Solved: Cisco 2911 ADSL NAT configuration - LoopBack/SVI question

whickwire · ‎08-16-2018

I am running into a problem with my NAT configuration on this router. I have successfully leased a connection from my ISP but am wondering about what the setup would look like if the ip address is negotiated. It's my understand and possibly the wrong one that I will need to possibly duo a policy map or create a loopback interface and reference the leased IP to make things work with my switching equipment. (This 2911 has old fw and doesn't support SVI's unfortunately)

Previously when I hooked up my router to a generic Cable connection that seemed relatively easy because the interface was actually receiving an address and then I just had to make a simple acl and overload.

Building configuration...

Current configuration : 1770 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreRouter
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$M6fZ$TDpU3j4kbBqI9ZE1Nrv9e0
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description UPLINK to TEKSAVY
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
ip address 10.79.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
clock rate 125000
!
interface Dialer1
ip address negotiated
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
delay 50000
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ymca79james@teksavvy.com
ppp chap password 0 ymca79Jame5
ppp pap sent-username ymca79james@teksavvy.com password 0 ymca79Jame5
ppp ipcp dns request accept
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

Georg Pauwen · ‎08-16-2018

Hello,

below is a way to do it (changes marked in bold). Make sure the uplink port on the switch is reverted back to a switchport.

Current configuration : 1770 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
dot11 syslog
!
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
username admin privilege 15 secret 5 $1$M6fZ$TDpU3j4kbBqI9ZE1Nrv9e0
archive
log config
hidekeys
!
bridge irb
!
interface FastEthernet0/0
description UPLINK to TEKSAVY
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
no ip address
bridge-group 1
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
clock rate 125000
!
interface BVI1
ip address 10.79.0.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
delay 50000
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ymca79james@teksavvy.com
ppp chap password 0 ymca79Jame5
ppp pap sent-username ymca79james@teksavvy.com password 0 ymca79Jame5
ppp ipcp dns request accept
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!

bridge 1 protocol ieee
bridge 1 route ip
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

View solution in original post

Georg Pauwen · ‎08-16-2018

Hello,

I am not clear on what you are asking. Has your ISP given you a subnet mask to go with the IP address ?

whickwire · ‎08-16-2018

Your probably getting sick of me Georg but I appreciate you help :)

My ISP has told me and I'm quoting "There isn’t a subnet mask for this static IP, its pulled from a PPPOE session and assigned." I can purchase a /30 Subnet (2 usable IP addresses) and he has stated I would assign the /30 to one of the ports and setup static routes. Is this what I am after?

Georg Pauwen · ‎08-16-2018

Hello,

what do you want to do, connect a switch to the router ? There really is no advantage to purchasing a /30 subnet, as all you need for external connecivity is the address assigned to the dialer...

Not sure if I understand what you are asking...:|

whickwire · ‎08-16-2018

Sorry, yes a switch is connected to the router but I get no connectivity from it.

FA 0/0 is the internet uplink from the DSL modem

FA 0/1 is the uplink that is connected to the switch IP 10.79.0.1

SW 0/23 I have issued no switchport and assigned IP 10.79.0.2

The default route on the switch points to the internal router interface in my case 0.0.0.0 0.0.0.0 10.79.0.1

The default route on the router points to the dialer 0.0.0.0 0.0.0.0 dialer1

The NAT statement doesn't appear to be translating the internal to the external. Does that make sense?

Georg Pauwen · ‎08-16-2018

Hello,

below is a way to do it (changes marked in bold). Make sure the uplink port on the switch is reverted back to a switchport.

Current configuration : 1770 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
dot11 syslog
!
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
username admin privilege 15 secret 5 $1$M6fZ$TDpU3j4kbBqI9ZE1Nrv9e0
archive
log config
hidekeys
!
bridge irb
!
interface FastEthernet0/0
description UPLINK to TEKSAVY
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
no ip address
bridge-group 1
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
clock rate 125000
!
interface BVI1
ip address 10.79.0.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
delay 50000
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ymca79james@teksavvy.com
ppp chap password 0 ymca79Jame5
ppp pap sent-username ymca79james@teksavvy.com password 0 ymca79Jame5
ppp ipcp dns request accept
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!

bridge 1 protocol ieee
bridge 1 route ip
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

whickwire · ‎08-16-2018

That is so cool. I had no idea about Bridge Groups.

I'm probably out of my depth here as I take my ICND1 in the fall but this certainly beats the help desk!

Thanks Again!

Georg Pauwen · ‎08-17-2018

Hello,

when you have different Vlans and want them all to connect to the Internet, a pretty common configuratiois what is called 'router-on-a-stick', which basically means that you create dot1q subinterfaces for each Vlan on the router.

Check the document below:

https://community.spiceworks.com/how_to/55605-how-to-configure-router-on-a-stick

whickwire · ‎08-17-2018

Unable to go to VLAN route as my 2911 does not support dot1q. The BVI was very cool, I had no idea it existed.