Configuring Cisco 1841 with ISP and Static IPs

EAlt41279
Level 1

I am new to the forums and am not a Cisco expert by any means, but have learned enough over the years to be dangerous.

Anyways, long story short.  We upgraded our Internet service in our India office which required a new router.  The local vendor suggested an 1841, so that is what we have.  It has two FastEthernet ports on it.

The ISP (Airtel) provided the following IP address information:

Public WAN IP  : 122.181.23.200/30

WAN IP      :  122.181.23.202
SUBNET MASK : 255.255.255.252
GATEWAY     :  122.181.23.201
Pri DNS :  125.22.47.125
Sec DNS :  202.56.250.5


Public LAN IP :      122.181.187.224/28


Public lan ip series :  122.181.187.226-239
SUBNET MASK :    255.255.255.240
GATEWAY     :    122.181.187.225
Pri DNS :   125.22.47.125
Sec DNS :   202.56.250.5

                  

The Cisco 1841 was configured with FastEthernet 0/0 to be the WAN and FastEthernet 0/1 to be the "LAN" interface.  Behind the LAN interface is our firewall which we have assigned one of the public IP addresses on its external interface.

The problem we are facing is that, though we can get traffic out to the Internet without issue, for whatever reason, we cannot get traffic INTO the network when it originates from outside.  I.e., no ping responses when pinging the WAN or LAN interfaces or the firewall's external interface, nor can my management server access the firewall's external interface for management and VPN connections.  Is there something missing from our configuration?

Here is the config. on our 1841:

IN-ROUTER01#sho run
Building configuration...

Current configuration : 3013 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IN-ROUTER01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime 5 30
ip cef
!
!
!
!
ip domain name mycompany.com
ip name-server 125.22.47.125
ip name-server 202.56.250.5
username root privilege 15 secret 5 $1$.Qpl$7MrqVR8daEKG2jQszhTTf1
username ealt privilege 15 secret 5 $1$5iNE$IIt3.TD4UTYKHmLEQOBNo0
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 122.181.23.202 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description $ES_LAN$
ip address 122.181.187.225 255.255.255.240
duplex auto
speed auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 122.181.23.201
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
password 7 110C140C10000A
login
line aux 0
line vty 0 4
privilege level 15
password 7 030752180500
login
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Any help will be GREATLY appreciated!

Sincerely,

Eric

5 Replies

SASCHA AMHERD
Level 1

Your ISP must route the 122.181.187.224/28 to your WAN IP, or you need NAT in the config.

Sent from Cisco Technical Support iPhone App

Hello Eric,


1st interface of the router: connect the ISP router/Mux to one of the interfaces of the router and configure a LAN public IP as mentioned above, with the gateway IP 122.181.187.225.

2nd interface:
Assign a LAN (intranet)/inside IP of your network; let's assume you have 10.10.0.0/16.

Please configure as below:


int fa 0/1
description $Lan/Inside IP$
ip address 10.10.0.1 255.255.0.0

ip nat inside


int fa 0/2
description $Public-lan/outside IP$
ip address 122.181.187.226 255.255.255.240

ip nat outside

! static PAT of all inside IPs to the outside interface IP (fa 0/2)
ip nat inside source route-map NAT interface fa 0/2 overload
! static IP natting (PAT) to public IP
ip nat inside source static 10.10.10.10 122.181.187.227 extendable

! wildcard mask (inverse of the subnet mask) for 10.10.0.0/16
access-list 101 permit ip 10.10.0.0 0.0.255.255 any

route-map NAT permit 10
match ip address 101

ip route 0.0.0.0 0.0.0.0 122.181.187.225

As per your requirement, please change the IPs of the above config.

Do not forget to rate the helpful posts.

Regards,

srikanth

EAlt41279
Level 1

Thank you for the suggestions.  I was able to pull the config of our original router on the old service and have applied some NAT to the new router.

It appears I can now ping the Inside interface of the router.  But I cannot ping any devices connected on the inside interface.

Please provide feedback on this configuration:

Using 3156 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IN-ROUTER01
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
clock timezone PCTime 5 30
ip cef
!
!
!
!
ip domain name emigra.com
ip name-server 125.22.47.125
ip name-server 202.56.250.5
username root privilege 15 secret 5 $1$.Qpl$7MrqVR8daEKG2jQszhTTf1
username ealt privilege 15 secret 5 $1$5iNE$IIt3.TD4UTYKHmLEQOBNo0
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 122.181.23.202 255.255.255.252
ip nat outside
speed 100
full-duplex
!
interface FastEthernet0/1
description $ES_LAN$
ip address 122.181.187.225 255.255.255.240
ip nat inside
duplex auto
speed auto
!
no ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 122.181.23.201
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool mypool 122.181.23.202 122.181.23.202 netmask 255.255.255.252
ip nat inside source list 10 pool mypool
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
password 7 110C140C10000A
login
line aux 0
line vty 0 4
privilege level 15
password 7 030752180500
login
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Sincerely,

Eric Alt
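
A consistency check over the addressing and NAT lines of the configuration posted above, as an added example that is not part of the original thread. It flags NAT rules that reference an access list the configuration never defines, and NAT-inside interfaces that carry a publicly routable subnet; the function names and finding labels are assumptions made for this sketch.

```python
import ipaddress
import re

# Constructed excerpt: addressing and NAT lines copied from the configuration above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 122.181.23.202 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 122.181.187.225 255.255.255.240
 ip nat inside
!
ip nat pool mypool 122.181.23.202 122.181.23.202 netmask 255.255.255.252
ip nat inside source list 10 pool mypool
"""

def parse_interfaces(config):
    """Map interface name -> {'net': IPv4Network or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], {"net": None, "nat": None})
        elif line == "!":
            current = None  # "!" closes the interface block in "show run" output
        elif current is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            if m := re.fullmatch(r"ip nat (inside|outside)", line):
                current["nat"] = m[1]
    return interfaces

def lint(config):
    """Return (label, detail) findings; labels are hypothetical names for this example."""
    findings = []
    # Numbered ("access-list 10 ...") and named ("ip access-list standard X") definitions.
    defined = set(re.findall(r"^\s*(?:ip access-list \S+|access-list) (\S+)", config, re.M))
    for acl in re.findall(r"^\s*ip nat inside source list (\S+) ", config, re.M):
        if acl not in defined:
            findings.append(("undefined-nat-acl", acl))
    for intf in parse_interfaces(config).values():
        # is_private is Python's test for RFC 1918 and other non-global ranges.
        if intf["nat"] == "inside" and intf["net"] and not intf["net"].is_private:
            findings.append(("public-subnet-behind-nat", str(intf["net"])))
    return findings

if __name__ == "__main__":
    for label, detail in lint(SAMPLE_CONFIG):
        print(f"{label}: {detail}")
```
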

Eric

I have looked through the config that you posted (but not in great detail I must admit). It looks pretty reasonable to me. I believe that your problem is not so much in the router config but is probably in the firewall. You have not told us much about the firewall (what kind of firewall, how it is configured) but most firewalls by default will not respond to pings or management requests that originate from outside. Pending any further information that you give us about the firewall I believe that the issues are with the behavior of your firewall.

HTH

Rick

Rick,

Thank you for the response.  The firewall is a Watchguard XTM23W.  It has been in place for nearly two years.

I think I stated this earlier, we had 2Mb service with the ISP with a block of static IP addresses.  Everything worked fine.  The previous Cisco router had a BRI card and an Ethernet interface and we didn't have issues with routing or using our block of external IPs with the external interface of the firewall.

We upgraded to 10Mb service (doesn't seem to act like 10 right now) and had to replace the router.  Ever since, the service has not been right.  The firewall does not respond to pings (yes, the policy allows Ping from ANY external right to the firebox), the service is slow, and my Watchguard Management server cannot see the firewall.

Could this be a routing issue on the ISP's side, or is there something still missing from our config above?

I appreciate the assistance!

Sincerely,

Eric Alt
