01-21-2011 12:41 AM - edited 03-06-2019 03:06 PM
Hello All Friends,
I am using a Cisco 877 to access the Internet over an ADSL line, and everything is working fine. We don't have a static IP at the moment, which is why I'm going to change my ISP. I have another Internet connection, and I have plugged that modem into the Cisco 877 with a Cat5 cable on port fa1.
So I need to change my running configuration to get Internet access from the new modem.
The new ISP's modem is already configured. If I plug it into my laptop, I can access the Internet without any IP settings, because the laptop gets its IP from the modem (DHCP is enabled on the new modem). But I need to get the IP from the Cisco, not from the new modem, so can anyone please help me modify the settings on the 877? I also want to keep the Wi-Fi and cable clients in the same subnet.
!
! Global settings: IOS 12.4, millisecond timestamps on debug/log messages, no AAA.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password-encryption only applies type 7 encoding to stored
! passwords. Type 7 is a reversible obfuscation, not a hash, so it does not
! protect a configuration that is shared or posted.
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
! NOTE(review): the local log buffer is disabled and no "logging" host appears
! in this listing, so log messages do not seem to be retained - confirm.
no logging buffered
! NOTE(review): this is a type 7 value published in a public post. Treat the
! enable password as disclosed: change it, and store the new one with
! "enable secret" (hashed) instead of "enable password".
enable password 7 03125200071C
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2149300000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2149300000
revocation-check none
rsakeypair TP-self-signed-2149300000
!
!
crypto pki certificate chain TP-self-signed-2149300000
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313439 33303030 3030301E 170D3037 30383234 30343338
35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343933
30303030 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3A7 F701D7A0 5DDD90D6 818BB30E D9E680F7 1EEB12BD B0047D7A 978A7188
B8862673 B88BB646 4A4B6FC7 5CF73422 4DDB2BEB 39CC2141 E18B3006 F8892C1E
D95D4678 5A2E7441 7799C02A AD9EB079 ADC006A6 6A5F18B0 1219208A 8E682BEF
45D1B98F F0AE8282 B38C7E86 F17A5E3D 621EDFA4 18057C0D F3E0177F 8EFF09B7
2DAD0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07526F75 7465722E 301F0603 551D2304 18301680 14275D63
B6D8FFFE C641F864 25EF338D 278EAFF2 82301D06 03551D0E 04160414 275D63B6
D8FFFEC6 41F86425 EF338D27 8EAFF282 300D0609 2A864886 F70D0101 04050003
8181001B EDA25E81 08ADA2F7 730400E5 E76F533E 851E5CF7 421EAD2E 26C8AE3C
31EACF15 E74ABF74 2AF8039F DF61E414 B389AFEC F69047C3 23D63935 2D8AB419
2DD95465 1A9578B3 218BA9AC A9DDE380 78410250 B8ECF6F3 CE19428C BE8087C4
9B247169 5465173A 1D89C3EE 7A1E3A84 1CCC6367 529ECEDB 70DD3234 1F09E852 587376
quit
dot11 syslog
!
! NOTE(review): this SSID profile uses open authentication and has no
! "authentication key-management" or PSK line, so as listed the wireless
! network is unencrypted; guest-mode also advertises the SSID in beacons.
dot11 ssid XXXXXXXXXXXX
authentication open
guest-mode
!
ip cef
!
!
!
!
! Upstream resolvers used by the router itself (addresses redacted).
ip name-server XXXXXXXXXXXX
ip name-server XXXXXXXXXXXX
!
multilink bundle-name authenticated
!
!
! NOTE(review): both accounts are privilege 15 (full administrative access)
! and are stored as type 7, which is reversible. The values are redacted
! here; "username <name> secret <password>" stores a hash instead.
username XXXXXXXXXXXX privilege 15 password 7 XXXXXXXXXXXX
username XXXXXXXXXXXX privilege 15 password 7 XXXXXXXXXXXX
!
! IKE phase 1 policies, both authenticated with pre-shared keys.
! NOTE(review): policy 1 uses 3DES with DH group 2 and policy 10 uses MD5 with
! DH group 5. These are legacy algorithms; where both peers support it, prefer
! AES with a SHA-2 hash and a larger DH group.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
! NOTE(review): the pre-shared key on the next line is posted in clear text
! (only the peer address is redacted). Treat it as disclosed and replace it
! on both peers.
crypto isakmp key coinopsolutions.com address XXXXXXXXXXXX
!
