01-02-2012 04:48 PM - edited 03-04-2019 02:48 PM
This is my first experience with a Cisco router so any help is very much appreciated!!
Physical devices are a Cisco 2901 (CISCO2901/K9) with GE0/0 configured as 192.168.1.1
Connected through a D-Link DGS-1210-24 configured as 192.168.1.202
Running on a domain with an HP domain server as 192.168.1.2
The 2901 has an EHWIC (VA-DSL-A oPoTS) in EHWIC 0/0/0
GE 0/0 on the 2901 is physically connected to the DGS-1210 which is physically connected to the server.
VDSL 0/0/0 is physically connected to the DSL jack.
So far the configuration reports all is connected, and I can ping the gateway of our ISP (using CLI or Cisco CP); however the server reports no internet connection and no workstations can access the 'net.
Once connected, I'd also like to allow ports through for use on the network (25, 80, 110, 443, 987, 1723) - but not sure on how to do that just yet!
Our IP is 202.27.19x.19x
Our Gateway is 202.27.217.5
I've attached the running configuration below:
Building configuration...
Current configuration : 6404 bytes
!
! Last configuration change at 13:17:30 PCTime Tue Jan 3 2012 by QslNetworks
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname QSLNZ
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$srr3$wEOhxPfw6whRK8p.fNzuf1
!
no aaa new-model
!
clock timezone PCTime 12 0
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name qslnz.co.nz
ip name-server 192.168.1.2
ip name-server 202.14.102.1
ip name-server 202.27.217.195
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-769720646
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-769720646
revocation-check none
rsakeypair TP-self-signed-769720646
!
!
crypto pki certificate chain TP-self-signed-769720646
certificate self-signed 01
quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FGL155121A5
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
!
!
username QslNetworks privilege 15 secret 5 $1$kGcI$0EVyNNtaVDXoaSjm6IPux.
!
redundancy
!
!
!
!
controller VDSL 0/0/0
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
description $FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no fair-queue
no mop enabled
!
interface Dialer0
ip address 202.27.19x.19x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ___ username@hostname ___ REPLACED ___
ppp chap password 7 120811040B59555C7E
ppp pap sent-username ___ username@hostname ___ REPLACED ___ password 7 071E355F575B405D43
no cdp enable
!
!
router rip
passive-interface GigabitEthernet0/0
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 202.27.217.5 permanent
!
logging trap debugging
dialer-list 1 protocol ip permit
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
EDIT: CLI content was scrambled
Message was edited by: Matthew Penn
01-02-2012 05:35 PM
Is the server configured with the correct default gateway (192.168.1.1)?
01-02-2012 05:39 PM
Yes, the temp router we have on loan was also configured with this IP and worked fine on the network.
When we connect the 2901 the connection drops...
01-02-2012 06:00 PM
You said you can ping any device on the Internet from the router;
now, can you ping the same devices using source address 192.168.1.1 (see below)?
ping x.x.x.x source 192.168.1.1
If the above does not work, can you add the statements below to your router and try testing again?
access-list 1 permit 192.168.1.0 0.0.0.255 any
ip nat inside source list 1 interface Dialer0 overload
HTH
01-02-2012 06:27 PM
That solved it!
I wasn't able to add the -any at the end of the first command line though; it returned an error at that point...
How would I best go about opening ports for services on:
25
80
110
443
987
1723
01-02-2012 06:38 PM
To allow these ports, you can create an access list and permit them:
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 987
access-list 102 permit tcp any any eq 1723
Then
interface GigabitEthernet0/0
ip access-group 101 in
HTH
01-02-2012 07:21 PM
Added those; somehow that takes down my internet connection.
How do I remove those so I can start again?
EDIT:
Got them removed, and in doing so spotted I'd created the wrong association!
Created them again as above. Internet connectivity seems ok. Just checking inwards on the ports.
Message was edited by: Matthew Penn
01-02-2012 07:44 PM
Do I need to configure anything else associated with those ports?
Test email messages aren't coming in to the server, and using the www.canyouseeme.org website I get Connection refused on those ports.
Thanks heaps for your help so far!
01-03-2012 01:28 AM
When I try to log in to our Outlook Web Access it gives a certificate warning error.
If I ignore the error and try to navigate to the page; it fails.
Could it be a security setting, and not exactly the ports that's preventing OWA and mail being delivered to the server?
Cheers
01-03-2012 02:17 AM
Hi,
to publish these services for outside you need static PAT entries:
let's suppose your server is 192.168.1.10.
ip nat inside source static tcp 192.168.1.10 25 dialer0 25
ip nat inside source static tcp 192.168.1.10 110 dialer0 110
ip nat inside source static tcp 192.168.1.10 80 dialer0 80
ip nat inside source static tcp 192.168.1.10 443 dialer0 443
ip nat inside source static tcp 192.168.1.10 987 dialer0 987
ip nat inside source static tcp 192.168.1.10 1723 dialer0 1723
You can also delete the access-list 102 and the access-group command on g0/0
If you want security then either use CBAC or ZBF to have a stateful firewall and permit this traffic to your server(s).
don't forget to rate if helpful.
Regards.
Alain
01-03-2012 12:13 PM
I'm getting an 'invalid input detected' indication at dialer0 when using this command (but with 192.168.1.2 for the domain server)
01-03-2012 01:24 PM
Hi,
sorry I missed the interface keyword so replace dialer0 by interface dialer0
Regards.
Alain
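A small config lint, added here as an example (it is not from the thread and not a Cisco tool), that checks a pasted IOS running config for the mistakes this thread walks through: the trailing "any" on a standard access-list, the static PAT line missing the "interface" keyword, an access-group that points at an ACL number never defined or that is applied inbound on the LAN interface (where its implicit deny blocks the rest of the LAN), telnet left on the vty lines, and NAT inside/outside set with no translation rule. The embedded SAMPLE is a constructed, trimmed stand-in, not the poster's full config.

```python
# Constructed stand-in for the thread's config (an assumption: trimmed, not the
# poster's full running config); it reproduces each mistake discussed above.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group 101 in
interface Dialer0
 ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq smtp
ip nat inside source static tcp 192.168.1.2 25 dialer0 25
line vty 0 4
 transport input telnet ssh
"""

def check_config(text):
    """Lint an IOS config for the NAT and ACL mistakes seen in this thread."""
    findings, acls, applied, block = [], set(), [], ""
    nat = {"inside": [], "outside": [], "rule": False}
    for raw in text.splitlines():
        line, tok = raw.strip(), raw.split()
        if not tok or tok[0] == "!":
            continue
        block = block if raw[0].isspace() else line  # unindented line opens a block
        if tok[0] == "access-list":
            acls.add(tok[1])
            # standard ACLs (1-99) match a source only; a destination is rejected
            if tok[1].isdigit() and int(tok[1]) < 100 and len(tok) > 4 and tok[-1] == "any":
                findings.append(f"access-list {tok[1]}: standard ACL takes no destination")
        elif line.startswith("ip nat inside source"):
            nat["rule"] = True
            if "static" in tok and tok[-2].lower().startswith("dialer") and tok[-3] != "interface":
                findings.append(f"static PAT: '{tok[-2]}' must be written 'interface {tok[-2]}'")
        elif block.startswith("interface"):
            iface = block.split()[1]
            if line in ("ip nat inside", "ip nat outside"):
                nat[tok[-1]].append(iface)
            elif tok[:2] == ["ip", "access-group"]:
                applied.append((iface, tok[2], tok[3]))
        elif block.startswith("line vty") and tok[:2] == ["transport", "input"] and "telnet" in tok:
            findings.append(f"{block}: telnet allowed on vty; restrict transport input to ssh")
    for iface, acl, direction in applied:
        if acl not in acls:
            findings.append(f"{iface}: access-group {acl} refers to an undefined ACL")
        elif iface in nat["inside"] and direction == "in":
            findings.append(f"{iface}: ACL {acl} inbound on the LAN side drops all other LAN traffic")
    if nat["inside"] and nat["outside"] and not nat["rule"]:
        findings.append("NAT: inside/outside set but no 'ip nat inside source' translation rule")
    return findings
```

Running it on a real "show running-config" paste works the same way; it only reports, so it is safe to point at a config you are about to apply.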