Regarding Cisco 871w DHCP Configuration Worksheet - Cable modem

the.meing
Forgive me as I am a beginner with Cisco IOS... I followed the worksheet and am able to get IPs on all machines, both wired and wireless, and can ping the gateway. I am unable to browse or ping outside the router. Here's my 871 config:

Building configuration...

Current configuration : 5527 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MeingsRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fxeS$Ghj9nBsKaBPo.7/Ymw69n/
enable password 7 120D0D441F585D0A2D
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Internal-Net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name computersolutions.com
dns-server 24.25.4.103
lease 7
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name computersolutions.com
lease 7
!
ip dhcp pool Internal-net
dns-server 24.25.4.103
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name computersolutions.com
ip name-server 24.25.4.103
ip name-server 24.25.4.104
ip name-server 192.168.1.1
!
!
crypto pki trustpoint TP-self-signed-1884494949
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1884494949
revocation-check none
rsakeypair TP-self-signed-1884494949
!
!
crypto pki certificate chain TP-self-signed-1884494949
certificate self-signed 01
3082025C 308201C5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383834 34393439 3439301E 170D3032 30343037 30303039
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38383434
39343934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009E06 CECC55F7 07A02865 4DF265D9 9A164E26 66335A95 B338100C 02F5033C
9C3334F7 36946F76 1DC5106E 9A25F042 C43820AD 3BAB99AC 2013D6A8 5D9EC139
57133788 161B4490 152B90BC 7358ACC1 EFF557A5 92B2F530 482A397E 1C21C4CD
828D9C67 4CF540EF 0609E974 6510D961 75A1F9CA 9939444B DFA3767A 7B0B296E
42550203 010001A3 81833081 80300F06 03551D13 0101FF04 05300301 01FF302D
0603551D 11042630 2482224D 65696E67 73526F75 7465722E 636F6D70 75746572
736F6C75 74696F6E 732E636F 6D301F06 03551D23 04183016 8014C4F6 F7B31516
65694A16 74EE2C00 703E0654 A2DB301D 0603551D 0E041604 14C4F6F7 B3151665
694A1674 EE2C0070 3E0654A2 DB300D06 092A8648 86F70D01 01040500 03818100
81F37EF9 C1E9FD96 F4CB2A62 9ED56F08 F84E55BA 71EBF8A2 CFC1E0CA 4DCD6D5B
3273F870 1EF52506 89717E69 DF6D1E4A 28F46123 375CA5F4 0F948749 06D1C177
C1F6E7DF DD3ADEAA 90E43FE3 4B1FDDA3 5C95C263 CABE2A5F A6BBB6E3 4FC84093
44D36304 E75FFD87 C53B9B4F E56D9D64 76FFE763 DF221EC0 04284495 2E22C93B
quit
username the-meing privilege 15 password 7 00101B5509085A0808
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group Internet-inbound-acl in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid GuestWLAN
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 045C1E551C355F1D0A0B5603
!
ssid InternalWLAN
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 0836401A070A5614005818
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-acl in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip dns server
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-acl
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
exec-timeout 90 0
password 7 0456585701265F5C590C114400
no modem enable
line aux 0
line vty 0 4
password 7 020B570A05011C331C5B1D4A17
!
scheduler max-task-time 5000
end


Any suggestions ideas?

Thanks much!
    CG IT

    The end statement on all access lists is deny. This is an implicit line statement. You do not see this as an end statement on any access list. So if you use an access list, the last command is deny [though you don't see it and you can't turn it off].


    The basic rule of thumb in troubleshooting access lists is to first disable all access lists and see if that solves the problem. Then work your way through what you want to allow and deny line by line. Cisco IOS is not easy to configure, and it takes planning.

    The other thing that puzzles me is the two local addresses 192.168.1.1/24 and 192.168.2.1/24 for VLAN 20.

    Are you specifically trying to VLAN some ports on the router into a different subnet?
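The first-match-then-implicit-deny evaluation CG IT describes, as an added example that is not part of the thread: a small Python simulator that parses the two named ACLs from the first config the.meing posted (an excerpt is embedded below), applies IOS semantics (the first matching entry decides, and a packet that matches nothing is dropped), and runs a few constructed packets through them. It also checks that every `ip access-group ... in` on an interface names an ACL that is actually defined with that exact spelling: IOS treats named-ACL names as case-sensitive, and an access-group that refers to an undefined list passes all traffic. The public addresses (203.0.113.x, 198.51.100.x), the client ports and the `ip()`/`evaluate()` helpers are this example's own constructions, and the simulator models only the static entries, not the temporary openings that `ip inspect MYFW out` on FastEthernet4 creates for TCP and UDP sessions it has seen leave.

```python
import ipaddress

# Constructed excerpt of the first config posted above: only the lines this check reads.
CONFIG = """
interface FastEthernet4
 ip access-group Internet-inbound-acl in
 ip inspect MYFW out
interface Dot11Radio0.20
 ip access-group Guest-acl in
ip access-list extended Guest-ACL
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-acl
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def ip(s: str) -> int:
    """Dotted quad -> integer, so wildcard masks can be applied with plain bit ops."""
    return int(ipaddress.IPv4Address(s))


def _addr(tok, i):
    """Consume one IOS address spec at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0), i + 2
    return (ip(tok[i]), ip(tok[i + 1])), i + 2


def _port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_entry(tok):
    """One permit/deny line of an extended ACL -> dict of its match fields."""
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    icmp = tok[i] if proto == "icmp" and i < len(tok) else None
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, icmp=icmp)


def parse_config(text):
    """Return ({acl name: [entries]}, {interface: ACL name applied inbound})."""
    acls, applied, cur_acl, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_if = tok[3], None
            acls[cur_acl] = []
        elif tok[0] == "interface":
            cur_if, cur_acl = tok[1], None
        elif cur_if and tok[:2] == ["ip", "access-group"] and tok[-1] == "in":
            applied[cur_if] = tok[2]
        elif cur_acl and tok[0] in ("permit", "deny"):
            acls[cur_acl].append(parse_entry(tok))
    return acls, applied


def _matches(addr, spec):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return (addr & ~wild) == (base & ~wild)


def evaluate(acl, pkt):
    """IOS semantics: the first matching entry decides; nothing matches -> implicit deny."""
    for n, e in enumerate(acl, 1):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_matches(pkt["src"], e["src"]) and _matches(pkt["dst"], e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["icmp"] is not None and e["icmp"] != pkt.get("icmp"):
            continue
        return f"{e['action']} (line {n})"
    return "deny (implicit)"


def undefined_access_groups(acls, applied):
    """Interfaces whose inbound access-group names no ACL with that exact, case-sensitive name."""
    return {ifc: name for ifc, name in applied.items() if name not in acls}


WAN = ip("203.0.113.10")  # constructed stand-in for the DHCP-assigned address on FastEthernet4
# Constructed return traffic arriving on FastEthernet4, i.e. what Internet-inbound-acl sees.
RETURN_TRAFFIC = {
    "dhcp offer": dict(proto="udp", src=ip("203.0.113.1"), sport=67, dst=ip("255.255.255.255"), dport=68),
    "dns reply": dict(proto="udp", src=ip("24.25.4.103"), sport=53, dst=WAN, dport=40123),
    "http reply": dict(proto="tcp", src=ip("198.51.100.7"), sport=80, dst=WAN, dport=51000),
    "echo-reply": dict(proto="icmp", src=ip("198.51.100.7"), dst=WAN, icmp="echo-reply"),
}


def inbound_verdicts():
    """What the static WAN list alone lets back in (CBAC openings are not modelled)."""
    acls, _ = parse_config(CONFIG)
    return {k: evaluate(acls["Internet-inbound-acl"], p) for k, p in RETURN_TRAFFIC.items()}


def guest_verdicts():
    """Guest-to-LAN and guest-to-Internet verdicts, plus any dangling access-group references."""
    acls, applied = parse_config(CONFIG)
    guest = ip("192.168.2.50")
    to_lan = dict(proto="tcp", src=guest, sport=50000, dst=ip("192.168.1.10"), dport=445)
    to_net = dict(proto="tcp", src=guest, sport=50000, dst=ip("198.51.100.7"), dport=80)
    return (evaluate(acls["Guest-ACL"], to_lan), evaluate(acls["Guest-ACL"], to_net),
            undefined_access_groups(acls, applied))


if __name__ == "__main__":
    for name, verdict in inbound_verdicts().items():
        print(f"{name:11} -> {verdict}")
    print(guest_verdicts())
```

Run it and the verdicts show what the static list alone lets back in on FastEthernet4: the DHCP offer and the ICMP echo-reply are permitted by explicit lines, while DNS and HTTP replies fall through to the implicit deny and depend entirely on the openings that the CBAC inspection creates. Since echo-replies are permitted statically, a ping to the outside that still fails points at routing or NAT rather than at this list, which is consistent with chris's suggestion further down. The second check reports `Dot11Radio0.20` referencing `Guest-acl` while the list is defined as `Guest-ACL`; because IOS compares those names case-sensitively, the guest interface was pointing at an undefined list, and the guest-to-internal deny was not in force. Note also that the second config the.meing posted drops both ACLs rather than fixing them: that removes the guest isolation and leaves FastEthernet4 with no inbound list at all, so as posted the `ip http server`, `ip http secure-server` and vty services are reachable on the cable-modem address with password-only authentication.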

    the.meing

    I think I've made the changes that you suggested... Here's my config now:

    MeingsRouter#sh ru
    Building configuration...

    Current configuration : 5012 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname MeingsRouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$fxeS$Ghj9nBsKaBPo.7/Ymw69n/
    enable password 7 120D0D441F585D0A2D
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.99
    ip dhcp excluded-address 192.168.2.1 192.168.2.99
    !
    ip dhcp pool Internal-Net
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    domain-name computersolutions.com
    lease 7
    !
    ip dhcp pool VLAN20
    import all
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.1
    domain-name computersolutions.com
    lease 7
    !
    !
    ip inspect name MYFW tcp
    ip inspect name MYFW udp
    no ip domain lookup
    ip domain name computersolutions.com
    !
    !
    crypto pki trustpoint TP-self-signed-1884494949
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1884494949
    revocation-check none
    rsakeypair TP-self-signed-1884494949
    !
    !
    crypto pki certificate chain TP-self-signed-1884494949
    certificate self-signed 01
    3082025C 308201C5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31383834 34393439 3439301E 170D3032 30343037 30303039
    30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38383434
    39343934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    81009E06 CECC55F7 07A02865 4DF265D9 9A164E26 66335A95 B338100C 02F5033C
    9C3334F7 36946F76 1DC5106E 9A25F042 C43820AD 3BAB99AC 2013D6A8 5D9EC139
    57133788 161B4490 152B90BC 7358ACC1 EFF557A5 92B2F530 482A397E 1C21C4CD
    828D9C67 4CF540EF 0609E974 6510D961 75A1F9CA 9939444B DFA3767A 7B0B296E
    42550203 010001A3 81833081 80300F06 03551D13 0101FF04 05300301 01FF302D
    0603551D 11042630 2482224D 65696E67 73526F75 7465722E 636F6D70 75746572
    736F6C75 74696F6E 732E636F 6D301F06 03551D23 04183016 8014C4F6 F7B31516
    65694A16 74EE2C00 703E0654 A2DB301D 0603551D 0E041604 14C4F6F7 B3151665
    694A1674 EE2C0070 3E0654A2 DB300D06 092A8648 86F70D01 01040500 03818100
    81F37EF9 C1E9FD96 F4CB2A62 9ED56F08 F84E55BA 71EBF8A2 CFC1E0CA 4DCD6D5B
    3273F870 1EF52506 89717E69 DF6D1E4A 28F46123 375CA5F4 0F948749 06D1C177
    C1F6E7DF DD3ADEAA 90E43FE3 4B1FDDA3 5C95C263 CABE2A5F A6BBB6E3 4FC84093
    44D36304 E75FFD87 C53B9B4F E56D9D64 76FFE763 DF221EC0 04284495 2E22C93B
    quit
    username the-meing privilege 15 password 7 00101B5509085A0808
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    spanning-tree portfast
    !
    interface FastEthernet1
    spanning-tree portfast
    !
    interface FastEthernet2
    spanning-tree portfast
    !
    interface FastEthernet3
    spanning-tree portfast
    !
    interface FastEthernet4
    ip address dhcp
    ip inspect MYFW out
    ip nat outside
    ip virtual-reassembly
    ip tcp adjust-mss 1460
    duplex auto
    speed auto
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    !
    encryption vlan 1 mode ciphers tkip
    !
    encryption vlan 20 mode ciphers tkip
    !
    ssid GuestWLAN
    vlan 20
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 045C1E551C355F1D0A0B5603
    !
    ssid InternalWLAN
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 0836401A070A5614005818
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2462
    station-role root
    no dot11 extension aironet
    no cdp enable
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no snmp trap link-status
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio0.2
    !
    interface Dot11Radio0.20
    description Guest wireless LAN - routed WLAN
    encapsulation dot1Q 20
    ip address 192.168.2.1 255.255.255.0
    ip inspect MYFW out
    ip nat inside
    ip virtual-reassembly
    no snmp trap link-status
    !
    interface Vlan1
    description Internal Network
    no ip address
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    description Bridge to Internal Network
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ip http server
    ip http secure-server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip dns server
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 192.168.2.0 0.0.0.255
    !
    control-plane
    !
    bridge 1 route ip
    !
    line con 0
    exec-timeout 90 0
    password 7 0456585701265F5C590C114400
    no modem enable
    line aux 0
    line vty 0 4
    password 7 020B570A05011C331C5B1D4A17
    !
    scheduler max-task-time 5000
    end

    What may also help you to understand what I did is at this address:

    http://downloads.techrepublic.com.com/abstract.aspx?docid=258359

    Thanks again!

    chris

    I added
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    where x.x.x.x is your known gateway address for your cable modem. I left both ip route statements in.

    mcgauley

    Meing,

    I would not post your config with type 7 passwords; they are very easy to decrypt. I would suggest you not use that password any more, and if you are one of those that use the same password everywhere, I would change those too.
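mcgauley's point, as an added example that is not from the thread: `service password-encryption` in the posted configs produces "type 7" strings (the `enable password 7`, `username ... password 7`, line `password 7` and `wpa-psk ascii 7` entries). Type 7 is a fixed XOR of each password byte against a key string that ships in every IOS image, with the first two digits of the stored value giving the starting offset into that key. The Python below implements both directions and scans a config excerpt for such strings. The excerpt is constructed for this example, its encoded values were produced with the `encode_type7` routine shown here, and none of them are the strings from the thread.

```python
import re

# The fixed XOR key baked into IOS for type 7 "encryption"; it is not secret.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches the type 7 forms seen in an IOS config: "password 7 <hex>" and "wpa-psk ascii 7 <hex>".
TYPE7_RE = re.compile(r"\b(?:password|ascii) 7 ([0-9A-Fa-f]{4,})\b")


def decode_type7(encoded: str) -> str:
    """Recover the cleartext: a two-digit decimal offset, then one hex byte per character,
    each XORed with the key byte at (offset + position) mod len(key)."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """The same operation in the other direction; IOS chooses the seed itself."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{out.hex().upper()}"


def find_type7(config_text: str) -> list:
    """Return (config line, recovered cleartext) for every type 7 string in a config dump."""
    hits = []
    for raw in config_text.splitlines():
        m = TYPE7_RE.search(raw)
        if m:
            hits.append((raw.strip(), decode_type7(m.group(1))))
    return hits


# Constructed config excerpt; the type 7 values were produced with encode_type7 above,
# and the "enable secret 5" line is a placeholder, not a real hash.
SAMPLE_CONFIG = """
enable secret 5 $1$example$notreversible
enable password 7 094F471A1A0A
username admin privilege 15 password 7 02050D480809
line vty 0 4
 password 7 110E0C000406
"""

if __name__ == "__main__":
    for line, clear in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {clear!r}")
```

Type 7 hides a password from a glance over someone's shoulder and nothing more. `enable secret` (the type 5 MD5 line already present in the config, which IOS uses in preference to `enable password` when both are set) and `username ... secret` are one-way hashes; the `enable password 7` line adds no protection and can simply be removed. A wireless pre-shared key has to be stored recoverably, so the `wpa-psk ascii 7` lines should be treated as cleartext. Scrub them, together with every `password 7` line, before posting a config, and rotate any key or password that has already been published.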