02-13-2014 12:58 AM - edited 03-04-2019 10:19 PM
Hello sirs,
I'm new to this, so please forgive my ignorance. I have a Cisco 876 router running the advipservicesk9-mz.124-15.T17 IOS. My ADSL2+ line is PSTN, so I figured I could use this router with a Zyxel modem in bridged mode, and after much frustration and searching the web I finally got it to work. I also used Cisco CCP to apply a zone firewall in low mode, since I know very little about firewalls. I'm posting my configuration below and would appreciate any feedback as to whether it is correct or not. Also, is there a way to create a second VLAN so that the Zyxel modem would be accessed through a different network than my primary VLAN?
Thanks in advance
Building configuration...
Current configuration : 9546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Kerberos
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$26AC$XdfeeI/jEufq7z71fGib..
!
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication login clientauth local
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone Athens 2
!
crypto pki trustpoint TP-self-signed-2038751039
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2038751039
revocation-check none
rsakeypair TP-self-signed-2038751039
!
!
crypto pki certificate chain TP-self-signed-2038751039
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name chaos.com
!
multilink bundle-name authenticated
!
!
username babz privilege 15 password 7 110D000B16011F15
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class class-default
policy-map type inspect ccp-permit
class class-default
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
description ADSL WAN Interface
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.200 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
pppoe enable group global
!
interface Dialer1
description ADSL WAN Dialer$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname *****************************
ppp chap password 7 *********************
ppp ipcp dns request
ppp ipcp route default
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 7
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation finrst-timeout 120
ip nat inside source list 1 interface Dialer1 overload
!
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 7 remark HTTP Access-class list
access-list 7 remark CCP_ACL Category=1
access-list 7 permit 192.168.1.230
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 192.168.1.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq telnet
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 22
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq www
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 443
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq cmd
access-list 101 deny tcp any host 192.168.1.200 eq telnet
access-list 101 deny tcp any host 192.168.1.200 eq 22
access-list 101 deny tcp any host 192.168.1.200 eq www
access-list 101 deny tcp any host 192.168.1.200 eq 443
access-list 101 deny tcp any host 192.168.1.200 eq cmd
access-list 101 deny udp any host 192.168.1.200 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip host 192.168.1.230 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
+-------------------------------------------------------+
| |
| CHAOS |
| |
| |
| |
+-------------------------------------------------------+
| UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE AND |
| ATTACHED NETWORKS IS STRICTLY PROHIBITED. |
| You must have explicit permission to access or |
| configure this device. All activities performed on |
| this device may be logged or monitored without further|
| notice, and the resulting logs may be used as evidence|
| in court. |
| Any unauthorized use of the system is unlawful, and |
| may be subject to civil and/or criminal penalties. |
+-------------------------------------------------------+
^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
02-14-2014 03:44 AM
Hi,
You can't make it an L3 routed port, so if you have IOS 15 you can do an intra-zone policy with ZBF, or you can maybe put an L2 access-list on it if that is possible on this platform, but I'm not sure it is.
Regards
Alain
Don't forget to rate helpful posts.
02-13-2014 04:11 AM
Anyone??
02-13-2014 04:21 AM
Hi,
For the second VLAN:
- on the interface where a device in this VLAN is connected:
int f1/x
switchport access vlan x
- create the SVI:
int vlan 2
ip address 192.168.2.254 255.255.255.0
- make this interface part of the inside zone:
int vlan 2
zone-member security in-zone
Regards
Alain
Don't forget to rate helpful posts.
02-13-2014 04:26 AM
Hello Alain, I tried your example:
int vlan 2
ip address 10.10.10.2 255.255.255.0
interface fae0
switchport access vlan 2
but then PPPoE drops. I tried restarting the dialer interface, but it gets no IP from the ISP.
02-13-2014 06:01 AM
Hi,
I forgot to edit the ACL for NAT:
access-list 1 permit 10.10.10.0 0.0.0.255
This should have no impact on dialer interface getting an IP as you only changed the LAN.
Regards
Alain
Don't forget to rate helpful posts.
02-13-2014 07:52 AM
Hi again,
Yet the same thing happens: as soon as I enter switchport access vlan 2 on ethernet0 (that's the interface that the dialer uses for PPPoE), the connection drops :S
02-13-2014 08:04 AM
Hi,
Of course this is on another interface, not the one connected to the bridged modem.
I hadn't remarked that you had done this before.
Regards
Alain
Don't forget to rate helpful posts.
02-13-2014 08:08 AM
So what you are saying is that this interface Fae0 that's on the bridged modem cannot change VLAN? It must always be on 192.168.1.200?
I've done this because my modem (Zyxel) is a single port, and I'm trying to maintain access to it but have it on a different network than my LAN.
02-13-2014 08:15 AM
You're running PPPoE on this interface, so this is the dialer interface which gets an IP from PPP, and this is your outside interface.
Your VLAN interface is for L3 access for clients connected to L2 ports in the corresponding VLAN; these are the inside interfaces.
Oh, and I realize I still forgot one thing: you have to enable NAT with ip nat inside on the corresponding VLAN interface,
otherwise traffic won't get NATed. I forgot lots of basic stuff when replying to this thread (I'm a little bit tired these days and I reply too fast without making my brain work).
Regards
Alain
Don't forget to rate helpful posts.
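A small config lint, added here as an example and not part of the thread, that flags the two things Alain says he forgot when adding the second VLAN: an in-zone SVI without ip nat inside, and a LAN subnet missing from the standard numbered ACL that the Dialer1 NAT statement references. The sample config is a constructed excerpt modelled on the posted one, with Vlan2 added as described above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config, with Vlan2 added before the NAT ACL and "ip nat inside" were corrected.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.200 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface Vlan2
 ip address 10.10.10.2 255.255.255.0
 zone-member security in-zone
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def parse_interfaces(config):
    # Map each interface name to its stripped sub-commands (indented lines)
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def nat_acl_networks(config):
    # Networks permitted by the standard numbered ACL named in "ip nat inside source list"
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if not m:
        return []
    pat = rf"^access-list {re.escape(m.group(1))} permit (\d\S*) (\S+)"
    nets = []
    for net, wild in re.findall(pat, config, re.M):
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))  # wildcard = inverted mask
        nets.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return nets

def check_inside_zone(config):
    """Report in-zone interfaces whose traffic would not be NATed out of Dialer1."""
    findings, acl_nets = [], nat_acl_networks(config)
    for name, cmds in parse_interfaces(config).items():
        if "zone-member security in-zone" in cmds:
            if "ip nat inside" not in cmds:
                findings.append(f"{name}: missing 'ip nat inside'")
            for cmd in (c for c in cmds if c.startswith("ip address ") and "negotiated" not in c):
                net = ipaddress.IPv4Network("{}/{}".format(*cmd.split()[2:4]), strict=False)
                if not any(net.subnet_of(acl) for acl in acl_nets):
                    findings.append(f"{name}: {net} is not covered by the NAT ACL")
    return findings
```

Running check_inside_zone over the posted config (after normalising its indentation) reports nothing; the same run after adding Vlan2 without the two follow-up changes reports both omissions.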
02-13-2014 08:34 AM
Thank you very much for your input; what you mention makes absolute sense. What I cannot understand is why, if I leave the config as it is, I have access to the bridged modem through Fae0 (dialer interface).
02-13-2014 09:26 AM
Hi,
Which config, the one you had before?
What don't you understand?
Regards
Alain
Don't forget to rate helpful posts.
02-13-2014 09:50 AM
Yes, the one I posted above. With that configuration I'm able to access the Zyxel through fae0, the same port that Dialer1 uses, which is the port that's connected to the Zyxel. I'm sorry if my questions seem stupid, but I'm trying to learn and have no previous experience with Cisco routers.
02-13-2014 12:29 PM
I don't understand exactly what you want to know.
Could you clarify, please?
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 12:05 AM
Hello and thanks again for spending time to help out,
look:
c876 (192.168.1.200) ethernet0 ----------> zyxel (192.168.100) in bridged mode. That's how it's connected. What I don't understand is why I can still access the Zyxel web interface: ethernet0 on the 876 is supposed to be the dialer's interface, and it works that way just fine, but it also works as a LAN interface...
02-14-2014 12:55 AM
Hi,
Ok, so all 4 Ethernet ports on the 876 are switch ports, so are you sure your Zyxel is indeed bridging? Because the dialer interface should be linked to an L3 port, as far as I know.
Can you provide the following output:
- sh ip int br
- sh ip route
Regards
Alain
Don't forget to rate helpful posts.