806 Cable/DSL Router - WAN DHCP will not Update 1

[tmCCNA]

i have a cisco 806 cable/dsl router. i can not get it to grab an ip address from the isp's dhcp server. i can ping their dns servers though. i have cable internet and the way it works is you give them your pc's mac address and they add it to a table, so you can use their internet services. using the cwrs(gui), it doesn't give me an option to set the wan address up as dhcp. it only has pppoe and with that, it wants a username and password, which i do not have with my isp since they only go by mac addresses. i tried setting up the wan port in the cli, but never could get it to grab an ip address from their dhcp server. how do you your renew an ip address anyway?

 

[netmediasystems]

In order to allow the WAN interface capture a new lease from the ISP, you need to enter this statement:

access-list 101 permit udp any eq bootps any

post the running config and I will give you the entire config for your cable router.

brian

 

[tmCCNA]

here is my router configuration. it is just very basic, as this router is only going to serve as a firewall in my home and allow me to have multiple internet connections, because my isp only allows two and you have to call with the mac address each time. another thing is, i'm not really familiar with ddr that much and it was trying to dial like every 2 seconds, so i disabled it(doesn't show it in this configuration)

Building configuration...

Current configuration : 2550 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
ip subnet-zero
ip name-server 12.27.240.3
ip name-server 12.27.240.4
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
--More--  !
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
lcp max-session-starts 0
!
!
!
interface Ethernet0
--More--   ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
no ip address
ip tcp adjust-mss 1452
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip inspect myfw out
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
--More--   ppp chap hostname travis
ppp chap password 7 08355E4F1F1016
ppp pap sent-username travis password 7 0212165A1D0F1C
ppp ipcp dns request
ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit esp any any
--More--  access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end

thanks,
travis

 

[netmediasystems]

Ok, this a cable modem architecture correct? If so, you dont need any dialer interfaces. Dialer interfaces are for situations like ISDN. And Mac address capture by the ISP is only for the WAN interface MAC address, since that is all the ISP will see, since the computer and devices will more than likely be NAT'd. Confirm the architecture type for me.

brian

 

[tmCCNA]

here is the router i have:

http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet09186a0080088739.html

i installed the firewall set on it and it's ios image is now c806 version 12.2(1)xe.

i don't understand why the wan would be trying to dial or what you mean by the architecture.

here is my latest configuration:
Building configuration...

Current configuration : 2164 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Firewall
!
logging rate-limit console 10 except errors
enable secret 5 $1$HQwp$W.vHe54zCKgiyKpl5VV2s/
!
username Firewall password 7 02000D490E110E2D40
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
--More--  ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.100.1-255.255.255.0
ip address 192.168.100.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp
ip access-group 101 in
ip inspect myfw out
--More--   ip nat outside
no cdp enable
!
ip classless
ip http server
!
ip nat inside source list 102 interface Ethernet1 overload
access-list 101 permit udp any eq bootps any
access-list 101 deny icmp any any echo-reply
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
--More--  !
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end
Building configuration...

Current configuration : 2164 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Firewall
!
logging rate-limit console 10 except errors
enable secret 5 $1$HQwp$W.vHe54zCKgiyKpl5VV2s/
!
username Firewall password 7 02000D490E110E2D40
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
--More--  ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.100.1-255.255.255.0
ip address 192.168.100.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp
ip access-group 101 in
ip inspect myfw out
--More--   ip nat outside
no cdp enable
!
ip classless
ip http server
!
ip nat inside source list 102 interface Ethernet1 overload
access-list 101 permit udp any eq bootps any
access-list 101 deny icmp any any echo-reply
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
--More--  !
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end

Firewall#
Building configuration...

Current configuration : 2224 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Firewall
!
logging rate-limit console 10 except errors
enable secret 5 $1$HQwp$W.vHe54zCKgiyKpl5VV2s/
!
username Firewall password 7 02000D490E110E2D40
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
--More--  ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.100.1-255.255.255.0
ip address 192.168.100.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp
ip access-group 101 in
ip inspect myfw out
--More--   ip nat outside
no cdp enable
!
interface Dialer1
no ip address
shutdown
no cdp enable
!
ip classless
ip http server
!
ip nat inside source list 102 interface Ethernet1 overload
access-list 101 permit udp any eq bootps any
access-list 101 deny icmp any any echo-reply
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
--More--  access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end

Firewall# Travis McGuire

http://www.business-ky.com

 

[netmediasystems]

Travis - the configuration looks better. You should always just have what you need in the running config, not extra commands. And do you need all those configs in the access-lists? you have a isakmp statement...im surprised that this router can even support any isakmp(VPN). On the LAN interface, why do you have 2 different ip addressing scheme's? And you removed your DHCP pool for the LAN. Reconfigure your LAN interface to one address scheme, and make sure that you make the corrolating changes to the applied access-list. Remove the interface dialer1, since it isnt needed at all. For the access-lists..101, enter the deny statement(s) first. For the 111 statements, you really need those applied to WAN interface to be affective. Hope this helps.

brian

Building configuration...

