06-15-2012 10:26 AM - edited 03-04-2019 04:41 PM
I am a Cisco Noob.
That said, I am having trouble setting up my new 1921. Also, I'd like to note that I am setting it up for an office that I do not work in, so I cannot verify if the routing is working when I change it. I kind of need a bulletproof routing setup inside this thing before I box it up and send it there again. The people in that office are less knowledgeable than I am, so if it gets there and it doesn't work it just gets shipped back to me on my dime.
The office has a fiber connection from Cogent with 1 static IP address. I have already set the WAN port to 100MB Full Duplex as per Cogent's requirements.
I have been able to set the gigabitethernet 0/0 up for my LAN, with DHCP. That works fine.
I set my gigabitethernet 0/1 up for wan, entering in the static IP that I was given, and the subnet mask.
I have no idea what to enter for routing. Or where. I know this probably sounds terrible, but it's my first router I have ever had to manually set up.
I am looking for any help, as specific as possible. I would do trial and error, but I am not hooked up to the internet connection / IP that the office uses so I have no idea how to tell if it's working or not.
Thanks in advance to anyone willing to help me out of this hole I was cast into!
Here is my current configuration:
no aaa new-model
clock timezone MDT -7 0
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool Office
import all
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
!
!
ip domain name yourdomain.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1146180459
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1146180459
revocation-check none
rsakeypair TP-self-signed-1146180459
!
!
crypto pki certificate chain TP-self-signed-1146180459
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn FTX161481JY
!
!
username cardinal privilege 15 password 0 cardinal
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description localArea$ETH-LAN$
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 38.104.26.150 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.1
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
snmp-server community public RO
!
control-plane
!
!
06-15-2012 10:33 AM
Aaron,
You're going to need a default route pointing to the gateway (provider's router). Do you have that info? If not, you'll need to get it.
Then you'll need:
ip route 0.0.0.0 0.0.0.0
At first glance, natting looks correct so this may be all that you need.
HTH,
John
06-15-2012 10:38 AM
I hope it's that easy.
To be sure of what you are saying, if my external IP is x.x.x.149 and my gateway is x.x.x.150, I should set
ip route 0.0.0.0 0.0.0.0 x.x.x.150
That will allow traffic to flow between the two interfaces. Is there any way to test that this is happening before I ship it out?
I really appreciate the help!
06-15-2012 10:49 AM
According to what you posted, yes that's all you need. I do see that you're not assigning dns servers in your dhcp pool though. That's going to cause an issue for users getting an address and not being able to resolve domain names. But overall the config looks good. The only way that I'm aware that you'll be able to test is going to be to put another router on the other side and set the 2 routers' interfaces to be on a network between themselves. Then put a host on the 'inside' portion of the network and check the dhcp piece. You should be able to ping the other router from that host. Otherwise, you'll have to test onsite if you don't have a way of doing that.
John
* Please rate useful posts *
06-15-2012 11:06 AM
Last question, sorry for being a pain.
I should specify the DNS servers that my ISP gave me in the DHCP Pool? Is there a specific port I should assign these to? I am assuming the LAN (0/0) port.
Would this be easier done in CCP or via the command line?
Again, sorry, but you're extremely helpful.
Here is my current config, with the DNS servers in the DHCP Pool. Look good?
no aaa new-model
clock timezone MDT -7 0
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool Office
import all
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
!
!
ip domain name yourdomain.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1146180459
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1146180459
revocation-check none
rsakeypair TP-self-signed-1146180459
!
!
crypto pki certificate chain TP-self-signed-1146180459
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn FTX161481JY
!
!
username cardinal privilege 15 password 0 cardinal
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description localArea$ETH-LAN$
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 38.104.26.150 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.1
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
snmp-server community public RO
!
control-plane
!
!
06-15-2012 11:37 AM
Aaron,
No worries. Let's go at this step by step:
ip dhcp excluded address excludes a range of addresses from being able to be assigned to hosts. You have the whole range from 10.0.1.101 to 10.0.1.254 excluded. Are you only wanting to assign 10.0.1.2 - 10.0.1.100? If so, this is perfectly fine.
The dhcp scope should look something like this:
ip dhcp pool Office
import all
dns-server
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
So, dns server would be something like "dns-server 4.2.2.1 4.2.2.2"
As far as CCP or CLI - I'm all CLI, so I wouldn't know how easy CCP is unfortunately.
HTH,
John
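A pre-ship check for the two gaps raised in the replies above (a default route with a next hop, and dns-server in the DHCP pool), as an added example that is not from any poster; it also flags two weak defaults visible in the posted config. The names sections and audit and the next hop 38.104.26.149 (the other usable host in the /30 of the posted WAN address) are assumptions for illustration.

```python
import ipaddress

# Constructed sample: lines from the posted config; the next hop .149 is an assumption.
SAMPLE = """\
ip dhcp pool Office
 import all
!
username cardinal privilege 15 password 0 cardinal
interface GigabitEthernet0/1
 ip address 38.104.26.150 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 38.104.26.149
snmp-server community public RO
"""

def sections(config):
    # Group stripped lines under their interface / DHCP pool header; "!" ends a section.
    out, cur = {"global": []}, "global"
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("", "!"):
            cur = "global"
        elif line.startswith(("interface ", "ip dhcp pool ")):
            cur = line
            out[cur] = []
        else:
            out[cur].append(line)
    return out

def audit(config, wan="GigabitEthernet0/1"):
    sec, findings = sections(config), []
    addr = [l.split()[2:4] for l in sec.get(f"interface {wan}", []) if l.startswith("ip address ")]
    hops = [l.split()[4] for l in sec["global"] if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if not hops:
        findings.append("no default route with a next hop")
    for hop in hops:
        try:  # skipped when the WAN address is not static or the route names an interface
            iface, ip = ipaddress.ip_interface("/".join(addr[0])), ipaddress.ip_address(hop)
        except (IndexError, ValueError):
            continue
        net = iface.network
        if ip == iface.ip or ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append(f"next hop {hop} is not the far end of {net}")
    for name, body in sec.items():
        if name.startswith("ip dhcp pool ") and not any(l.startswith("dns-server ") for l in body):
            findings.append(f"{name}: no dns-server")
    for needle, msg in ((" password 0 ", "cleartext (type 0) password"),
                        ("snmp-server community public", "SNMP community left at 'public'")):
        if any(needle in l for l in sec["global"]):
            findings.append(msg)
    return findings
```

Run audit() on the text of show running-config before boxing the router; an empty list means none of these checks fired.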
06-15-2012 11:48 AM
OK, I did what you said. I did want a limited number of IP addresses in my DHCP pool, the rest is reserved for static IPs.
I was able to tracert/ping from the LAN(0/0) port to the WAN (0/1) port. I'll assume that this means it's routing things correctly. It's all I have to go on being that I don't have another router and I can't be on-site.
Thanks a ton!
06-15-2012 11:49 AM
You're welcome! Report back if you have any troubles after it gets onsite...
06-22-2012 06:33 AM
OK, the router is on-site and works, however, the download speed is 5.8MB/s. The upload speed is 87 MB/s, which is more like it.
Any ideas?