!
! IPsec transform sets. The three ESP-3DES-SHA* sets are identical apart from
! their names, and no crypto map or IPsec profile in this listing references
! any of the four.
crypto ipsec transform-set LAB-Transform esp-aes 256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
!
!
! Easy VPN remote profile: connects automatically in network-extension mode
! and answers XAUTH with the credentials saved below.
! NOTE(review): the XAUTH password is stored in the configuration so the
! tunnel can come up unattended; anyone who can read the config can reuse it.
crypto ipsec client ezvpn AustraliaVPN
connect auto
group EZVPN_GROUP_1 key XXXXXXXXXXXX
mode network-extension
peer XXXXXXXXXXXX
username vpnadmin password XXXXXXXXXXXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
!
!
! Loopback0 and Loopback1 carry no address in this listing.
interface Loopback0
no ip address
!
interface Loopback1
no ip address
!
! ADSL physical interface; the point-to-point subinterface runs PPPoE on
! PVC 0/35 and feeds dialer pool 1, which Dialer0 uses.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
! FastEthernet0-3 have no per-port settings in this listing.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Wireless side: routed on 192.168.6.1/23, a different subnet from the wired
! Vlan1 (192.168.4.1/23), so Wi-Fi and cable clients are not in one subnet here.
! NOTE(review): "ssid vikas" is presumably the profile whose name is redacted
! under "dot11 ssid" - confirm.
interface Dot11Radio0
ip address 192.168.6.1 255.255.254.0
ip nat inside
ip virtual-reassembly
!
ssid vikas
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
! Wired LAN gateway; also the inside interface of the Easy VPN client.
interface Vlan1
description $ES_LAN$
ip address 192.168.4.1 255.255.254.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
crypto ipsec client ezvpn AustraliaVPN inside
!
! WAN interface (PPPoE over the ADSL line), NAT outside, Easy VPN outside.
! NOTE(review): no inbound "ip access-group" and no firewall inspection is
! configured on this interface in the listing, so services the router itself
! runs (HTTP/HTTPS, DNS, vty) are not filtered on the Internet side.
! NOTE(review): the PPP username and both type 7 passwords are posted as-is.
! Type 7 is reversible; treat the ISP credentials as disclosed and change them.
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname palewar176
ppp chap password 7 00141215174C04140B
ppp pap sent-username palewar176 password 7 06160E325F59060B01
crypto ipsec client ezvpn AustraliaVPN
!
interface Dialer1
no ip address
!
ip forward-protocol nd
! Two default routes (Dialer0 and ATM0) plus a static route that sends
! 192.168.4.0/23 out Dialer0, although that prefix is configured on Vlan1.
! NOTE(review): the 192.168.4.0 route looks unintended - confirm.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 ATM0
ip route 192.168.4.0 255.255.254.0 Dialer0
!
!
! NOTE(review): plain-text HTTP management is enabled alongside HTTPS, and no
! "ip http access-class" restricts who may connect. Consider "no ip http
! server" and limiting the HTTPS server to management addresses.
ip http server
ip http authentication local
ip http secure-server
! NOTE(review): the router answers DNS queries; with no inbound ACL on
! Dialer0 in this listing, check that it does not answer queries from the WAN.
ip dns server
! PAT: sources matched by ACL ToNAT are translated to the Dialer0 address.
ip nat inside source list ToNAT interface Dialer0 overload
!
! NAT selection: traffic to 10.0.0.0/8 and 192.168.0.0/16 destinations is not
! translated; everything else sourced from 192.168.4.0-192.168.7.255 is.
ip access-list extended ToNAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.4.0 0.0.3.255 any
ip access-list extended acl_vpn
permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NOTE(review): apart from ToNAT (used by NAT) and ACL 100 (used by route-map
! SDM_RMAP_1), none of the ACLs below is referenced elsewhere in this listing.
access-list 40 permit 192.168.2.0 0.0.0.255
! NOTE(review): the wildcard 0.0.255.25 is non-contiguous and is probably a
! typo for 0.0.255.255. The "deny any" that follows also makes the final
! permit entry unreachable.
access-list 50 permit 192.168.0.0 0.0.255.25
access-list 50 deny any
access-list 50 permit 192.168.0.0 0.0.255.255
! NOTE(review): "permit ip any any" is the second entry of ACL 100, so it
! matches all IP traffic and the later entries are never reached.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit icmp 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 101 permit icmp 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.1.250 host XXXXXXXXXXXX
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.6.0 0.0.1.255 XXXXXXXXXXXX 0.0.0.63
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 192.168.4.250 host XXXXXXXXXXXX
! Any IP packet counts as interesting traffic for dialer-group 1 (Dialer0).
dialer-list 1 protocol ip permit
!
