02-26-2013 12:15 PM - edited 03-07-2019 11:57 AM
Hi,
This is my first post and forgive me, I haven't configured a Cisco in a few years (as there was no need to). But as is always the case, finance has made cutbacks which forced a change from a DSL (with static IPs) to a cable modem (dynamic). Currently, we have 3 internal VLANs on an 871 router that also serves as DHCP and FW. The router trunks the VLANs to a Smart switch (GS108T, no L3) as well as an access point, WAP4410N.
VLANs are : 10.20.30.0/26, 172.16.13.0/27, 192.168.0.0/24
I'd like to ask the audience here what is the quickest and/or the easiest way to make this change? Below is the summarized current (DSL) config (with most of the IPs edited). Sorry if there are extraneous lines; I'm a bit out of practice.
!
version 15.1
!
hostname packet
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.20.30.1
ip dhcp excluded-address 10.20.30.54
ip dhcp excluded-address 172.16.13.1 172.16.13.10
ip dhcp excluded-address 172.16.13.21
ip dhcp excluded-address 10.20.30.23
ip dhcp excluded-address 192.168.0.1 192.168.0.200
!
ip dhcp pool Catsup
 import all
 network 172.16.13.0 255.255.255.224
 default-router 172.16.13.1
 domain-name dmz.example.local
 dns-server 8.8.8.8
 lease 0 13
!
ip dhcp pool Ketchup
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 domain-name int.example.local
 dns-server 10.20.30.23
 lease 0 23
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name example.local
ip inspect name DEFAULT-IN ftp
ip inspect name DEFAULT-IN h323
ip inspect name DEFAULT-IN netshow
ip inspect name DEFAULT-IN rcmd
ip inspect name DEFAULT-IN realaudio
ip inspect name DEFAULT-IN rtsp
ip inspect name DEFAULT-IN smtp
ip inspect name DEFAULT-IN sqlnet
ip inspect name DEFAULT-IN streamworks
ip inspect name DEFAULT-IN tftp
ip inspect name DEFAULT-IN tcp
ip inspect name DEFAULT-IN udp
ip inspect name DEFAULT-IN vdolive
ip inspect name DEFAULT-IN icmp
ip inspect name DEFAULT-IN ms-sql
ip inspect name DEFAULT-IN telnet
ip inspect name DEFAULT-OUT ftp
ip inspect name DEFAULT-OUT tcp
ip inspect name DEFAULT-OUT udp
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description SWITCH:Ketchup
 switchport access vlan 23
!
interface FastEthernet1
 description SWITCH:Catsup
 switchport access vlan 13
!
interface FastEthernet2
 description GS108T-200
 switchport mode trunk
!
interface FastEthernet3
 description WAP4410N
 switchport mode trunk
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$
 ip address 11.22.33.44 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT-IN in
 ip inspect DEFAULT-IN out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Mustard
 ip address 10.20.30.1 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip inspect DEFAULT-IN in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan13
 description Catsup
 ip address 172.16.13.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip inspect DEFAULT-OUT in
 ip virtual-reassembly in
!
interface Vlan23
 description Ketchup
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip inspect DEFAULT-IN in
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
!
ip flow-top-talkers
 top 23
 sort-by packets
 cache-timeout 1200000
!
ip nat pool Ketchup 11.22.13.48 11.22.33.52 netmask 255.255.255.0
ip nat pool Catsup 11.22.33.45 11.22.33.46 netmask 255.255.255.0
ip nat inside source list 10 interface FastEthernet4 overload
ip nat inside source list 113 pool Catsup overload
ip nat inside source list 199 pool Ketchup overload
ip route 0.0.0.0 0.0.0.0 11.22.33.1
!
logging 10.20.30.23
access-list 10 permit 10.20.30.0 0.0.0.63
access-list 99 permit 10.20.30.0 0.0.0.63
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 100 remark ISP facing
access-list 100 permit udp any any eq ntp
access-list 100 deny ip 11.22.33.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny tcp any any eq 135
access-list 100 deny tcp any any eq 137
access-list 100 deny tcp any any eq 139
access-list 100 deny udp any any eq netbios-ns
access-list 100 permit ip any any
access-list 111 deny ip any any
access-list 111 permit ip 10.20.30.0 0.0.0.63 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
access-list 113 permit ip 172.16.13.0 0.0.0.31 any
access-list 199 remark Ketchup
access-list 199 deny ip 10.0.0.0 0.255.255.255 any
access-list 199 deny ip 172.16.0.0 0.15.255.255 any
access-list 199 deny tcp any any eq 135
access-list 199 deny tcp any any eq 137
access-list 199 deny tcp any any eq 139
access-list 199 deny udp any any eq netbios-ns
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
access-list 199 permit ip any any
no cdp run
!
end
What I've tried so far hasn't quite worked, but so far I've figured that I'd have to remove the nat pools (and their relative nat source lists), replace FE4 with a 'ip address dhcp' and replace the default route with 'ip route 0.0.0.0 0.0.0.0 dhcp' but to no avail. I've tried creating a new ACL (20) with the above VLANs, added that to the access-group of FE4 with 'ip nat source list 20 interface FE4 overload'. I've also even tried creating a route-map, and thought about possibly using InterVLANs but would rather not use sub-interfaces and such. Also, at some point, I'll likely add some extended ACLs but first, getting routing working...
But I may be overthinking things and am obviously out of practice, but I'd like to ask what would be the best direction to switch to this new ISP? Also, is there a way to verify that the WAN interface has been leased an IP? Seems a bit silly, but just wanted to know if there was any other way to determine the router can route besides attempting to ping an outside DNS server...?
Thanks for reading...
-vin
Labels: Other Switching
Accepted Solutions
02-26-2013 06:40 PM
I would say all you need to do is change the IP address of your WAN interface to "IP address DHCP"
You should be able to issue "show dhcp server" and even a "show IP int brief" to see the IP address of the dynamically assigned address.
Then you need to create an ACL for your NATing.
A standard ACL will do with 3 lines permitting each one of your internal VLANs.
Then remove your previous NAT statements and issue "IP NAT inside source list interface fastethernet4"
That should cover most of it.
Let me know if it helps.
Elton
Sent from Cisco Technical Support iPhone App
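As an added worked example for the cutover (not from the thread and not from Cisco), here is the full set of commands that implement the accepted answer on the 871 config posted above, plus the checks that answer the question about confirming the lease without pinging an outside host. It assumes the three VLAN subnets from the question, FastEthernet4 as the only WAN port, and that ACL number 20 and the name WAN-IN are free; both names are choices made for this example. Two points go beyond the answer above. First, inbound ACLs on IOS are also applied to packets addressed to the router itself, so a WAN-side ACL that only lists the internal subnets (the ACL 20 that the question says was applied inbound on FE4) drops the ISP's DHCPOFFER/DHCPACK and the client never gets an address; the example permits bootps to bootpc explicitly and puts that line ahead of the private-range denies, because cable providers commonly answer DHCP from a 10.x relay. Second, it uses the DHCP-learned default route instead of a hard-coded gateway, since the thread later reports leases from two different networks (71.x and 24.x).

```cisco
! Added example (not from the original thread). Global configuration mode
! unless marked (exec). Names/numbers WAN-IN and ACL 20 are assumptions.
!
! (exec) clear ip nat translation *
!   Do this first: IOS refuses to remove a NAT rule that still has active
!   translations ("%Dynamic mapping in use, cannot remove").
!
! 1. Remove the DSL-specific NAT. Delete the rules before the pools; a pool
!    that a rule still references cannot be deleted.
no ip nat inside source list 113 pool Catsup overload
no ip nat inside source list 199 pool Ketchup overload
no ip nat inside source list 10 interface FastEthernet4 overload
no ip nat pool Ketchup
no ip nat pool Catsup
no ip route 0.0.0.0 0.0.0.0 11.22.33.1
!
! 2. One standard ACL that matches every inside subnet to be PATed.
access-list 20 remark NAT-INSIDE: all three internal VLANs
access-list 20 permit 10.20.30.0 0.0.0.63
access-list 20 permit 172.16.13.0 0.0.0.31
access-list 20 permit 192.168.0.0 0.0.0.255
!
! 3. WAN-facing ACL, replacing ACL 100. The anti-spoof entry for the old
!    DSL block (11.22.33.0/24) is gone because the cable address is not
!    known in advance. The bootps->bootpc line is the important addition:
!    without it the ISP's DHCP replies to the router are filtered, and it
!    must sit above "deny ip 10.0.0.0 ..." in case the ISP's DHCP server
!    or relay lives on a private address. Everything else mirrors ACL 100.
ip access-list extended WAN-IN
 remark let the ISP DHCP server answer this router's DHCP client
 permit udp any eq bootps any eq bootpc
 permit udp any any eq ntp
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   tcp any any eq 135
 deny   tcp any any eq 137
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ns
 permit ip any any
!
! 4. WAN interface becomes a DHCP client. "ip address dhcp" replaces the
!    static address; the nat outside / inspect / virtual-reassembly lines
!    already on the interface are left alone. Applying a new access-group
!    in the same direction replaces ACL 100.
interface FastEthernet4
 ip address dhcp
 ip access-group WAN-IN in
!
! 5. One PAT rule for all inside VLANs on whatever address FastEthernet4
!    currently holds, and a default route that follows the lease.
ip nat inside source list 20 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
! 6. Verification (exec), before testing from a client:
!   show dhcp lease            leased address, server, default gateway, timers
!   show ip interface brief    FastEthernet4 shows the leased address, Method DHCP
!   show ip route              "S* 0.0.0.0/0 [254/0] via <gw>" is the DHCP route
!   show ip access-lists WAN-IN  a match count on the bootps line proves the
!                              offer reached the router
!   show ip nat translations   inside->outside entries appear once a client
!                              sends traffic
```

If "show dhcp lease" stays empty while a laptop on the same cable gets an address, the router never received an offer; check the bootps match count first, then power-cycle the modem. The outcome reported at the end of this thread fits the usual behaviour of cable modems, which bind to the first CPE MAC address seen after boot and keep ignoring other MACs until they are restarted.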
02-26-2013 07:59 PM
Is the cable company assigning you a router?
This is what I would do if it were me. I'd find out what the default gateway for your ISP is. You can determine that a number of ways, the easiest would be to plug the modem directly into your laptop and run an ipconfig command.
conf t
int fa4
ip address dhcp
exit
ip route 0.0.0.0 0.0.0.0 (ISP default gateway)
You will need to edit your nat pools ketchup and catsup for dynamic IPs. Unfortunately I am not familiar with this procedure as I always use static. Hopefully someone can chime in and help with that.
ip route 0.0.0.0 0.0.0.0 11.22.33.1
02-26-2013 12:44 PM
What is your problem and what do you want to achieve? Please be brief.
Do you want to use the Internet from one ISP,
or do you want to use both ISPs in active/standby?
02-26-2013 02:09 PM
I'm just trying to switchover FE4 from DSL to cable while still retaining the VLANs and have them all route through FE4. PAT typically works with 1 VLAN but uncertain with multiple internal VLANs. So only 1 ISP.
02-26-2013 03:02 PM
What I got from it is that you are changing your Internet connection from DSL to cable; if I am right, then this is the case with you.
ip nat pool Ketchup 11.22.13.48 11.22.33.52 netmask 255.255.255.0
ip nat pool Catsup 11.22.33.45 11.22.33.46 netmask 255.255.255.0
These IPs are bound to your DSL connection by your DSL service provider; they have routed those IPs toward you.
02-26-2013 03:40 PM
That's correct. The config (above) is what works with DSL, but when changing to cable, this is what I did:
#clear ip nat translation *
(config)#no ip nat inside source list 113 pool Catsup overload
(config)#no ip nat inside source list 199 pool Ketchup overload
(config)#no ip nat pool Ketchup
(config)#no ip nat pool Catsup
(config)#access-list 20 permit 10.20.30.0 0.0.0.63
(config)#access-list 20 permit 172.16.13.0 0.0.0.31
(config)#access-list 20 permit 192.168.0.0 0.0.0.255
(config)#int f4
(config-if)#ip address dhcp
(config-if)#ip access-group 20 in
(config-if)#exit
(config)#no ip nat inside source list 10 interface FastEthernet4 overload
(config)#ip nat inside source list 20 interface FastEthernet4 overload
(config)#ip route 0.0.0.0 0.0.0.0 dhcp
(config)#end
But still nothing... I'll worry about the actual ACL and FW rules later but simple routing isn't even working.
By the way, thanks for helping out! I'm just a bit lost, I think...
02-27-2013 03:24 PM
I've tried that, but no go... But taking a step back helps. Found out that 'ip address dhcp' on FE4 does not actually receive an IP; instead, 'sh int f4' reveals the interface 'will be negotiating with DHCP'. Which is odd, because I've plugged in 2 different laptops and both have received IPs.
02-27-2013 03:29 PM
No... We've had the router for a few years now and we're pretty satisfied with it. The odd thing is, after checking (with 'sh int f4') the WAN interface isn't receiving an address at all. I've tried plugging a laptop and it received a 71.x.x.x IP address. But then I plugged a different laptop but then got a 24.x.x.x address, which is a completely different network... With such drastic changing of networks, I'm not entirely sure recording the gw from one leased address would work if the router is leased on a different network...
02-27-2013 09:03 PM
Sorry, I was thinking the cable co assigned you a router. That's odd that you do not receive a consistent address, I have Comcast and I have had the same dynamic IP for a while.
Maybe you can call the cable Co. and explain what you are trying to achieve. Maybe they can assign a static address to your modem?
05-31-2013 10:28 PM
Sorry for the latest of late responses, but this is working. The commands are correct, but strangely, the cable modem needed a hard power reset. Maybe I'm wrong but I wasn't aware of long cache times for MAC addresses for some devices.
Still, I want to say thank you to all who helped. If there's anything I'm missing, I'm sure I could use a few pointers...
