Cisco 871 with cable modem conf not enabling WAN traffic

Jantje85
Dear all,

I have been trying for the past few days to migrate my Cisco 871, currently configured with a DSL modem, to use my new cable modem. It has been a few years though since I last had to make any major changes to it and I seem to have lost my 'touch' - if ever I had it...

Eventually I intend to have it fail over from the cable modem to the DSL line by putting a switched port in a VLAN and placing the dialer on that... but first I have to get the cable modem working on the WAN port. The WAN interface is assigned an IP just fine through DHCP and there's a static default route pointing to the interface, but I cannot ping anything outside my network - not even from the router itself.

I might be overlooking something really simple, but I can't seem to find the issue. Most of the new config is just copied over from my old DSL config, so I think bad access lists can't be to blame.

I am running the Advanced IP Services image; I have pasted my configuration below.

Any advice you could offer would be greatly appreciated.

Kind Regards,
Jan
------
version 15.1
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers

hostname Central

boot-start-marker
boot-end-marker

security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console notifications
!enable secret 5 *****

aaa new-model

aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec default local

aaa session-id common

clock timezone WEST 1 0
clock summer-time WEST recurring
no ip source-route
ip cef

service dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.1.240 192.168.1.254

ip dhcp pool PrivNet
import all
network 192.168.1.0 255.255.255.0
domain-name MWeb
default-router 192.168.1.1
dns-server 192.168.1.1
lease 30

ip dhcp pool PubNet
import all
network 192.168.2.0 255.255.255.0
domain-name PubMWeb
default-router 192.168.2.1
dns-server 192.168.2.1

dot11 mbssid
dot11 vlan-name default vlan 1
dot11 vlan-name PubMWeb vlan 2

dot11 ssid MWeb
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
!wpa-psk ascii 7 ***********

dot11 ssid PubMWeb
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
!wpa-psk ascii 7 ***********

ip tcp synwait-time 10
no ip bootp server
ip domain name MWeb
ip name-server 8.8.8.8
ip name-server 208.67.222.222
ip name-server 8.8.4.4
ip name-server 208.67.220.222
ip ssh time-out 60
ip ssh authentication-retries 2

ip inspect max-incomplete low 200
ip inspect max-incomplete high 400
ip inspect one-minute low 200
ip inspect one-minute high 400
ip inspect tcp synwait-time 15
ip inspect name FW1 appfw FW1
ip inspect name FW1 ftp timeout 3600
ip inspect name FW1 h323 timeout 3600
ip inspect name FW1 icmp timeout 360
ip inspect name FW1 netshow timeout 3600
ip inspect name FW1 rcmd timeout 3600
ip inspect name FW1 realaudio timeout 3600
ip inspect name FW1 rtsp timeout 3600
ip inspect name FW1 esmtp timeout 3600
ip inspect name FW1 sqlnet timeout 3600
ip inspect name FW1 streamworks timeout 360
ip inspect name FW1 tftp timeout 30
ip inspect name FW1 tcp timeout 3600
ip inspect name FW1 udp timeout 15
ip inspect name FW1 vdolive timeout 3600
ip inspect name FW1 https timeout 3600
ip inspect name FW1 dns timeout 60

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

interface Null0
no ip unreachables

interface FastEthernet0
description Downlink to Private LAN Switch.
switchport mode trunk
no ip address
no shutdown

interface FastEthernet1
no cdp enable
no shutdown

interface FastEthernet2
no cdp enable
no shutdown

interface FastEthernet3
no cdp enable
no shutdown

interface FastEthernet4
description WAN
ip address dhcp
ip access-group ACL-Internet-Inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip inspect FW1 in
ip inspect FW1 out
ip flow ingress
duplex auto
speed auto
no cdp enable
no shutdown

interface Dot11Radio0
no ip address
no dot11 extension aironet
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid MWeb
ssid PubMWeb
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
mbssid
station-role root
no cdp enable
no shutdown

interface Dot11Radio0.1
description Main Wireless by MWeb
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled

interface Dot11Radio0.2
description Guest Wireless by MWeb
bandwidth 2000
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect FW1 out
ip nat inside
ip virtual-reassembly in

interface Vlan1
description Internal Private LAN
bridge-group 1
bridge-group 1 spanning-disabled

interface BVI1
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip inspect FW1 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no shutdown

ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip dns server
ip dns spoofing
ip nat pool DJanPool 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
ip nat pool LServ1Pool 192.168.1.7 192.168.1.7 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside destination list DJanF pool DJanPool
ip nat inside destination list LServ1F pool LServ1Pool
ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip access-list extended ACL-Internet-Inbound
remark Restrict access from the internet to the LAN.
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit udp host 81.246.92.139 eq ntp any eq ntp
permit udp any eq ntp any eq ntp
deny ip 192.168.2.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit gre any any
permit esp any any
permit udp any any eq 8887
permit udp any any eq 41170
permit udp any any range 10500 12500
permit tcp any any range 10500 12500
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3306
permit tcp any any eq 5901
permit tcp any any range 6650 8000
permit udp any any range 6650 8000
permit tcp any any range 13000 15000
permit tcp any any eq 9418
permit udp any any range 13000 15000
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
ip access-list extended DJanF
permit udp any any eq 8887
permit udp any any eq 41170
permit tcp any any range 10500 12500
permit udp any any range 10500 12500
ip access-list extended Guest-ACL
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended LServ1F
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3306
permit tcp any any eq 5901
permit tcp any any range 6650 8000
permit udp any any range 6650 8000
permit tcp any any range 13000 15000
permit udp any any range 13000 15000
permit tcp any any eq 9418
permit tcp any any eq www

logging esm config
logging trap notifications
access-list 1 remark Allow both VLANs access to the dialer
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Incoming Traffic from main VLAN.
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark VTY Access-class list
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run

control-plane

line con 0
login authentication local_authen
no modem enable
transport preferred none
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
login authentication local_authen
transport preferred none
transport input telnet ssh

scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 81.246.92.139
ntp server 81.246.92.140
ntp server 193.110.251.50
ntp server 93.94.105.122
end
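As an added example (not part of the post), the following Python evaluates packets against a representative, abridged subset of the ACL-Internet-Inbound entries above, kept in their original order, the way IOS does: the first matching entry wins and an implicit deny closes the list. It covers only the syntax those entries use (any/host/wildcard addresses, eq/range ports, ICMP type names, a trailing log keyword), models the static ACL alone (the return-traffic openings that ip inspect FW1 adds dynamically are out of scope), and the packets and the 81.82.200.100 WAN address are constructed. Running it shows one ordering point worth checking in a config like this: the anti-spoofing deny lines for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 come after the permit lines, so a packet with a 10.0.0.0/8 source to a permitted port such as 3306 is accepted by the earlier permit, whereas the deny for 192.168.2.0/24, which precedes the permits, does apply.

```python
"""Evaluate packets against an abridged copy of ACL-Internet-Inbound.
Added example, not from the post: a minimal Cisco IOS extended-ACL evaluator
with first-match semantics and the implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS well-known service names used by this ACL, mapped to port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123, "smtp": 25}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Entries copied from the post (abridged subset, original order preserved).
ACL_INTERNET_INBOUND = """\
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit udp host 81.246.92.139 eq ntp any eq ntp
permit udp any eq ntp any eq ntp
deny ip 192.168.2.0 0.0.0.255 any
permit icmp any any echo-reply
permit gre any any
permit udp any any range 10500 12500
permit tcp any any range 10500 12500
permit tcp any any eq smtp
permit tcp any any eq 3306
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip any any log
"""


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _port(t):
    return PORT_NAMES.get(t) or int(t)


def _parse_addr(tok, i):
    """Return ((base, wildcard), next index); a wildcard bit of 1 means don't care."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_ports(tok, i):
    """Return ((lo, hi) or None, next index) for an optional eq/range clause."""
    if i < len(tok) and tok[i] == "eq":
        return (_port(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()                     # action proto src [ports] dst [ports] [icmp-type] [log]
        src, i = _parse_addr(tok, 2)
        sports, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dports, i = _parse_ports(tok, i)
        icmp = ICMP_TYPES.get(tok[i]) if tok[1] == "icmp" and i < len(tok) else None
        entries.append(dict(action=tok[0], proto=tok[1], src=src, sports=sports,
                            dst=dst, dports=dports, icmp=icmp, text=line))
    return entries


def _match(e, pkt):
    if e["proto"] not in ("ip", pkt.proto):
        return False
    for (base, wc), addr in ((e["src"], pkt.src), (e["dst"], pkt.dst)):
        if (_ip(addr) | wc) != (base | wc):    # compare only the bits the wildcard cares about
            return False
    if e["proto"] in ("tcp", "udp"):
        for rng, port in ((e["sports"], pkt.sport), (e["dports"], pkt.dport)):
            if rng and (port is None or not rng[0] <= port <= rng[1]):
                return False
    return e["icmp"] is None or e["icmp"] == pkt.icmp_type


def evaluate(entries, pkt):
    """First matching entry decides; IOS ends every ACL with an implicit 'deny ip any any'."""
    for e in entries:
        if _match(e, pkt):
            return e["action"], e["text"]
    return "deny", "implicit deny"
```

Moving the RFC 1918 and bogon deny lines ahead of the permits closes that gap; the evaluator then reports the deny line for the 10.0.0.0/8 packet regardless of destination port.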
  • +
    0 Votes
    NetMan1958

    If you log in to your router and run a traceroute to something like yahoo.com, how far does it get and what is the ip address of the first hop?

    +
    0 Votes
    robo_dev

    Thus a router-behind-a-firewall router complicates things a lot.

    Can you get to the web config page of the cable modem?

    +
    0 Votes
    Jantje85

    Seems you are correct.. traffic isn't getting anywhere..

    It seems the problem was/is being caused by the default route.. :S
    When I add the following to the configuration
    ip route 0.0.0.0 0.0.0.0 fastEthernet 4

    I end up with this route table:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    S* 0.0.0.0/0 is directly connected, FastEthernet4
    81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    ...
    After I again unset the default route I get this:
    Gateway of last resort is 81.82.192.1 to network 0.0.0.0

    S* 0.0.0.0/0 [254/0] via 81.82.192.1
    81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

    The routing tables are not otherwise affected, but it seems that specifying the default gateway breaks the routing of all WAN traffic; instead of being sent out F4, it's going into null...
    I will need to be able to set 2 default routes though, one out the primary interface and a second out my backup interface at a higher cost.

    Any ideas why simply manually adding a default route could break the routing?

    +
    1 Votes
    NetMan1958

    Remove any existing default route(s) and add:
    ip route 0.0.0.0 0.0.0.0 dhcp

    Post back with the results.

    +
    0 Votes
    Jantje85

    This leaves the default gateway to 81.82.192.1 (my cable modem) intact and I can still reach the WAN side..
    Gateway of last resort is 81.82.192.1 to network 0.0.0.0

    I think it also added an extra record to the routing table for my dialer..
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

    Will this handle the automatic fail-over entirely though..? As I understood it I needed 2 static routes with different weights and an echo probe to check the gateway on the cable (primary) interface..

    +
    0 Votes
    NetMan1958

    I did not see the Dialer interface in the config you posted. Maybe if you post your entire config I can get a better idea of what's going on.

    +
    0 Votes
    Jantje85

    This is the complete routing table at the moment (currently using the default route to 'dhcp' as you suggested; cf config):
    Gateway of last resort is 81.82.192.1 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 81.82.192.1
    81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C 81.82.192.0/18 is directly connected, FastEthernet4
    L 81.82.20?.???/32 is directly connected, FastEthernet4
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, BVI1
    L 192.168.1.1/32 is directly connected, BVI1
    192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.2.0/24 is directly connected, Dot11Radio0.2
    L 192.168.2.1/32 is directly connected, Dot11Radio0.2
    195.130.137.0/32 is subnetted, 1 subnets
    S 195.130.137.10 [254/0] via 81.82.192.1, FastEthernet4
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

    And this is the entire config.. only keys and passwords have been left out.

    version 15.1
    no parser cache
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service sequence-numbers
    !
    hostname MCentral
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200
    logging console notifications
    !
    aaa new-model
    !
    aaa authentication login local_authen local
    aaa authentication ppp default local
    aaa authorization exec default local
    !
    !
    aaa session-id common
    !
    clock timezone WEST 1 0
    clock summer-time WEST recurring
    !
    !
    dot11 mbssid
    dot11 syslog
    dot11 vlan-name default vlan 1
    dot11 vlan-name PubMWeb vlan 2
    !
    dot11 ssid MWeb
    vlan 1
    authentication open
    authentication key-management wpa
    mbssid guest-mode
    ! wpa-psk ascii 7 ******************
    !
    dot11 ssid PubMWeb
    vlan 2
    authentication open
    authentication key-management wpa
    mbssid guest-mode
    ! wpa-psk ascii 7 ******************
    !
    no ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.20
    ip dhcp excluded-address 192.168.2.1 192.168.2.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    !
    ip dhcp pool MWeb
    network 192.168.1.0 255.255.255.0
    domain-name MWeb
    default-router 192.168.1.1
    dns-server 192.168.1.1
    lease 30
    !
    ip dhcp pool PubNet
    network 192.168.2.0 255.255.255.0
    domain-name PubMWeb
    default-router 192.168.2.1
    dns-server 192.168.2.1
    !
    !
    ip cef
    no ip bootp server
    ip domain name MWeb
    ip name-server 8.8.8.8
    ip name-server 208.67.222.222
    ip name-server 8.8.4.4
    ip name-server 208.67.220.222
    ip inspect max-incomplete low 200
    ip inspect max-incomplete high 400
    ip inspect one-minute low 200
    ip inspect one-minute high 400
    ip inspect tcp synwait-time 15
    ip inspect name FW1 appfw FW1
    ip inspect name FW1 ftp timeout 3600
    ip inspect name FW1 h323 timeout 3600
    ip inspect name FW1 icmp timeout 360
    ip inspect name FW1 netshow timeout 3600
    ip inspect name FW1 rcmd timeout 3600
    ip inspect name FW1 realaudio timeout 3600
    ip inspect name FW1 rtsp timeout 3600
    ip inspect name FW1 esmtp timeout 3600
    ip inspect name FW1 sqlnet timeout 3600
    ip inspect name FW1 streamworks timeout 360
    ip inspect name FW1 tftp timeout 30
    ip inspect name FW1 tcp timeout 3600
    ip inspect name FW1 udp timeout 15
    ip inspect name FW1 vdolive timeout 3600
    ip inspect name FW1 https timeout 3600
    ip inspect name FW1 dns timeout 60
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    ! Track the ICMP echo to our primary WAN interface gateway with a 20s delay
    track 300 ip sla 2147483647 reachability
    delay down 20
    !
    !
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    description Downlink to Private LAN Switch.
    switchport mode trunk
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    spanning-tree portfast
    !
    interface FastEthernet3
    description WAN DSL interface through VLAN 5
    switchport access vlan 5
    no ip address
    !
    interface FastEthernet4
    description WAN Cable Interface
    ip address dhcp
    ip access-group ACL-Internet-Inbound in
    ip nat outside
    ip inspect FW1 in
    ip inspect FW1 out
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    no dot11 extension aironet
    !
    encryption vlan 1 mode ciphers aes-ccm
    !
    encryption vlan 2 mode ciphers aes-ccm
    !
    ssid MWeb
    !
    ssid PubMWeb
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    !
    interface Dot11Radio0.1
    description Main Wireless by MWeb
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio0.2
    description Guest Wireless by MWeb
    bandwidth 2000
    encapsulation dot1Q 2
    ip address 192.168.2.1 255.255.255.0
    ip access-group Guest-ACL in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip inspect FW1 out
    ip virtual-reassembly in
    no cdp enable
    !
    interface Vlan1
    description Internal Private LAN
    no ip address
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan5
    description VLAN to isolate DSL dialer
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    pppoe-client dial-pool-number 1
    !
    interface Dialer1
    description WAN link to Scarlet
    ip address negotiated
    ip access-group ACL-Internet-Inbound in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip inspect FW1 in
    ip inspect FW1 out
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ! ppp chap hostname **************
    ! ppp chap password 7 **************
    ppp ipcp dns request
    ppp ipcp address accept
    no cdp enable
    !
    interface BVI1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip inspect FW1 out
    ip virtual-reassembly in
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 5
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    ip dns server
    ip dns spoofing
    ip nat pool DJanPool 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
    ip nat pool LServ1Pool 192.168.1.7 192.168.1.7 netmask 255.255.255.0 type rotary
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source list 2 interface Dialer1 overload
    ip nat inside destination list DJanF pool DJanPool
    ip nat inside destination list LServ1F pool LServ1Pool
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ! We need these for automatic failover, but they make Null0 our gateway of last resort
    ! breaking all WAN connectivity
    !ip route 0.0.0.0 0.0.0.0 FastEthernet4 track 300
    !ip route 0.0.0.0 0.0.0.0 Dialer1 250
    !
    ip access-list extended ACL-Internet-Inbound
    remark Restrict access from the internet to the LAN.
    permit udp any eq bootps any eq bootpc
    permit udp any eq domain any
    permit udp any eq ntp any eq ntp
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    permit gre any any
    permit esp any any
    permit udp any any eq 8887
    permit udp any any eq 41170
    permit tcp any any range 10500 12500
    permit tcp any any eq www
    permit tcp any any eq 3306
    permit tcp any any eq 5901
    permit tcp any any eq 9418
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    deny ip any any log
    ip access-list extended DJanF
    permit udp any any eq 8887
    permit udp any any eq 41170
    permit tcp any any range 10500 12500
    ip access-list extended Guest-ACL
    deny ip host 255.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip any 192.168.1.0 0.0.0.255
    permit ip any any
    ip access-list extended LServ1F
    permit tcp any any eq smtp
    permit tcp any any eq 3306
    permit tcp any any eq 5901
    permit tcp any any eq www
    ip access-list extended object-track
    permit icmp any host 81.82.192.1
    !
    ! Send ICMP echos to our cable gateway..
    ip sla 2147483647
    icmp-echo 81.82.192.1 source-interface FastEthernet4
    frequency 5
    ip sla schedule 2147483647 life forever start-time now
    logging esm config
    logging trap notifications
    access-list 1 remark Allow only the private VLAN access to the cable uplink.
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark Allow all VLANs access to the DSL line.
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 192.168.2.0 0.0.0.255
    access-list 5 remark HTTP Access-class list
    access-list 5 remark SDM_ACL Category=1
    access-list 5 permit 192.168.1.0 0.0.0.255
    access-list 5 deny any
    dialer-list 1 protocol ip list 2
    no cdp run
    !
    !
    !Send the ICMP echos to Null0 when our primary WAN interface is down
    route-map OT permit 300
    match ip address object-track
    set ip next-hop 81.82.192.1
    set interface Null0
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    login authentication local_authen
    no modem enable
    transport preferred none
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class 102 in
    login authentication local_authen
    transport preferred none
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 81.246.92.139
    ntp server 81.246.92.140
    ntp server 193.110.251.50
    ntp server 93.94.105.122
    end

    +
    0 Votes
    NetMan1958

    What if you leave the "ip route 0.0.0.0 0.0.0.0 dhcp" in and add only "ip route 0.0.0.0 0.0.0.0 Dialer1 250"? What does the route table look like then?

    +
    0 Votes
    Jantje85

    It doesn't seem to have any effect as long as F4 remains up... once it goes down, however, it sends all WAN traffic to the null interface again, so no failover to Dialer1..

    This is the routing table with no changes other than the extra ip route..
    Gateway of last resort is 81.82.192.1 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 81.82.192.1
    81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C 81.82.192.0/18 is directly connected, FastEthernet4
    L 81.82.2??.???/32 is directly connected, FastEthernet4
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, BVI1
    L 192.168.1.1/32 is directly connected, BVI1
    192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.2.0/24 is directly connected, Dot11Radio0.2
    L 192.168.2.1/32 is directly connected, Dot11Radio0.2
    195.130.137.0/32 is subnetted, 1 subnets
    S 195.130.137.10 [254/0] via 81.82.192.1, FastEthernet4
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

    This is the routing table with f4 unplugged:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    S* 0.0.0.0/0 is directly connected, Dialer1
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, BVI1
    L 192.168.1.1/32 is directly connected, BVI1
    192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.2.0/24 is directly connected, Dot11Radio0.2
    L 192.168.2.1/32 is directly connected, Dot11Radio0.2
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

    +
    0 Votes
    NetMan1958

    But then I've never tried to configure fail-over using DSL and/or dynamic IPs before. Let me think on this a little and I will try to come up with something.
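The exchange above involves three kinds of default route: the one the DHCP client installs on its own (shown as [254/0]), the one "ip route 0.0.0.0 0.0.0.0 dhcp" installs (shown as [1/0]) and the interface-only and floating-static forms. As an added example, not code from the thread, the Python below parses the quoted "show ip route" lines (abridged, with the redacted host address replaced by the constructed 81.82.200.100), resolves a destination to its next hop and egress interface with the recursive longest-prefix lookup IOS uses for a next-hop-only route, and models which of the candidate default routes named in the thread is installed given administrative distance, interface state and the tracked object. The distances are those visible in the tables (254, 1 and 250; a plain static route has distance 1). Equal-cost ties and the route-map are not modelled.

```python
"""Model of the default-route behaviour discussed in this thread (added example,
not from the post): a parser for the quoted 'show ip route' lines with recursive
longest-prefix lookup, and a model of which candidate default route is installed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    code: str                      # S*, S, C, L as printed by IOS
    prefix: ipaddress.IPv4Network
    ad: int = 0                    # administrative distance from the [AD/metric] field
    metric: int = 0
    next_hop: Optional[str] = None
    interface: Optional[str] = None


# Table with FastEthernet4 up, copied from the thread and abridged; the
# redacted /32 host address is replaced by the constructed 81.82.200.100.
TABLE_F4_UP = """\
Gateway of last resort is 81.82.192.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 81.82.192.1
81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 81.82.192.0/18 is directly connected, FastEthernet4
L 81.82.200.100/32 is directly connected, FastEthernet4
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, BVI1
L 192.168.1.1/32 is directly connected, BVI1
213.49.94.0/32 is subnetted, 2 subnets
C 213.49.94.1 is directly connected, Dialer1
C 213.49.94.153 is directly connected, Dialer1
"""

# The same table with FastEthernet4 unplugged (abridged from the thread).
TABLE_F4_DOWN = """\
S* 0.0.0.0/0 is directly connected, Dialer1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, BVI1
L 192.168.1.1/32 is directly connected, BVI1
213.49.94.0/32 is subnetted, 2 subnets
C 213.49.94.1 is directly connected, Dialer1
C 213.49.94.153 is directly connected, Dialer1
"""


def parse_show_ip_route(text):
    routes, parent_len = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Gateway of last resort"):
            continue
        if "subnetted" in line:            # parent line of a classful block; its child
            net = line.split()[0]          # lines omit the mask unless "variably subnetted"
            parent_len = None if "variably" in line else int(net.split("/")[1])
            continue
        tok = line.split()
        prefix = tok[1] if "/" in tok[1] else f"{tok[1]}/{parent_len}"
        r = Route(tok[0], ipaddress.IPv4Network(prefix, strict=False))
        if m := re.search(r"\[(\d+)/(\d+)\]", line):
            r.ad, r.metric = int(m[1]), int(m[2])
        if m := re.search(r"via (\d+\.\d+\.\d+\.\d+)", line):
            r.next_hop = m[1]
        if "," in line:                    # "..., FastEthernet4" names the egress interface
            r.interface = line.rsplit(",", 1)[1].strip()
        routes.append(r)
    return routes


def lookup(routes, dst):
    """Longest-prefix match for one destination address."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(routes, dst, depth=4):
    """Resolve to (next_hop, interface). A next-hop-only route (the 'via 81.82.192.1'
    default) is resolved recursively through the connected route covering its next
    hop, as IOS does. Returns (None, None) if it cannot be resolved."""
    route = lookup(routes, dst)
    if route is None or depth == 0:
        return None, None
    if route.interface:
        return route.next_hop, route.interface
    _, intf = resolve(routes, route.next_hop, depth - 1)
    return (route.next_hop, intf) if intf else (None, None)


@dataclass
class Candidate:
    name: str
    ad: int
    interface: str                  # the route is withdrawn when this interface is down
    tracked: Optional[str] = None   # tracked object the route depends on, if any


def select_default(candidates, up_interfaces, tracks_up=()):
    """Lowest administrative distance among the candidates still eligible
    (interface up, tracked object up). Equal-distance ties are not modelled."""
    ok = [c for c in candidates if c.interface in up_interfaces
          and (c.tracked is None or c.tracked in tracks_up)]
    return min(ok, key=lambda c: c.ad, default=None)


# The candidates that appear in the thread, with the distances its tables show.
DHCP_LEARNED = Candidate("DHCP-learned default", 254, "FastEthernet4")
STATIC_DHCP = Candidate("ip route 0.0.0.0 0.0.0.0 dhcp", 1, "FastEthernet4")
TRACKED_F4 = Candidate("ip route 0.0.0.0 0.0.0.0 FastEthernet4 track 300", 1, "FastEthernet4", "track 300")
FLOATING_DSL = Candidate("ip route 0.0.0.0 0.0.0.0 Dialer1 250", 250, "Dialer1")
```

One thing the model makes visible: a floating static at distance 250 is preferred over the DHCP-installed default at 254, so with only those two routes present the DSL link would carry all traffic even while the cable link is up; pairing the floating static with a distance-1 route on the cable side, whether the dhcp form or a tracked static, gives the intended order. A separate point the model does not cover: a default route that names an Ethernet interface but no next hop, as in the original post, makes the router ARP for every remote destination and only works if the upstream gateway answers with proxy ARP, whereas the dhcp keyword uses the gateway learned by DHCP as the next hop.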

    ip dns spoofing
    ip nat pool DJanPool 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
    ip nat pool LServ1Pool 192.168.1.7 192.168.1.7 netmask 255.255.255.0 type rotary
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source list 2 interface Dialer1 overload
    ip nat inside destination list DJanF pool DJanPool
    ip nat inside destination list LServ1F pool LServ1Pool
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ! We need these for automatic failover, but they make Null0 our gateway of last resort
    ! breaking all WAN connectivity
    !ip route 0.0.0.0 0.0.0.0 FastEthernet4 track 300
    !ip route 0.0.0.0 0.0.0.0 Dialer1 250
    !
    ip access-list extended ACL-Internet-Inbound
    remark Restrict access from the internet to the LAN.
    permit udp any eq bootps any eq bootpc
    permit udp any eq domain any
    permit udp any eq ntp any eq ntp
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    permit gre any any
    permit esp any any
    permit udp any any eq 8887
    permit udp any any eq 41170
    permit tcp any any range 10500 12500
    permit tcp any any eq www
    permit tcp any any eq 3306
    permit tcp any any eq 5901
    permit tcp any any eq 9418
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    deny ip any any log
    ip access-list extended DJanF
    permit udp any any eq 8887
    permit udp any any eq 41170
    permit tcp any any range 10500 12500
    ip access-list extended Guest-ACL
    deny ip host 255.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip any 192.168.1.0 0.0.0.255
    permit ip any any
    ip access-list extended LServ1F
    permit tcp any any eq smtp
    permit tcp any any eq 3306
    permit tcp any any eq 5901
    permit tcp any any eq www
    ip access-list extended object-track
    permit icmp any host 81.82.192.1
    !
    ! Send ICMP echos to our cable gateway..
    ip sla 2147483647
    icmp-echo 81.82.192.1 source-interface FastEthernet4
    frequency 5
    ip sla schedule 2147483647 life forever start-time now
    logging esm config
    logging trap notifications
    access-list 1 remark Allow only the private VLAN access to the cable uplink.
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark Allow all VLANs access to the DSL line.
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 192.168.2.0 0.0.0.255
    access-list 5 remark HTTP Access-class list
    access-list 5 remark SDM_ACL Category=1
    access-list 5 permit 192.168.1.0 0.0.0.255
    access-list 5 deny any
    dialer-list 1 protocol ip list 2
    no cdp run
    !
    !
    ! Send the ICMP echoes to Null0 when our primary WAN interface is down
    route-map OT permit 300
    match ip address object-track
    set ip next-hop 81.82.192.1
    set interface Null0
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    login authentication local_authen
    no modem enable
    transport preferred none
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class 102 in
    login authentication local_authen
    transport preferred none
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 81.246.92.139
    ntp server 81.246.92.140
    ntp server 193.110.251.50
    ntp server 93.94.105.122
    end

    NetMan1958

    What if you leave the "ip route 0.0.0.0 0.0.0.0 dhcp" in and add only "ip route 0.0.0.0 0.0.0.0 Dialer1 250"? What does the route table look like then?

    Jantje85

    It doesn't seem to have any effect as long as f4 remains up... Once it goes down, however, it sends all WAN traffic to the null interface again, so no failover to Dialer1.

    This is the routing table with no changes other than the extra ip route:
    Gateway of last resort is 81.82.192.1 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 81.82.192.1
    81.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C 81.82.192.0/18 is directly connected, FastEthernet4
    L 81.82.2??.???/32 is directly connected, FastEthernet4
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, BVI1
    L 192.168.1.1/32 is directly connected, BVI1
    192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.2.0/24 is directly connected, Dot11Radio0.2
    L 192.168.2.1/32 is directly connected, Dot11Radio0.2
    195.130.137.0/32 is subnetted, 1 subnets
    S 195.130.137.10 [254/0] via 81.82.192.1, FastEthernet4
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

    This is the routing table with f4 unplugged:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    S* 0.0.0.0/0 is directly connected, Dialer1
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, BVI1
    L 192.168.1.1/32 is directly connected, BVI1
    192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.2.0/24 is directly connected, Dot11Radio0.2
    L 192.168.2.1/32 is directly connected, Dot11Radio0.2
    213.49.94.0/32 is subnetted, 2 subnets
    C 213.49.94.1 is directly connected, Dialer1
    C 213.49.94.153 is directly connected, Dialer1

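As an added example (not from the thread), a small Python helper that parses the two `show ip route` captures above and reports which uplink currently holds the default route, so the cable-up and cable-unplugged states can be checked from a script instead of by eye. The embedded captures are trimmed copies of the ones Jan posted, and the 81.82.192.1 gateway match is an assumption taken from the ip sla target in his config.

```python
import re

# Constructed sample: trimmed copies of the two captures quoted in the thread.
ROUTE_F4_UP = """\
Gateway of last resort is 81.82.192.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 81.82.192.1
C 81.82.192.0/18 is directly connected, FastEthernet4
C 192.168.1.0/24 is directly connected, BVI1
S 195.130.137.10 [254/0] via 81.82.192.1, FastEthernet4
C 213.49.94.1 is directly connected, Dialer1
"""
ROUTE_F4_DOWN = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer1
C 192.168.1.0/24 is directly connected, BVI1
C 213.49.94.1 is directly connected, Dialer1
"""
# One IOS route line: code, prefix, optional [AD/metric], optional next hop, optional interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<nexthop>\d+(?:\.\d+){3}))?"
    r"(?:\s+is directly connected)?"
    r"(?:,\s*(?P<iface>\S+))?\s*$"
)
CABLE_GATEWAY = "81.82.192.1"  # assumption: the ip sla target from Jan's config

def parse_routes(show_ip_route):
    """One dict per route line; summary lines like '81.0.0.0/8 is variably subnetted' are skipped."""
    matches = (ROUTE_RE.match(line.strip()) for line in show_ip_route.splitlines())
    return [m.groupdict() for m in matches if m]

def default_route(show_ip_route):
    """Return (next_hop, egress_interface, admin_distance) for 0.0.0.0/0, or None if absent."""
    for r in parse_routes(show_ip_route):
        if r["prefix"] == "0.0.0.0/0":
            ad = int(r["ad"]) if r["ad"] else None  # interface static routes print no [AD/metric]
            return r["nexthop"], r["iface"], ad
    return None

def wan_path(show_ip_route):
    """Which uplink carries the default route: 'cable', 'dsl', 'none' or 'unknown'."""
    d = default_route(show_ip_route)
    if d is None:
        return "none"
    nexthop, iface, _ = d
    if iface == "Dialer1":
        return "dsl"
    if nexthop == CABLE_GATEWAY or iface == "FastEthernet4":
        return "cable"
    return "unknown"
```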
    NetMan1958

    But then I've never tried to configure fail-over using DSL and/or dynamic IPs before. Let me think on this a little and I will try to come up with something.