
1921 Routing problems

agreen1982
Level 1

I am a Cisco Noob.

That said, I am having trouble setting up my new 1921. Also, I'd like to note that I am setting it up for an office that I do not work in, so I cannot verify if the routing is working when I change it. I kind of need a bulletproof routing setup inside this thing before I box it up and send it there again. The people in that office are less knowledgeable than I am, so if it gets there and it doesn't work it just gets shipped back to me on my dime.

The office has a fiber connection from Cogent with 1 static IP address.  I have already set the WAN port to 100MB Full Duplex as per Cogent's requirements.

I have been able to set up the gigabitethernet 0/0 up for my lan, with dhcp.  That works fine.

I set my gigabitethernet 0/1 up for wan, entering in the static IP that I was given, and the subnet mask.

I have no idea what to enter for routing.  Or where.  I know this probably sounds terrible, but it's my first router I have ever had to manually set up.

I am looking for any help, as specific as possible.  I would do trial and error, but I am not hooked up to the internet connection / IP that the office uses so I have no idea how to tell if it's working or not.

Thanks in advance to anyone willing to help me out of this hole I was cast into!

Here is my current configuration:

no aaa new-model
clock timezone MDT -7 0
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool Office
 import all
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
!
ip domain name yourdomain.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1146180459
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1146180459
 revocation-check none
 rsakeypair TP-self-signed-1146180459
!
crypto pki certificate chain TP-self-signed-1146180459
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn FTX161481JY
!
username cardinal privilege 15 password 0 cardinal
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description localArea$ETH-LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 38.104.26.150 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.1
access-list 23 permit 10.10.10.0 0.0.0.7
!
snmp-server community public RO
!
control-plane
!


John Blakley
VIP Alumni

Aaron,

You're going to need a default route pointing to the gateway (provider's router). Do you have that info? If not, you'll need to get it.

Then you'll need:

ip route 0.0.0.0 0.0.0.0

At first glance, natting looks correct so this may be all that you need.

HTH,

John

HTH, John *** Please rate all useful posts ***

I hope it's that easy.

To be sure of what you are saying, if my external IP is x.x.x.149 and my gateway is x.x.x.150, I should set

ip route 0.0.0.0 0.0.0.0 x.x.x.150

That will allow traffic to flow between the two interfaces.  Is there any way to test that this is happening before I ship it out?

I really appreciate the help!

According to what you posted, yes, that's all you need. I do see that you're not assigning DNS servers in your DHCP pool, though. That's going to cause an issue for users getting an address and not being able to resolve domain names. But overall the config looks good. The only way that I'm aware of that you'll be able to test is to put another router on the other side and set the 2 routers' interfaces to be on a network between themselves. Then put a host on the 'inside' portion of the network and check the DHCP piece. You should be able to ping the other router from that host. Otherwise, you'll have to test onsite if you don't have a way of doing that.

John

* Please rate useful posts *

HTH, John *** Please rate all useful posts ***

Last question, sorry for being a pain.

I should specify the DNS servers that my ISP gave me in the DHCP Pool? Is there a specific port I should assign these to? I am assuming the LAN (0/0) port.

Would this be easier done in CCP or via the command line?

Again, sorry, but you're extremely helpful.

Here is my current config, with the DNS servers in the DHCP Pool.  Look good?

no aaa new-model
clock timezone MDT -7 0
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool Office
 import all
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
!
ip domain name yourdomain.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1146180459
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1146180459
 revocation-check none
 rsakeypair TP-self-signed-1146180459
!
crypto pki certificate chain TP-self-signed-1146180459
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn FTX161481JY
!
username cardinal privilege 15 password 0 cardinal
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description localArea$ETH-LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 38.104.26.150 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.1
access-list 23 permit 10.10.10.0 0.0.0.7
!
snmp-server community public RO
!
control-plane
!

Aaron,

No worries. Let's go at this step by step:

ip dhcp excluded address excludes a range of addresses from being able to be assigned to hosts. You have the whole range from 10.0.1.101 to 10.0.1.254 excluded. Are you only wanting to assign 10.0.1.2 - 10.0.1.100? If so, this is perfectly fine.

The dhcp scope should look something like this:

ip dhcp pool Office
 import all
 dns-server
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1

So, dns server would be something like "dns-server 4.2.2.1 4.2.2.2"

As far as CCP or CLI - I'm all CLI, so I wouldn't know how easy CCP is unfortunately.

HTH,

John

HTH, John *** Please rate all useful posts ***
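
A pre-shipment check for the two gaps the replies above identify (the missing default route and the missing dns-server in the DHCP pool), added here as an example that is not part of the thread or any Cisco tool; it also flags four management-plane settings visible in the posted configuration. The `audit` function, the `WEAK` table and the finding strings are hypothetical names, and the sample is a shortened excerpt of the configuration posted above.

```python
import ipaddress
import re

# Excerpt of the configuration posted in the thread (before any fixes).
THREAD_CONFIG = """\
ip source-route
ip dhcp pool Office
 import all
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
username cardinal privilege 15 password 0 cardinal
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 38.104.26.150 255.255.255.252
ip http server
snmp-server community public RO
"""

# Management-plane lines worth reviewing before the box leaves the bench.
WEAK = {"ip source-route": "IP source routing enabled",
        "ip http server": "cleartext HTTP management enabled",
        "snmp-server community public": "default SNMP community 'public'"}

def audit(config):
    """Return findings for a single-WAN NAT router config (offline check)."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    ifaces = [ipaddress.ip_interface(f"{a}/{m}") for a, m in
              re.findall(r"^ *ip address (\d\S+) (\d\S+)$", config, re.M)]
    hops = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)",
                      config, re.M)
    if not hops:
        findings.append("no default route to a next-hop address")
    for hop in map(ipaddress.ip_address, hops):
        if any(hop == i.ip for i in ifaces):
            findings.append(f"next hop {hop} is the router's own address")
        elif not any(hop in i.network for i in ifaces):
            findings.append(f"next hop {hop} is not on a connected subnet")
    if "ip dhcp pool" in config and not any(l.startswith("dns-server ") for l in lines):
        findings.append("DHCP pool hands out no dns-server")
    for l in lines:
        findings += [msg for key, msg in WEAK.items() if l.startswith(key)]
        if re.match(r"username \S+ .*password 0 ", l):
            findings.append("local password stored in cleartext (type 0)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(THREAD_CONFIG)))
```

In the posted /30, GigabitEthernet0/1 holds 38.104.26.150, so the only other usable host address on that link is 38.104.26.149. The own-address check catches a default route whose next hop duplicates the interface address.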

OK, I did what you said.  I did want a limited number of IP addresses in my DHCP pool, the rest is reserved for static IPs.

I was able to tracert/ping from the LAN(0/0) port to the WAN (0/1) port.  I'll assume that this means it's routing things correctly.  It's all I have to go on being that I don't have another router and I can't be on-site.

Thanks a ton!

You're welcome! Report back if you have any troubles after it gets onsite...

HTH, John *** Please rate all useful posts ***

OK, the router is on-site and works, however, the download speed is 5.8MB/s.  The upload speed is 87 MB/s, which is more like it.

Any ideas?