!
!
! Route-map matching ACL 100; nothing in this listing applies it.
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
! NOTE(review): the console line has no "login" or password in this listing,
! so console access is not authenticated.
line con 0
no modem enable
line aux 0
! NOTE(review): "login" is set but no line password is shown (it may have been
! removed before posting). There is also no "transport input" or
! "access-class" line, so remote management is not limited to SSH or to
! specific source addresses. Consider "login local", "transport input ssh"
! and an access-class.
line vty 0 4
login
!
scheduler max-task-time 5000
end
01-21-2011 01:56 AM
Hi Vikrant,
How are your LAN clients getting their IPs right now, both wired and wireless? Is it from the ADSL modem? If yes, then the ADSL modem will have both DHCP pools configured. Also, have you got the static IP from your ISP that you want to configure on the router for Internet access?
In this case most of the configuration will remain the same. Here are the steps that you will do to make it work :
1. Configure the static IP on the fast ethernet interface and make sure that you are able to ping the ISP device.
2. Configure the DHCP pools on the router both for your wireless clients i.e 192.168.6.x and wired clients 192.168.4.x .
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html
3. Configure NAT on the FA interface so that clients can access the Internet. If the NAT policy remains the same, you just have to enable NAT on the FastEthernet interface ("ip nat outside") and change the PAT command to reflect the FA interface: "ip nat inside source list ToNAT interface FA 0 overload".
if you need to change the NAT policy, Please do that and then enable the NAT under the "FA" interface.
4. Change the IP static routes to point towards the "FA" interface:
ip route 0.0.0.0 0.0.0.0 Fastethernet 0
ip route 192.168.4.0 255.255.254.0 Fastethernet 0
5. Enable the VPN configuration under the FA interface for EZVPN:
"crypto ipsec client ezvpn AustraliaVPN"
6. Change the MTU settings if you need to under the FA interface as configured under the "dial interface"
These are the major steps that you need to do in order to make it work.
Let us know if you have any doubts.
HTH, Please rate if it does.
Cheers,
-amit singh
01-21-2011 02:39 AM
Hi Amit,
Thanks for your interest in helping me, and sorry for posting the wrong configuration. Below is my present config. I want to assign DHCP from the Cisco and need to disable DHCP on the new modem.
! Global settings (this listing starts after the "version" line).
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password-encryption only applies type 7 encoding, which is a
! reversible obfuscation rather than a hash.
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
! NOTE(review): the local log buffer is disabled and no "logging" host appears
! in this listing, so log messages do not seem to be retained - confirm.
no logging buffered
! NOTE(review): redacted here, but still stored as type 7; "enable secret"
! stores a hash instead.
enable password 7 XXXXXXX
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2149300000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2149300000
revocation-check none
rsakeypair TP-self-signed-2149300000
!
!
crypto pki certificate chain TP-self-signed-2149300000
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313439 33303030 3030301E 170D3037 30383234 30343338
35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343933
30303030 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3A7 F701D7A0 5DDD90D6 818BB30E D9E680F7 1EEB12BD B0047D7A 978A7188
B8862673 B88BB646 4A4B6FC7 5CF73422 4DDB2BEB 39CC2141 E18B3006 F8892C1E
D95D4678 5A2E7441 7799C02A AD9EB079 ADC006A6 6A5F18B0 1219208A 8E682BEF
45D1B98F F0AE8282 B38C7E86 F17A5E3D 621EDFA4 18057C0D F3E0177F 8EFF09B7
2DAD0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07526F75 7465722E 301F0603 551D2304 18301680 14275D63
B6D8FFFE C641F864 25EF338D 278EAFF2 82301D06 03551D0E 04160414 275D63B6
D8FFFEC6 41F86425 EF338D27 8EAFF282 300D0609 2A864886 F70D0101 04050003
8181001B EDA25E81 08ADA2F7 730400E5 E76F533E 851E5CF7 421EAD2E 26C8AE3C
31EACF15 E74ABF74 2AF8039F DF61E414 B389AFEC F69047C3 23D63935 2D8AB419
2DD95465 1A9578B3 218BA9AC A9DDE380 78410250 B8ECF6F3 CE19428C BE8087C4
9B247169 5465173A 1D89C3EE 7A1E3A84 1CCC6367 529ECEDB 70DD3234 1F09E852 587376
quit
dot11 syslog
!
