well, at least now you can connect using your 851W router, even if you feel it is slow. One thing I can think of is the application inspection. If you look, your router inspects a lot of application traffic, especially traffic running over HTTP like IM. If you'd like to experiment, you can try removing the inspection and see if your connection runs faster.

Sailing_Nut (Member, join:2006-11-07, Annapolis, MD)

Thanks for the help.

I was amazed when it worked, but I was glad I followed your suggestion!

I'll work on taking out the application inspection. I put a fair amount of stuff in there that I probably will never use. I kind of want the paranoid route to start with.