
Probably a pppoe connection or routing problem?

Robert_Gorajski
Level 1

 

This is my first post - my name is Robert. And hello to everyone.

 

Last week I bought a Cisco C1111-8P router. It will be used in my home. I just bought it to learn Cisco devices.
Last weekend, I tried to configure it - unfortunately I ran into a problem that I can't deal with.


My configuration is:

ISP Fiber Modem <-----> C1111-8P <-----> Home LAN with VLANs

 

I will describe my actions one by one (I configured via con 1)

1 / I have configured the DNS server

2 / I have configured the name-servers that I want to use: 1.1.1.1 and 1.0.0.1

3 / I configured the WAN interface - Gi0/0/1

4 / I have configured the dialer 1 interface

5 / I configured IP VLAN1 (currently includes all Gi0/1/0 to Gi0/1/7 LAN interfaces)

5 / I have configured a DHCP server

6 / I have set up additional things like account / passwords etc.

7 / I have configured ACL 101

 

I connected two PCs - settings from DHCP: to Gi0/1/0 (Linux) and Gi0/1/1 (Windows 10). The computers set the DHCP configuration correctly.


On the router I ran PING 1.1.1.1 and PING google.com

I got the answers

 

Additionally, on Linux and Windows computers the Internet does not work properly:

If I PING on my computer to any IP address 1.1.1.1 / 8.8.8.8 / 4.4.4.4 etc. - everything is OK

If I PING to any name cisco.com / google.com / duckduckgo.com etc. - everything is OK


However, pages in the web browser: either open OK (fast), or only part of the page loads, or the page does not open at all. I tried to download the file from, for example, https://www.opera.com/pl - unfortunately it fails. But the video from youtube.com works great. eg. "BREATHTAKING COLORS OF NATURE IN 8K | 8K BEAUTIFUL NATURE - RELAXATION MUSIC 8K FUHD SCREENSAVER" - https://www.youtube.com/watch?v=bUCfv8D_hoQ - I am watching this video in 1080p FHD by writing this post.

 

Attention! My ISP's engineer told me to set up:
pppoe - pap, chap, mschap1, mschap2
and to try setting the MTU to 1480, and if that is not OK, change it to 1492.

Unfortunately, changing MTU and shut / no shut Dialer 1 interface does nothing.

 

Below is my entire configuration.

I changed the real data to XXX in several places. e.g. login and password for pppoe

 

Do you have any suggestions on what I am doing wrong and how can I fix this problem?


Thank you very much in advance for your help.

 

KRGR#show configuration
Using 2795 out of 33554432 bytes
!
! Last configuration change at 19:54:27 UTC Mon Jul 12 2021 by frampt
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname KRGR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip name-server 1.1.1.1 1.0.0.1
ip domain name robert.name
ip dhcp excluded-address 10.100.100.101 10.100.100.254
!
ip dhcp pool vlan1_dhcp_pool
 network 10.100.100.0 255.255.255.0
 default-router 10.100.100.254
 dns-server 10.100.100.254
 lease 7
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2831065596
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2831065596
 revocation-check none
 rsakeypair TP-self-signed-2831065596
!
!
crypto pki certificate chain TP-self-signed-2831065596
 certificate self-signed 01 nvram:IOS-Self-Sig#9.cer
!
license udi pid C1111-8P sn XXX
license boot level securityk9_npe
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username XXX privilege 15 secret 9 XXX
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 speed 1000
 no negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 ip address 10.100.100.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1480
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap ms-chap ms-chap-v2 callin
 ppp pap sent-username XXX password 0 XXX
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source list 101 interface Dialer1 overload
ip ssh version 2
!
!
ip access-list extended 101
 deny   tcp any any eq 22
 permit icmp 10.100.100.0 0.0.0.255 any
 permit tcp 10.100.100.0 0.0.0.255 any
 permit udp 10.100.100.0 0.0.0.255 any
 permit ip 10.100.100.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 60 0
 login local
 transport input none
 stopbits 1
line vty 0 5
 login local
 transport input ssh
!
!
!
!
!
!
end
Accepted Solutions

Alex Pfeil
Level 7

I would change your NAT Access-list because the deny SSH was not really doing anything for you.

 

ip access-list extended 101
 permit ip 10.100.100.0 0.0.0.255 any

I believe you would have to change the tcp adjust-mss if you have the MTU on the interface set to 1480 as well.

interface Dialer1
 ip tcp adjust-mss 1400

Do you have a default route besides the ipcp default route command?

ip route 0.0.0.0 0.0.0.0 Dialer1?

 

Please try this and let me know.

Gentlemen, thank you very much for your quick reply

 

Alex Pfeil - thanks a lot for your help!

 

interface Dialer1
  ip tcp adjust-mss 1400

This is it !!! - Everything works great.

 

 

 

If you allow me, I only have two more questions:

 

You wrote:

 

"I would change your NAT Access-list because the deny SSH was not really doing anything for you."

 

My goal is to close the SSH port from the Internet so that no one tries to log in from the outside - am I wrong?

 

and

"Do you have a default route besides the ipcp default route command? - ip route 0.0.0.0 0.0.0.0 Dialer1?"

 

For what purpose - from the documentation, I understood that in this case, the command:

 

ppp ipcp route default

sets my routing table to the value taken from the ISP - isn't that the same?

 

 

Or maybe setting:

 

no ppp ipcp route default
ip route 0.0.0.0 0.0.0.0 Dialer1

 

Is it more secure?

 

Sorry for the newbie questions, but until last week I had not entered a single command on a Cisco router. So far, I have used a Ubiquiti EdgeRouter and a MikroTik router at home. My setup above is the result of reading documentation on Cisco websites and searching the Internet.

 

Thanks again for your help!

 

Hello

try the following:

ip route 0.0.0.0 0.0.0.0 dialer 1
no ip name-server

int dialer 1
ppp ipcp dns request

no ip access-list extended 101
ip access-list extended 101
deny tcp 10.100.100.0 0.0.0.255 any eq 22
permit ip 10.100.100.0 0.0.0.255 any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Alex Pfeil
Level 7

The reason the SSH command is not necessary is that NAT is only 1 way for PAT.

A PAT connection by default will not allow any connections from the outside in. What you can try to do is connect to your outside IP address via SSH and if it is successful, then apply an ACL to the Dialer interface similar to the ACL that you have already completed.

The route command that you have should be good. I have seen recommendations to have both, but I do not believe it would be necessary. You could also do a floating static so that if you lose the default, it would add it back in statically. I would not worry about it if everything is working.

ip route 0.0.0.0 0.0.0.0 Dialer1 255
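
An added example, not part of any post in this thread: a small Python audit of the two points discussed above. It flags an `ip tcp adjust-mss` larger than the interface `mtu` minus 40 bytes of IPv4 and TCP headers, and reports whether the SSH-accepting vty lines and the NAT outside interface carry an inbound filter (`access-class ... in`, `ip access-group ... in`), since NAT list 101 only selects traffic to translate. The sample configuration is constructed from lines posted in the thread; the function names are this example's own.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.100.100.254 255.255.255.0
 ip tcp adjust-mss 1452
interface Dialer1
 mtu 1480
 ip nat outside
 ip tcp adjust-mss 1452
line vty 0 5
 login local
 transport input ssh
"""

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def sections(config):
    """Map each top-level IOS line to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out


def audit(config):
    """Return findings for oversized MSS clamps and unfiltered SSH exposure."""
    findings = []
    for head, body in sections(config).items():
        text = "\n".join(body)
        mtu = re.search(r"^mtu (\d+)$", text, re.M)
        mss = re.search(r"^ip tcp adjust-mss (\d+)$", text, re.M)
        if mtu and mss:
            limit = int(mtu.group(1)) - IP_TCP_HEADERS
            if int(mss.group(1)) > limit:
                findings.append(f"{head}: adjust-mss {mss.group(1)} exceeds "
                                f"mtu {mtu.group(1)} - 40 = {limit}")
        if "ip nat outside" in body and not re.search(r"^ip access-group \S+ in$", text, re.M):
            findings.append(f"{head}: NAT outside interface has no inbound ip access-group")
        if (head.startswith("line vty") and "transport input ssh" in body
                and not re.search(r"^access-class \S+ in", text, re.M)):
            findings.append(f"{head}: SSH accepted with no access-class filter")
    return findings
```

With the values from the thread, `mtu 1480` allows an MSS of at most 1440, so the original 1452 is flagged and the accepted answer's 1400 passes.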

 