! SSID profile on VLAN 1 with WPA pre-shared-key authentication; guest-mode
! advertises the SSID in beacons.
! NOTE(review): the PSK is stored as type 7 (reversible) and is redacted here.
! The radio interface further down pairs this profile with the TKIP cipher.
dot11 ssid Coinopsolutions
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXXXX
!
ip cef
!
!
! DHCP server for the LAN: leases 192.168.4.26 and above from 192.168.4.0/24
! (addresses .1-.25 are excluded), hands out the router as gateway and DNS
! server, with a lease time of 0 days 2 hours.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.25
!
ip dhcp pool LAN-POOL
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.4.1
lease 0 2
!
!
ip name-server 218.248.255.212
ip name-server 218.248.255.139
!
multilink bundle-name authenticated
!
!
! NOTE(review): both accounts are privilege 15 (full administrative access)
! and stored as type 7, which is reversible; "username <name> secret
! <password>" stores a hash instead.
username admin privilege 15 password 7 XXXXXXX
username rcohen privilege 15 password 7 XXXXXXX
!
!
! IKE phase 1 policies, both authenticated with pre-shared keys.
! NOTE(review): 3DES, MD5 and DH groups 2 and 5 are legacy algorithms; where
! the peers support it, prefer AES with a SHA-2 hash and a larger DH group.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
! NOTE(review): this is a wildcard pre-shared key (address 0.0.0.0 0.0.0.0):
! any peer presenting it is accepted for IKE authentication. It is posted in
! clear text, so treat it as disclosed and replace it on every DMVPN peer.
! Per-peer keys or certificate authentication limit the impact of one leak.
crypto isakmp key DMVPN_STR0NG_K3Y address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set LAB-Transform esp-aes 256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
! Transform set used by the DMVPN profile below: 3DES with MD5 HMAC in
! transport mode. The other four sets are not referenced in this listing.
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
!
!
! Easy VPN remote profile: connects automatically in network-extension mode
! and answers XAUTH with the saved credentials.
! NOTE(review): the group key on the "group" line is in clear text in this
! post. Treat it as disclosed and change it on the Easy VPN server and client.
crypto ipsec client ezvpn AustraliaVPN
connect auto
group EZVPN_GROUP_1 key Coinopsolutions.com
mode network-extension
peer 58.108.208.65
username XXXXXXX password XXXXXXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
! Integrated routing and bridging: Vlan1 and Dot11Radio0.1 are bridged in
! bridge-group 1 and BVI1 is the routed interface, so wired and wireless
! clients share the 192.168.4.0/24 subnet.
bridge irb
!
!
interface Loopback0
no ip address
!
interface Loopback1
no ip address
!
! DMVPN spoke tunnel: multipoint GRE sourced from Dialer0, registering with
! the NHRP next-hop server 10.91.255.1 and protected by IPsec profile DMVPN.
! NOTE(review): the NHRP authentication string and tunnel key are posted in
! clear text; change the NHRP string together with the IKE pre-shared key.
interface Tunnel0
description -= DMVPN =-
ip address 10.91.255.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_A
ip nhrp map multicast XXXXXXX
ip nhrp map 10.91.255.1 XXXXXXX
ip nhrp network-id 91
ip nhrp holdtime 600
ip nhrp nhs 10.91.255.1
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 91
tunnel protection ipsec profile DMVPN
!
! ADSL physical interface; the subinterface runs PPPoE on PVC 0/35 and feeds
! dialer pool 1, which Dialer0 uses.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
! FastEthernet0-3 have no per-port settings in this listing.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Radio interface: no address of its own (bridged through Dot11Radio0.1).
! NOTE(review): VLAN 1 is encrypted with TKIP, a legacy cipher. If the radio
! and the clients support it, prefer "encryption vlan 1 mode ciphers aes-ccm".
! NOTE(review): the speed list is split over two lines ("48.0" / "54.0"),
! which looks like a terminal line wrap in the paste.
interface Dot11Radio0
no ip address
ip nat inside
ip virtual-reassembly
!
encryption vlan 1 mode ciphers tkip
!
ssid Coinopsolutions
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! Wired LAN VLAN, bridged into bridge-group 1. The inbound ACL BlockIPSec2HQ
! denies UDP isakmp to one redacted host and permits everything else.
interface Vlan1
description $ES_LAN$
no ip address
ip access-group BlockIPSec2HQ in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
bridge-group 1
bridge-group 1 spanning-disabled
!