Current configuration : 2164 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Firewall
!
logging rate-limit console 10 except errors
enable secret 5 $1$HQwp$W.vHe54zCKgiyKpl5VV2s/
!
username Firewall password 7 02000D490E110E2D40
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
--More--  ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.100.1-255.255.255.0
ip address 192.168.100.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp
ip access-group 101 in
ip inspect myfw out
--More--   ip nat outside
no cdp enable
!
ip classless
ip http server
!
ip nat inside source list 102 interface Ethernet1 overload
access-list 101 permit udp any eq bootps any
access-list 101 deny icmp any any echo-reply
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
--More--  !
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end

 

[tmCCNA]

i was working on the router at work today is the reason i disabled dhcp on my lan, i didn't want any computers getting an address from my router. about having a second ip address on the lan, i don't really understand that one either. crws did that, when i changed the network address on the lan. the access-lists were implemented by the crws also through the firewall feature set. i only added a couple of access-lists. when you say, "Remove the interface dialer1, since it isnt needed at all, what do you mean? i just did a shutdown on that interface, is that ok. i was getting an ip address from the dhcp server at work when i left, but now that i am home, i can't get it to get one from my isp. Travis McGuire

http://www.business-ky.com

 

[netmediasystems]

Travis - you need to put the DHCP pool back into the config in order to get an IP address from your router...thats what you mean right? You say I can't get an address from your ISP...the ISP only is giving you one address that gets assigned and captured by the WAN interface. The LAN addresses are created by the router...i.e. NAT. To remove the dialer, which you should, go:

router#config t
router#(config)no interface dialer1
router#(config)exit
router#

thats it. For the access-list, you should remove all that and enter this:

access-list 101 deny tcp any any eq finger
access-list 101 deny icmp any any echo log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any
access-list 101 permit tcp any any gt 1023 established

Remove the 10 network from the ethernet interface0 and your router will be running great. If you have a problem, post the config after the changes and I will help you.

brian

 

[tmCCNA]

the lan part is not a problem, all computers accept dhcp from the router correctly. the wan port will not get an ip address from the isp. is there anything else that should be set up on this port? i'm getting ready to try the configuration you gave me and if it doesn't work, i will post the configuration that i have. Travis McGuire

http://www.business-ky.com

 

[tmCCNA]

i tried it and it did not work. here is the summary that the crws gave me:

LAN SUMMARY
--------------------
Interface Status : up
Interface IP Address : 192.168.100.1
Interface Subnet Mask : 255.255.255.0
DHCP Server Enabled : Yes
DHCP Network Address : 192.168.100.0
Default Router : 192.168.100.1
Primary WINS Server : 12.27.240.5
DHCP Lease : 1 Day
Primary DNS Server : 12.27.240.3
Secondary DNS Server : 12.27.240.4

WAN SUMMARY
----------------------
WAN IP Address : unassigned
Interface Status : up
Line Protocol : up
PPP User Name : Not Assigned
Automatic IP address : Yes

here is the configuration:

Building configuration...

Current configuration : 1403 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
ip subnet-zero
ip name-server 12.27.240.3
ip name-server 12.27.240.4
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool CLIENT
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 12.27.240.3 12.27.240.4
--More--   netbios-name-server 12.27.240.5
!
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.100.1-255.255.255.0
ip address 192.168.100.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp
ip access-group 101 in
ip nat outside
no cdp enable
!
ip classless
ip http server
--More--  !
ip nat inside source list 102 interface Ethernet1 overload
access-list 101 permit udp any eq bootps any
access-list 101 deny tcp any any eq finger
access-list 101 deny icmp any any echo log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any gt 1023 established
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end

Router#

is there a command to release and renew the wan ip address? Travis McGuire

http://www.business-ky.com

 

[Degg]

just a silly question, but have you rebooted your cable modem lately? the cable modem may remember your MAC from when your PC was connected, and when you plug the router in the MAC is different so it wont give you an IP. the way to fix that is to reboot your cable modem (just cycle the power) and you will clear out the old MAC and your router will get a new one. If you have already tried this, then you can ignore this post hehe. Degg
Network Administrator

 

[tmCCNA]

i am going to call my isp tomorrow and make sure they have my correct mac address for the wan port. they could have written it down wrong or something. i gave it to them over the phone. i really appreciate you helping me with this and maybe i can get it up and going tomorrow. if you see anything wrong with my configuration then let me know and i'll make another post tomorrow after i talk to them.

another question though. at work today, the wan port would get an ip address from our router, but i could not access the internet. why is this?

