Cisco 871 with cable modem conf not enabling WAN traffic - TechRepublic
Question
October 11, 2011 at 03:20 AM
jantje85

by jantje85 . Updated 14 years, 8 months ago

Dear all,

I have been trying for the past few days to migrate my Cisco 871, currently configured with a DSL modem, to use my new cable modem. It has been a few years, though, since I last had to make any major changes to it and I seem to have lost my ‘touch’ – if ever I had it…

Eventually I intend to have it fail over from the cable modem to the DSL line by putting a switched port in a VLAN and placing the dialer on that… but first I have to get the cable modem working on the WAN port. The WAN interface is assigned an IP just fine through DHCP and there's a static default route pointing to the interface, but I cannot ping anything outside my network – not even from the router itself.

I might be overlooking something really simple, but I can’t seem to find the issue. Most of the new config is just copied over from my old DSL config, so I think bad access lists can’t be to blame.

I am running the Advanced IP Services image; I have pasted my configuration below.

Any advice you could offer would be greatly appreciated.

Kind Regards,
Jan
——
version 15.1
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers

hostname Central

boot-start-marker
boot-end-marker

security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console notifications
!enable secret 5 *****

aaa new-model

aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec default local

aaa session-id common

clock timezone WEST 1 0
clock summer-time WEST recurring
no ip source-route
ip cef

service dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.1.240 192.168.1.254

ip dhcp pool PrivNet
import all
network 192.168.1.0 255.255.255.0
domain-name MWeb
default-router 192.168.1.1
dns-server 192.168.1.1
lease 30

ip dhcp pool PubNet
import all
network 192.168.2.0 255.255.255.0
domain-name PubMWeb
default-router 192.168.2.1
dns-server 192.168.2.1

dot11 mbssid
dot11 vlan-name default vlan 1
dot11 vlan-name PubMWeb vlan 2

dot11 ssid MWeb
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
!wpa-psk ascii 7 ***********

dot11 ssid PubMWeb
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
!wpa-psk ascii 7 ***********

ip tcp synwait-time 10
no ip bootp server
ip domain name MWeb
ip name-server 8.8.8.8
ip name-server 208.67.222.222
ip name-server 8.8.4.4
ip name-server 208.67.220.222
ip ssh time-out 60
ip ssh authentication-retries 2

ip inspect max-incomplete low 200
ip inspect max-incomplete high 400
ip inspect one-minute low 200
ip inspect one-minute high 400
ip inspect tcp synwait-time 15
ip inspect name FW1 appfw FW1
ip inspect name FW1 ftp timeout 3600
ip inspect name FW1 h323 timeout 3600
ip inspect name FW1 icmp timeout 360
ip inspect name FW1 netshow timeout 3600
ip inspect name FW1 rcmd timeout 3600
ip inspect name FW1 realaudio timeout 3600
ip inspect name FW1 rtsp timeout 3600
ip inspect name FW1 esmtp timeout 3600
ip inspect name FW1 sqlnet timeout 3600
ip inspect name FW1 streamworks timeout 360
ip inspect name FW1 tftp timeout 30
ip inspect name FW1 tcp timeout 3600
ip inspect name FW1 udp timeout 15
ip inspect name FW1 vdolive timeout 3600
ip inspect name FW1 https timeout 3600
ip inspect name FW1 dns timeout 60

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

interface Null0
no ip unreachables

interface FastEthernet0
description Downlink to Private LAN Switch.
switchport mode trunk
no ip address
no shutdown

interface FastEthernet1
no cdp enable
no shutdown

interface FastEthernet2
no cdp enable
no shutdown

interface FastEthernet3
no cdp enable
no shutdown

interface FastEthernet4
description WAN
ip address dhcp
ip access-group ACL-Internet-Inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip inspect FW1 in
ip inspect FW1 out
ip flow ingress
duplex auto
speed auto
no cdp enable
no shutdown

interface Dot11Radio0
no ip address
no dot11 extension aironet
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid MWeb
ssid PubMWeb
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
mbssid
station-role root
no cdp enable
no shutdown

interface Dot11Radio0.1
description Main Wireless by MWeb
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled

interface Dot11Radio0.2
description Guest Wireless by MWeb
bandwidth 2000
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect FW1 out
ip nat inside
ip virtual-reassembly in

interface Vlan1
description Internal Private LAN
bridge-group 1
bridge-group 1 spanning-disabled

interface BVI1
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip inspect FW1 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no shutdown

ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip dns server
ip dns spoofing
ip nat pool DJanPool 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
ip nat pool LServ1Pool 192.168.1.7 192.168.1.7 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside destination list DJanF pool DJanPool
ip nat inside destination list LServ1F pool LServ1Pool
ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip access-list extended ACL-Internet-Inbound
remark Restrict access from the internet to the LAN.
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit udp host 81.246.92.139 eq ntp any eq ntp
permit udp any eq ntp any eq ntp
deny ip 192.168.2.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit gre any any
permit esp any any
permit udp any any eq 8887
permit udp any any eq 41170
permit udp any any range 10500 12500
permit tcp any any range 10500 12500
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3306
permit tcp any any eq 5901
permit tcp any any range 6650 8000
permit udp any any range 6650 8000
permit tcp any any range 13000 15000
permit tcp any any eq 9418
permit udp any any range 13000 15000
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
ip access-list extended DJanF
permit udp any any eq 8887
permit udp any any eq 41170
permit tcp any any range 10500 12500
permit udp any any range 10500 12500
ip access-list extended Guest-ACL
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended LServ1F
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3306
permit tcp any any eq 5901
permit tcp any any range 6650 8000
permit udp any any range 6650 8000
permit tcp any any range 13000 15000
permit udp any any range 13000 15000
permit tcp any any eq 9418
permit tcp any any eq www

logging esm config
logging trap notifications
access-list 1 remark Allow both VLANs access to the dialer
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Incoming Traffic from main VLAN.
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark VTY Access-class list
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run

control-plane

line con 0
login authentication local_authen
no modem enable
transport preferred none
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
login authentication local_authen
transport preferred none
transport input telnet ssh

scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 81.246.92.139
ntp server 81.246.92.140
ntp server 193.110.251.50
ntp server 93.94.105.122
end
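
An added example, not part of the original post: a small Python check over an excerpt of the posted configuration that lists what governs traffic on the default route's exit interface. The function names are illustrative; the "no next hop" finding reflects standard IOS behaviour on Ethernet interfaces (each destination is resolved by ARP, which only works if the upstream device answers) and is one thing to check, not a confirmed diagnosis for this thread.

```python
import re

# Excerpt of the posted config, same flattened layout: a blank line ends each block.
CONFIG = """\
interface FastEthernet4
ip address dhcp
ip access-group ACL-Internet-Inbound in
ip nat outside
ip inspect FW1 in
ip inspect FW1 out

interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside

ip route 0.0.0.0 0.0.0.0 FastEthernet4
"""

def parse_interfaces(text):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif not line or line == "!":
            current = None              # blank line or '!' closes the block
        elif current is not None:
            current.append(line)
    return interfaces

def default_routes(text):
    """Return the target (interface, next hop or 'dhcp') of each default route."""
    return re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", text, re.M)

def check_wan_path(text):
    """List what applies to packets on each interface-only default route."""
    interfaces, findings = parse_interfaces(text), []
    for target in default_routes(text):
        cmds = interfaces.get(target, [])   # empty for a next hop or 'dhcp'
        if "ip address dhcp" in cmds:       # DHCP client implies an Ethernet-type link
            findings.append(f"{target}: no next hop on default route, "
                            "router must ARP for every destination")
        findings += [f"{target}: {c}" for c in cmds
                     if c.startswith(("ip access-group", "ip inspect"))]
    return findings

if __name__ == "__main__":
    print("\n".join(check_wan_path(CONFIG)))
```

Running it against the full configuration also works, provided the blank lines between blocks are preserved as in the post.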