! WAN interface (PPPoE over the ADSL line), NAT outside, Easy VPN outside and
! source of Tunnel0.
! NOTE(review): no inbound "ip access-group" and no firewall inspection is
! configured on this interface in the listing, so services the router itself
! runs (HTTP/HTTPS, DNS, vty) are not filtered on the Internet side.
! NOTE(review): the PPP username and both type 7 passwords are posted as-is.
! Type 7 is reversible; treat the ISP credentials as disclosed and change them.
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1360
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname palewar176
ppp chap password 7 00141215174C04140B
ppp pap sent-username palewar176 password 7 06160E325F59060B01
crypto ipsec client ezvpn AustraliaVPN
!
interface Dialer1
no ip address
!
! Routed interface for bridge-group 1: LAN gateway 192.168.4.1/24, NAT inside
! and the inside interface of the Easy VPN client.
interface BVI1
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn AustraliaVPN inside
!
ip forward-protocol nd
! Default route via Dialer0; remote private networks via the DMVPN next hops
! 10.91.255.1 and 10.91.255.2. 10.10.10.0/24 and 192.168.8.0/24 each have two
! static routes with different next hops.
! NOTE(review): "ip route 192.168.4.0 255.255.254.0 Dialer0" sends a /23 that
! includes the LAN out the WAN interface. BVI1 holds 192.168.4.0/24 as a
! connected network, so the route mainly affects 192.168.5.0/24 - confirm it
! is intended.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
!
!
! NOTE(review): plain-text HTTP management is enabled alongside HTTPS, and no
! "ip http access-class" restricts who may connect. Consider "no ip http
! server" and limiting the HTTPS server to management addresses.
ip http server
ip http authentication local
ip http secure-server
! NOTE(review): the router answers DNS queries (the DHCP pool points clients
! at it); with no inbound ACL on Dialer0 in this listing, check that it does
! not answer queries from the WAN.
ip dns server
! PAT: sources matched by ACL ToNAT are translated to the Dialer0 address.
ip nat inside source list ToNAT interface Dialer0 overload
!
! Applied inbound on Vlan1: blocks LAN clients from starting IKE (UDP isakmp)
! with one redacted host and permits everything else.
ip access-list extended BlockIPSec2HQ
deny udp any host XXXXXXX eq isakmp
permit ip any any
! NAT selection: traffic to 10.0.0.0/8 and 192.168.0.0/16 destinations is not
! translated; everything else sourced from 192.168.4.0-192.168.7.255 is.
ip access-list extended ToNAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.4.0 0.0.3.255 any
ip access-list extended acl_vpn
permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NOTE(review): of the ACLs below, only 100 is referenced in this listing (by
! route-map SDM_RMAP_1); 40, 50, 101-104 and acl_vpn above are not.
access-list 40 permit 192.168.2.0 0.0.0.255
! NOTE(review): the wildcard 0.0.255.25 is non-contiguous and is probably a
! typo for 0.0.255.255. The "deny any" that follows also makes the final
! permit entry unreachable.
access-list 50 permit 192.168.0.0 0.0.255.25
access-list 50 deny any
access-list 50 permit 192.168.0.0 0.0.255.255
! NOTE(review): "permit ip any any" is the second entry of ACL 100, so it
! matches all IP traffic and the later entries are never reached.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit icmp 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 101 permit icmp 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.1.250 host 58.108.208.65
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.6.0 0.0.1.255 58.108.208.64 0.0.0.63
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 192.168.4.250 host 58.108.208.65
! Any IP packet counts as interesting traffic for dialer-group 1 (Dialer0).
dialer-list 1 protocol ip permit
!
!
!
! Route-map matching ACL 100; nothing in this listing applies it.
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 route ip
!
! Console and vty lines authenticate against the local username database
! ("login local"), so the type 7 line passwords are not what is checked.
line con 0
password 7 XXXXXXX
login local
no modem enable
line aux 0
! NOTE(review): there is no "transport input" or "access-class" line here, so
! remote management is not limited to SSH or to specific source addresses in
! this listing. Consider "transport input ssh" and an access-class that
! permits only management hosts.
line vty 0 4
password 7 XXXXXXX
login local
!
scheduler max-task-time 5000
end
Router#