thank you,
travis Travis McGuire

http://www.business-ky.com

 

[netmediasystems]

ok travis here is the ticket...do a "sh ip int br" and post it. I would also remove the inbound "access-group" from the interface ethernet1. For the access-list i would remove all of them and put them back in with the deny statements first. Or remove all of these config and re-enter them like this:

ip nat inside source list 101 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.5.192.1 254 permanent
no ip http server
!
!
access-list 1 permit 192.168.1.19
access-list 1 deny any
access-list 101 deny tcp any any eq finger
access-list 101 deny icmp any any echo log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any
access-list 101 permit tcp any any gt 1023 established

Your PAT config "ip nat inside source...isnt being applied to the interface. You need to remove the firewall features you are trying to implement and just get the line up first. Once you do that then you can enter the firewall feature set...and DO NOT use that crappy web set-up page. After you make these changes, power cycle the modem. when it comes back online do a sh ip int br and tell me what the is in the eth1 interface.

brian

 

[netmediasystems]

do not put the same ip address in the ip route statement...that is an example. also do not include the access-list 1 statements

brian

 

[tmCCNA]

i have tried rebooting the modem. it won't com up when the interface is up, if i shut it down, it will, then when i bring the interface back up, it still will not get an ip address. Travis McGuire

http://www.business-ky.com

 

[netmediasystems]

Im confused now...if you plug your pc directly into the modem can you get connectivity? The ISP doesnt know that there is a router behind the modem, it captures the modems mac-address in their table, not the routers mac. are you using the correct cable between the router and the modem? Think in layers physical - data - network or wire - mac - ip. check each of these points from the bottom up. Check the link lights at each connection point to ensure layer 1 connectivity.

 

[tmCCNA]

a pc gets an ip just fine from the isp. if i connect the router to the cable modem via ethernet, and reboot the cm, then the cable modem will not ever come up. i let it try for about 5 hours and it never did. i shutdown the ethernet interface on the router to the cm, and the cm came up in only a few minutes. i brought the interface back up on the router and it would not get an ip address from the isp. it is a straight through cable i am using to connect the router and cable modem. this is correct right?

at work i connected the router's wan port(ethernet) to the lan and it would get an ip address from the dhcp server on the router at work, but with the same configuration at home the router would not get an ip from the isp. sorry to confuse you, but i'm confused also. i have never had this much trouble with a router.

all link lights are on, and the trasmit and recieve lights blink as if it is sending and recieving data on the wan port. i know my ethernet cables are good, because they are the same ones i used at work and they worked fine. if you are still confused, let me know and i'll try to clear things up.

i really appreciate all your help. Travis McGuire

http://www.business-ky.com

 

[tmCCNA]

the isp has to capture your pc or router's mac besides the cm wouldn't they? how else would they allow you on their network when they go by your connected devices macs, not the cm mac? please explain this as i'm not sure how the isp does it. Travis McGuire

http://www.business-ky.com

 

[netmediasystems]

this is how your entire config should look like:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable password 7 10421C1200
!
username xxxxx password 7 10471A1807121E070D
ip subnet-zero
no ip domain-lookup
ip name-server 65.4.16.30
ip name-server 65.6.16.30
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
!
ip dhcp pool Client
import all
network 192.168.1.0 255.255.255.0
dns-server 65.4.16.30 65.6.16.30
domain-name (provider)
default-router 192.168.1.1
!
ip inspect name LANOUT http java-list 1
ip inspect name LANOUT ftp
ip inspect name LANOUT tcp
ip inspect name LANOUT udp
ip inspect name LANOUT smtp
!
!
!
interface Ethernet0
description Lan Interface
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
no ip route-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description Wan Interface
ip address dhcp
ip access-group 101 in
ip nat outside
ip inspect LANOUT out
arp timeout 1500
no cdp enable
!
ip nat inside source list 101 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x 254 permanent
no ip http server
!
!

access-list 101 deny tcp any any eq finger
access-list 101 deny icmp any any echo log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any
access-list 101 permit tcp any any gt 1023 established
no cdp run
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
transport input telnet
!
scheduler max-task-time 5000
end

Router#

See how much cleaner this running is.

If you enter this config you should get the green light. About the mac-address capture, usually the mac is captured from the cable modem interface not the device behind it. Different ISP's do it differently. about the cable, you need to try both cables. but, the router WAN interface light on the front of the router will not light up with the wrong cable. post a ip int br after you establish that you have the right cable.

 

[Degg]

if the isp needs the MAC of what is behind the cable modem, then they have your PC's MAC. you said your PC gets an IP just fine, then that indicates they have the MAC of your PC. If that is the case, you need to give them the MAC from your router. If they only get the MAC of your modem, then they wont care what is behind it and your router and PC should be able to get an IP. Degg
Network Administrator