
Total failure to get SR520-ADSL-K9 to connect to ISP

IanLyon222
Level 1

Hi,

I'm new to Cisco.

We've (an independent school) just bought an SR520 with a view to replacing one of our Draytek 2820s. We need to set up some site-to-site VPN with NAT and the Drayteks won't do it.

I've been trying to configure the SR520 in just the most basic fashion using CCA (3.1) and the CLI but with no success. I can't get a PPP connection with our ISP.

I've tried following the instructions in the software config pdf and also tried replicating the various 'running configs' reported in other posts in this forum to allow connection to a UK ISP, with no success. I don't know how many times I've reset the poor thing to factory defaults.

I have to say that I'm dismayed at how flaky the CCA appears to be. Many of the things I've tried with it simply don't work and often end up in it hanging. Close to useless in my view I'm sorry to say.

So instead I've tried to use the CLI which seems a lot more solid but is somewhat impenetrable and there's precious little by way of supporting explanation.

Before I carefully put the thing back in the box, send it back and close the book on Cisco, can anyone give me a few pointers?

12 Replies

IanLyon222
Level 1

Hello,

Me again. I'm not prone to paranoia but I think Cisco must have it in for me as that last post just posted itself, without waiting for any user input.

I was just going to add that I'm happy to struggle a little more with the CLI if this is the only way to configure this thing but, in that case, where can I go for a little more background?

Many thanks,

Ian.

Hi Ian,

The restriction with CCA is that it only supports the configuration of PPPoE over ADSL.  This could very well be your issue.

To configure PPPoA using the SR520 CLI, use something like the following:

     interface ATM0
      no ip address
      no atm ilmi-keepalive
      pvc 0/38
       encapsulation aal5mux ppp dialer
       dialer pool-member 1
      !
      dsl operating-mode auto
     !
     interface Dialer0
      ip address negotiated
      ip access-group 101 in  ! << Firewall access list
      ip mtu 1452
      ip nat outside
      ip inspect SDM_LOW out
      ip virtual-reassembly
      encapsulation ppp
      load-interval 30
      dialer pool 1
      no cdp enable
      ppp chap hostname <>
      ppp chap password <>
      ppp pap sent-username <> password <>
      ppp ipcp dns request accept
      ppp ipcp route default
      ppp ipcp address accept
     !

You should find that this works if you are using most of the UK ADSL services. 

If you happen to be using a Kingston ADSL service, then change the PVC value from 0/38 to 1/50.

Cheers

Andy

Andrew,

Many thanks for getting back to me about this and sorry for the delay in replying - due to the Christmas break.

I've just got back in today and have tried the configuration you suggest but, unfortunately, with no luck (ie no connection). At least I don't think I'm having any luck. I can't say I'm terribly clear how to query the device's status, either with the CLI or the CCA.

I noticed that, by default, an interface ATM0.1 was showing in my config. You made no mention of that and so I tried clearing it (no inter atm0.1, followed by saving config and restarting). However that doesn't seem to have allowed the unit to connect either.

How can I get some meaningful diagnostics about what's going on? I'm used to some sort of log showing connection attempts and the outcome.

I'm very much at sea here. I badly need some sort of support manual. I got the unit on the understanding that it was configurable with the CCA, and that does not appear to be the case.

Can you point me to some documentation that will give me the background I need to use the CLI with some confidence?

Cheers, Ian.

Hi Ian,

There are a number of show commands that you could use.  For example, "show dsl interface atm 0" will show the status of the actual DSL connection.  In the first couple of lines hopefully you will see the following if the DSL link is good:

Modem Status:    Showtime (DMTDSL_SHOWTIME)

Next layer up is ATM, so you could use "show atm interface atm 0".  For a good connection, you should see something like:

     Interface ATM0:
     AAL enabled:  AAL5   AAL2, Maximum VCs: 10, Current VCCs: 1
     VCIs per VPI: 1024,
     Max. Datagram Size: 4528
     PLIM Type: ADSL - 1020Kbps Upstream, DMT, TX clocking: LINE
     411446 input, 142476 output, 11837201 IN fast, 10302856 OUT fast
     Avail bw = 1020
     Config. is ACTIVE

Next layer is IP (over PPP), where you can use "show ip interface dialer 0".  Here you should look for the following in the first couple of lines:

"Dialer0 is up, line protocol is up". This should be followed by an IP address when things are working correctly.

Try those commands - you can search cisco.com for more information on them - let me know which ones don't look right on your system.

Feel free to send me your configuration if you like.  (If you want to post the config here, make sure that you delete any personal/password information first)

Cheers

Andy

Andrew,

Really appreciate your help with this. I have now succeeded in connecting to our ISP. Wonderful!

I need now to set up some outgoing filtering (by IP address) and am perusing the sec_cr_book.pdf document for help with this. It's certainly more difficult than reading the back of cereal packets.

I thought that I had worked out how to set up some port forwarding using entries of the form:

     ip nat inside source static tcp interface Dialer0

but it doesn't seem to be working.

All that I'm trying to do, if it isn't already obvious, is direct all traffic arriving from outside on a particular port to a particular server on the LAN, eg port 25 to the mail server. I've discovered turning debug (of various things) on and that's proving helpful, but I haven't yet worked out how to find out what's happening to all my incoming SMTP.

I'll labour on but, as ever, any tips would be much appreciated.

Cheers, Ian.

Hi Ian,

Good news on the ISP connection.  Now that you have that configured, you *may* be able to use CCA again (just don't change the WAN interface configuration!).

Always make sure that you save your configurations though:

To save configuration use "copy run start" but also to keep a local reference version, you can copy a configuration to flash memory too: "copy run flash:myconfig.cfg".

There are a few things to bear in mind for the configurations you mention above:

NAT:  Make sure that you have "ip nat inside" configured on your inside interfaces and "ip nat outside" configured on the WAN (Dialer 0).  Traffic allowed to use the NAT function (and access the internet) is controlled using the "ip nat inside source list 1 interface Dialer0 overload" global command.  The "1" here specifies the access list that defines the eligible local hosts - i.e. "access-list 1 permit 192.168.75.0 0.0.0.255".

You mention that you want to use port forwarding - the command you reference above should work just fine.  However, it has to work in conjunction with your firewall configuration.  For example, if you wish to forward mail traffic from the Internet in to your local network, you'd have a port forward for port 25 and a firewall permit statement for port 25 traffic.  (Imagine the traffic having to get through the firewall before it can be treated by the port forward feature).

Configuring the firewall will depend on whether you are using the Zone Based or CBAC firewall feature.  I think that CCA uses Zone Based firewall.  CBAC essentially uses Access Control Lists applied to interfaces using the interface access-group command.

Cheers

Andy
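
Added example (not part of Andy's reply and not a Cisco-supplied configuration): the port forward and the matching firewall entry described above, side by side, for the ACL-based (CBAC) case. The mail server address 192.168.75.10 is an assumption; ACL 101 and Dialer0 are taken from the configuration earlier in the thread.

```cisco
! Constructed example. 192.168.75.10 is an assumed mail server address on
! the 192.168.75.0/24 LAN mentioned above; substitute your own.
!
! 1) Port forward only. SMTP arriving on Dialer0 has a translation rule,
!    but the inbound ACL on Dialer0 is evaluated before NAT, so unless
!    ACL 101 already permits it the packet is dropped before translation.
ip nat inside source static tcp 192.168.75.10 25 interface Dialer0 25
!
! 2) Port forward plus firewall entry. Permit only the forwarded port.
!    The destination is "any" because Dialer0's address is negotiated and
!    the ACL sees the packet before its destination is translated.
!    A numbered "access-list" line is appended to the end of the list and
!    entries are matched top-down, so check that no earlier deny line
!    matches the traffic first.
access-list 101 permit tcp any any eq smtp
!
interface Dialer0
 ip access-group 101 in
 ip nat outside
!
! 3) Checks after sending a test message from outside:
!    show access-lists 101      (match counter on the permit line rises)
!    show ip nat translations   (an entry for 192.168.75.10:25 appears
!                                with the sender as the outside address)
```

Every other inbound port stays closed by the implicit deny at the end of ACL 101, so each additional forward needs its own permit line.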

Andy,

Once again, very many thanks for the continued support. It is invaluable.

Yes, my NAT config seems to be in order, according to your instructions, but it's very reassuring to know that this is the case.

With regard to the firewall, once again I'm afraid, the CCA tends only to lead to the tearing out of hair. Depending on its mood at the time, it sometimes reports that 'the firewall is not configured' and other times that it is (security level == low, by default), but, in any case, it's difficult to see how to configure it at all since the only control is a slider with what seem to be 3 preset security levels (low, medium and high). Highly granular it is not. Or am I just not looking in the right place? I'm in Security - Firewall and DMZ.

I'm moving away from any idea of using the CCA altogether and think that I'd be happier configuring the firewall from the command line. Given what you already know about what I'm trying to do, which approach would you recommend and can you point me in the direction of some more information?

Thanks, Ian.

Hi Ian,

What else were you planning to configure for the firewall?  It's true that the CCA controls are pretty simple, but in many cases this is sufficient for straightforward Internet access devices.  CCA will manage the detail of opening the necessary holes in the firewall for port forwarding that you configure.

Now this is not to say that you don't have more advanced requirements, in which case, using the command line might be your only option.

If you just want a simple set up that will block unsolicited incoming traffic and allow you to direct SMTP towards your mail server, CCA is probably going to be fine.  If you use one of the firewall settings that enable inspection, you might still want to use CLI to remove esmtp inspection as I have seen issues with that in the past.

If you'd feel happier with CLI, that is your choice (I can't make personal recommendations for you)

Cheers

Andy

Andy,

Thanks for getting back.

You'd said previously that, as well as setting up port forwarding, I'd need to put permit statements in for the firewall (presumably for each forwarded port).

Unless I'm getting the wrong end of the stick, now you're saying something a bit different.

I'd be happy if the CCA would handle the firewall setup but, as I said, the port forwarding didn't seem to be working before which suggests the CCA wasn't doing this at that time. How would I persuade it to now?

And why does it sometimes tell me my firewall isn't configured and other times tell me it is? I'm finding it very difficult software to trust.

Where do I start with configuring the firewall with the CLI? Is there some sort of manual entry on this?

Thanks, Ian.

Hi Ian,

Yes, if using CLI, you'd need to allow inbound mail (for example) through the firewall for it to then be forwarded to your mail server.  CCA should deal with all this transparently for you - you just define the port forward.

There are many configuration support documents for IOS (the CLI operating system) on cisco.com.  Start at the following, but also search for application notes on the site too, as they often provide additional context - be warned though, there is a huge amount of content there!

http://www.cisco.com/en/US/products/ps6441/tsd_products_support_configure.html

Cheers

Andy

Andy,

Thank you for getting back. Yes, there certainly is a lot of content relating to the CLI but I have no option because the CCA is hopelessly flaky.

I've been looking at the changes it makes to the running config as I apply/remove its zone-based firewall but it's difficult even to do this since, having applied the firewall settings, it then starts to claim that the firewall is disabled. I presume it isn't since the settings are still present in the running config. Sometimes, after a considerable delay, refreshing the Firewall and DMZ dialogue results in it once again accepting that a firewall is configured.

!?

I'm afraid that I really can't work with software as non-functional as this and am a little perplexed that Cisco, which has a reputation to protect, would let it see the light of day.

Cheers, Ian.

Hi Andrew or Ian

Hope you can help me. I have seen the configuration that you use in this discussion to configure PPPoA using the SR520 CLI.

I just want to configure the Cisco Router SR520-ADSL using PPPoE. This is my configuration, but I have no success using CCA (3.1) or telnet:

     interface ATM0
      description myadsl
      no ip address
      no atm ilmi-keepalive
      pvc 0/35
       encapsulation aal5snap
       pppoe-client dial-pool-number 1
      !
      dsl operating-mode auto
     interface Dialer0
      ip address negotiated
      ip mtu 1452
      ip nat outside
      ip virtual-reassembly
      encapsulation ppp
      load-interval 30
      dialer pool 1
      no cdp enable
      ppp chap hostname myuser
      ppp chap password 0 mypassword
      ppp pap sent-username myuser password 0 mypassword
      ppp ipcp dns request accept
      ppp ipcp route default
      ppp ipcp address accept

The encapsulation that we use in my country is: LLC/SNAP

I can't use the CCA because there is a java.nullpointer exception when I try to save changes.

Thanks for everything.