  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| 2811 uk ADSL (ppoa) config routing problem
Hi, Although a long term member of these boards, first time in the Cisco arena. OK, got a problem, our in-house Cisco guy is no longer with us, and I am trying with my limited skills to get this router working. Router has 2 wic-1adsl inside. The final goal would be to have 2 separate dsl connections one on each wic with the traffic from atm 0/0 to route over fe0/0 and atm0/1 to fe0/1. Both wan dsl connections should be set by isp with a /29 routed range on the LAN side (of course different ranges on both fe's). Now before I try to get complicated, I wanted to start with just one connection, now it connects and we get IP assigned so I know PPP traffic is OK (I can see this remotely) although I am unable to ping at0/0 from internet and I also do not get any traffic routing from lan to wan or internet. I have pulled down a few template configs and even tried SDM but all to no avail, so just before I take this router and drop it over a pier, could someone have a look and give me an idea what I am doing wrong.
As always thank you in advance.
!This is the running config of the router: 10.1.2.96
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$m4Uo$WEcyOvZSPbfJuHd15ar9z/
enable password
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 description Ethernet$ETH-LAN$
 ip address 89.145.240.181 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 10.1.2.96 255.255.255.0
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 0
 ppp ipcp mask request
 ppp ipcp address accept
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
!
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end
-- Regards Customer Services »www.vivaciti.net |
|
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
| Well there's a few bits missing that I can see:
* You have "ip nat outside" on the dialer interface, but which is the "ip nat inside" interface?
* Your NAT overload statement looks fine, but where is ACL 1 that tells it which subnets to NAT for?
To remedy this, I would probably do the following, assuming this is what you are trying to achieve:
* On Fa0/1 I would add "ip nat inside", since this interface seems to have private IPs on it
* I would remove your NAT overload statement and replace it with "ip nat inside source list 100 int Di0 overload"
* Add ACL 100 with the following rule "access-list 100 permit ip 10.1.2.0 0.0.0.255 any"
ACL 100 is part of the extended ACL range, and it's a little more flexible as it allows you to specify source and destination IPs/subnets. I prefer this method for NAT but standard ACLs work just fine.
said by The Doctor :so just before I take this router and drop it over a pier
Don't do that, just send it to me instead.  |
|
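The two gaps TomS_ points out in the reply above (a NAT rule with no "ip nat inside" interface, and a NAT rule that references an ACL which is never defined) can be checked mechanically before a config is loaded. The Python below is an added example, not code from the thread; the function name audit_nat and the embedded config excerpt are constructed for illustration, and it assumes "show running-config" style output with unabbreviated keywords.

```python
import re

# Constructed excerpt modelled on the first config posted in this thread
# (credentials and unrelated lines omitted); not a verbatim copy.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 10.1.2.96 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
dialer-list 1 protocol ip permit
"""

def audit_nat(config):
    """Return a list of findings for inconsistent NAT overload rules."""
    roles = {"inside": [], "outside": []}  # interfaces tagged with each NAT role
    acls_defined, nat_rules = set(), []
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
        elif not raw.startswith(" "):
            current_if = None  # unindented line: back at global config level
        if current_if and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            roles[m.group(1)].append(current_if)
        # Numbered ("access-list 100 ...") and named ("ip access-list ...") ACLs
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls_defined.add(m.group(1))
        if m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_rules.append((m.group(1), m.group(2)))
    findings = []
    for acl, egress in nat_rules:
        if not roles["inside"]:
            findings.append(f"NAT rule via {egress}: no interface has 'ip nat inside'")
        if egress not in roles["outside"]:
            findings.append(f"NAT rule via {egress}: {egress} lacks 'ip nat outside'")
        if acl not in acls_defined:
            findings.append(f"NAT rule via {egress}: ACL {acl} is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed excerpt it reports the same two problems raised in the reply; a config with "ip nat inside" on the LAN interface and a defined ACL produces no findings.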
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs: | reply to The Doctor Should that be the same as I am not using NAT (public IPs on both sides) or would that still be classed as NAT? |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs: | reply to The Doctor Oh I see what you're seeing, the int with the private IPs is not the one we are using just yet (I was orig using that to configure it) but it should be public on both sides |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| reply to The Doctor Just realised I have posted the old config not the running one, sorry for trouble, must have been having a blond moment. Here is the correct config from the router:
!This is the running config of the router: 94.30.109.121
!----------------------------------------------------------------------------
!version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname viv_dsl_2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ZD0u$9t5aM/Y4vk7DTqCOcQYEV0
enable password [a password]
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip cef
!
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address xxx.xxx.109.121 255.255.255.248
 no ip route-cache
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 no ip route-cache
 pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [adsl username]
 ppp chap password 0 [adsl password]
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
!
!
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password [a password]
 login
!
scheduler allocate 20000 1000
!
end
-- Regards Customer Services »www.vivaciti.net |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs: | reply to The Doctor Anyone got any ideas on this one? |
|
 aryoba Premium,MVM join:2002-08-22
1 edit | Does your ISP assign a second IP address outside of the /29 routed range? If that is the case, then your configuration should be fine.
When your ISP only assigns the /29 routed range, then you can't really assign the FastEthernet0/0 interface using IP address within the /29 routed range. The ISP expects the Dialer0 interface to have the IP address within the /29 routed range.
If you have to assign the FastEthernet0/0 interface using an IP address within the /29 routed range, then you need to have the router do IRB (Integrated Routing Bridging) where both the FastEthernet0/0 and Dialer0 interfaces are within the same broadcast domain while maintaining routing in place. |
|
 bigsy
join:2001-07-18 UK
| said by aryoba :When your ISP only assigns the /29 routed range, then you can't really assign the FastEthernet0/0 interface using IP address within the /29 routed range. The ISP expects the Dialer0 interface to have the IP address within the /29 routed range.
In this case would ip unnumbered FastEthernet0/0 not work on the Dialer0 interface while allowing you to use an address from the /29 range on Fa0/0? |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs: | reply to The Doctor Hi, It is a separate IP for the dialer, (fixed IP) and the /29 is a separate routed range. I can ping the lan side from the lan, and the wan side from the internet, but would seem that nothing is routing from wan to lan (or vice versa)?? |
|
 aryoba Premium,MVM join:2002-08-22
1 edit | When you said there seemed nothing was routing from WAN to LAN, I believe you pinged from the router to your internal LAN IP segment (the 10.1.2.0/24)?
As TomS_ mentioned, there has to be some NAT mechanism in place between the internal LAN IP segment and the Internet. This NAT mechanism could take place on the router or on a NAT device behind the router.
Should you choose to do the NAT on a separate device behind the router, then you could use a firewall that is capable of doing NAT (typical NAT device). In addition, there will be some static routes needed on the router and the firewall to make sure routing between WAN and LAN is in place.
Note that your current router configuration is pretty much set for using a separate NAT device such as a firewall behind the router to do the NAT. You just need to add some static routes on the router and the firewall and specify which LAN IP segment to be NAT-ed to one of the IP addresses within the router's FastEthernet0/0 interface (within the /29 routed range).
When there is no firewall to use (and you don't plan to implement one), then the only choice is to implement NAT on the router. Should you choose this avenue, then you need to reconfigure the router with a different approach.
Following is a list of sample configurations available at this forum's FAQ
»Cisco Forum FAQ »Setting Up Network With ISP WAN and Public IP Block subnets running NAT
The FAQ shows you how to configure the router and firewall (in this case, a PIX Firewall) should you decide to use a separate firewall as the NAT device. The FAQ also shows you how to configure the router should you decide to use the router as the NAT device (no firewall in place). |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| reply to The Doctor Oh OK, I think I see. There will be a firewall hanging off the LAN side, but for the moment, I have my own test PC set with the IP .122 with a mask of .248 and gateway of .121 and assumed that this would allow me to ping the router and allow the router to route the ICMP packet out of the wan interface to an ip and return it. But from what you are saying this is wrong? (If I understand you correctly) so would it not be the same for PC or firewall setup the same (PC is only in look with public IPs for testing)
Karl -- Regards Customer Services »www.vivaciti.net |
|
 aryoba Premium,MVM join:2002-08-22
| said by The Doctor :Oh OK, I think I see. There will be a firewall hanging off the LAN side, but for the moment, I have my own test PC set with the IP .122 with a mask of .248 and gateway of .121 and assumed that this would allow me to ping the router and allow the router to route the ICMP packet out of the wan interface to an ip and return it.
For testing purposes, such a setup should be fine. Your test PC should be able to go out to the Internet.
said by The Doctor :But from what you are saying this is wrong? (If I understand you correctly) so would it not be the same for PC or firewall setup the same (PC is only in look with public IPs for testing) Karl
The test setup is not wrong, it is just a different network design. The key difference is that there is no need to do NAT since the PC uses a Public IP address directly. When there are machines that use a Private IP address (such as 10.1.2.97), then there must be a NAT mechanism in place before traffic hits the Internet since a Private IP address will not be Internet route-able. |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| reply to The Doctor Hi, Yes that's what I thought (thought I had it all wrong) so in the lab setup there is no reason why it should not work? Should the gateway on test pc point to the router lan IP or WAN IP? as at the moment it is pointing to the LAN IP (and still not getting any traffic out) |
|
 aryoba Premium,MVM join:2002-08-22
| From the router configuration, the network setup should be fine. You might want to set both router LAN interface, PC, and switch between router and PC (if any) to have speed/duplex setting as auto/auto since obviously having speed/duplex setting as auto/half is incorrect. |
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| reply to The Doctor OK, I will change that in the config although now I have it in console and getting loads of:
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
errors, although can't see where these are being set from?? -- Regards Customer Services »www.vivaciti.net |
|
 ladino
join:2001-02-24 USA | Enter the following commands to get rid of those messages
config t
no service config
do wr
!
|
|
  The Doctor Vivaciti Broadband Premium join:2001-05-21 UK clubs:
| Thank you to everyone who helped, we found out the problem, the dialer was using PPPoE instead of PPPoA. Anyway it's up and I have some routing, although doing more testing now. Is there a command to allow icmp, I can ping out of the router to bbc and stuff, but a tracert gives no results and when I try to ping the WAN interface I get no response (good for production but would like to be able to ping for testing). What would the command be to be able to allow icmp?
Cheers again for all your help. -- Regards Customer Services »www.vivaciti.net |
|