Re: Cannot Access Internet Through SR520 Router

davefieldsea · ‎04-03-2013

Good Afternoon,

I'm extremely new to the world of Cisco CLI Routers and to be completely honest I know I'm a bit out of my depth here. However, I've been asked to create a basic setup on our SR520 router to connect to a PPPoA BT Connection. Due to the fact that the Cisco Configuration Assistant doesn't support PPPoA, I've had to do this via the CLI which is proving to be a bit of a pain..

I've followed this guide http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a601.shtml here which helped do a basic config but I changed a couple of things such as the vlan 75 details and the DHCP scope via the CCA.

Anyway, I have got it connected to the internet and the Rx/Tx lights are flashing with the CD light solid so I guess that's a good start! However, I'm thinking that NAT and/or the firewall settings aren't working because I cannot contact any websites or even ping the external DNS server from a client.

I would really appreciate it if someone can point me in the right configuration. I think I need to disable the dialer 0, I've shut it down but not sure if that helped? My router config is attached.

-> THIS PART IS NO LONGER AN ISSUE -- On a side note, I keep getting the following appear:

*Apr 2 15:35:38.987: %FW-6-DROP_PKT: Dropping udp session 192.168.75.11:64757 8.8.8.4:53 due to One of the interfaces not being cfged for zoning with ip ident 0

Pretty sure this is my FW dropping packets which doesn't help but no idea how to fix it! <-

Any help would be most appreciated, thank you in advance!

Edit: LATEST CONFIG IS ALWAYS IN MY LATEST REPLY

kcnajaf · ‎04-03-2013

Hi Dave,

I have not personally worked on SR 520 router, but still could you try testing by removing the zone based firewall configuration from interface and see if you are getting the same result.

conf terminal

interface Dialer1

no zone-member security out-zone

!

interface Vlan75

no zone-member security in-zone

Regards

Najaf

Please rate when applicable or helpful !!!

davefieldsea · ‎04-03-2013

Thank you very much for your reply, unfortunately it didn't seem to change anything which leads me to think that maybe my ATM/Dialer configuration is incorrect.

I appreciate that you haven't used this particular router but wondering if you could have a quick nose around the rest of the config to see if anything is obviously wrong there.

As I've made a few changes since my original post, here is my updated config attached.

Do you know if there is a way to see the status of the dialer/ATM interfaces to see whether it's picked up and IP from the ISP?

Thanks for the help so far!

Edit: Latest config is in latest reply.

kcnajaf · ‎04-03-2013

Hi Dave,

show ip interface brief should show if the interface has picked up an ip address.

Regards

Najaf

Please rate when applicable or helpful !!!

davefieldsea · ‎04-04-2013

Thanks for the help so far guys.

I have changed a few things in my config, like removing the packet dropping and I've checked that the IP is being picked up by the dialer.. which it's not. Here is the output from my interfaces:

show ip interface br

Interface IP-Address OK? Method Status Protocol

FastEthernet0 unassigned YES unset up up

FastEthernet1 unassigned YES unset up down

FastEthernet2 unassigned YES unset up down

FastEthernet3 unassigned YES unset up down

ATM0 unassigned YES DHCP up up

ATM0.1 unassigned YES DHCP up up

SSLVPN-VIF0 unassigned NO unset up up

Vlan1 unassigned YES NVRAM administratively down down

Vlan75 192.168.1.1 YES NVRAM up up

NVI0 unassigned YES unset administratively down down

Dialer0 unassigned YES NVRAM administratively down down

Dialer1 unassigned YES NVRAM up up

Virtual-Access1 unassigned YES unset up up

Virtual-Access2 unassigned YES unset up down

As you can see, it's not getting an IP from the ISP. However, I'm not sure which part to try and fix! I understand that the ATM is the actual port I plug the ADSL cable into and the Dialer 1 is the modem dialer to connect to the ISP so I'm not sure which one is meant to have an IP address (assuming dialer).

I have attached my updated config for your reference. Thanks again for your help so far.

Edit: Config attached to latest reply.

Saurabh Srivastava · ‎04-03-2013

Hi Deve,

As per the message your packet is getting droped by firewall inspection rule. you can try to test by dissbling "IP Inspact log droup-pkt".

Regards,
Saurabh

Regards, Saurabh

davefieldsea · ‎04-04-2013

Not sure if you get alerts to replies to other's messages but I've tried your suggestion and unfortunately it didn't help fix the route issue (although was probably a step towards the right direction! Thanks for that )

Do you have any idea about the updated issue above?

cadet alain · ‎04-05-2013

Hi,

disabling logging for dropped-packet won't help to solve the problem, on the contrary you won't be able to see that it is not working because your packet was dropped by the firewall.

Try this:

no ip route 0.0.0.0 0.0.0.0 Dialer0

interface Dialer1

no ip address dhcp

ip address negotiated

interface ATM0

no ip address dhcp

interface ATM0.1 point-to-point

no ip address dhcp

int atm0

shut

no shut

do sh ip int br

Now you should get an IP from the ISP on the dialer1 interface

Regards

Alain

Don't forget to rate helpful posts.

davefieldsea · ‎04-05-2013

Hey there,

Thanks very much for the detailed reply. Unfortunately it's still refusing to pickup an IP address. Interfaces output:

show ip interfaces br

Interface IP-Address OK? Method Status Protocol

FastEthernet0 unassigned YES unset up up

FastEthernet1 unassigned YES unset up down

FastEthernet2 unassigned YES unset up down

FastEthernet3 unassigned YES unset up down

ATM0 unassigned YES NVRAM up up

ATM0.1 unassigned YES unset up up

SSLVPN-VIF0 unassigned NO unset up up

Vlan1 unassigned YES NVRAM administratively down down

Vlan75 192.168.1.1 YES NVRAM up up

NVI0 unassigned YES unset administratively down down

Dialer0 unassigned YES NVRAM administratively down down

Dialer1 unassigned YES NVRAM up up

Virtual-Access1 unassigned YES unset up up

Virtual-Access2 unassigned YES unset up down

I changed everything that you suggested and have attached my config for you. I'm not sure whether the syntax for my ADSL connections is correct? It's meant to be:

VPI number: 0
VCI number: 38
Authentication: CHAP
Modulation: G.DMT
Encapsulation: PPP over ATM (PPPoA); Virtual Circuit Multiplexing (VC-MUX)

Thanks again for your help so far!

cadet alain · ‎04-05-2013

Hi,

Can you follow this config: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a601.shtml

Regards

Alain

Don't forget to rate helpful posts.

davefieldsea · ‎04-05-2013

Hi Alain,

As mentioned in my initial post, that is what I started with. I then basically only changed the DHCP range. I'll reset it all and start again if you wish.

Will post back with findings.

davefieldsea · ‎04-05-2013

Hi Alain,

I've set the router to defaults and gone through the entire setup again. The only differences to the guide you mentioned is that I used vlan75 instead of ethernet0/0 as the nat inside etc.

The config is attached with the "show ip interface brief" command at the bottom too.

Thanks again for persevering!

davefieldsea · ‎04-05-2013

This is now solved. My configuration was all correct, however I needed to put the PVC and encapsulation type etc under the ATM0.1 NOT ATM 0.

The Cisco guide was wrong in this.

Thanks to everyone who helped!