Cisco 2611 NAT, IOS Firewall for cable modem

Status
Not open for further replies.

stre1026

IS-IT--Management
Jul 9, 2001
Hello all -

I know this question has been asked many times, but I have been hitting my head against the wall with this configuration and want to know what I am doing wrong. I have a Cisco 2611 router which I am trying to configure as a router/gateway/firewall for my cable modem as well as provide dialup remote access for my network. Eventually, once I get this working, I will want to add site to site VPN and Cisco VPN client connections. BTW, is this router capable of terminating more than one tunnel at the same time?
My configuration is below. For some reason, I can't connect to the Internet. My modem does see the router is there, and the router does give the modem an IP. However, I can't connect to the 'net. What's wrong? My config is below.

!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Router
!
enable password *****
username ***** password *****
!
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Context-Based Access Control
!
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
! IP inspect Dialer_65535_1
!
no ip inspect name Dialer_65535_1
ip inspect name Dialer_65535_1 tcp
ip inspect name Dialer_65535_1 udp
ip inspect name Dialer_65535_1 cuseeme
ip inspect name Dialer_65535_1 ftp
ip inspect name Dialer_65535_1 h323
ip inspect name Dialer_65535_1 rcmd
ip inspect name Dialer_65535_1 realaudio
ip inspect name Dialer_65535_1 smtp
ip inspect name Dialer_65535_1 streamworks
ip inspect name Dialer_65535_1 vdolive
ip inspect name Dialer_65535_1 sqlnet
ip inspect name Dialer_65535_1 tftp
!
! IP inspect Ethernet_0_1
!
no ip inspect name Ethernet_0_1
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
!
interface Dialer 1
description connected to Dial-in Modem
ip unnumbered Ethernet 0/1
ip nat inside
ip tcp header-compression passive
ip inspect Dialer_65535_1 in
ip access-group 100 in
encapsulation ppp
dialer in-band
dialer-group 1
ppp authentication chap
no cdp enable
peer default ip address pool Router-Group-1
!
interface Ethernet 0/0
no shutdown
description connected to Internet
ip address dhcp
ip nat outside
ip access-group 102 in
keepalive 10
!
interface Ethernet 0/1
no shutdown
description connected to Network
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip inspect Ethernet_0_1 in
ip access-group 101 in
no keepalive
!
interface Async 65
no shutdown
description connected to Dial-in Modem
ip unnumbered Ethernet 0/1
async mode dedicated
dialer rotary-group 1
!
interface BRI 0/0
no description
no ip address
shutdown
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 10.0.1.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip any any
!
! Access Control List 101
!
no access-list 101
access-list 101 permit ip any any
!
! Access Control List 102
!
no access-list 102
access-list 102 deny ip any any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Ethernet 0/0 overload
!
! DHCP Server
!
service dhcp
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp pool 1
network 10.0.1.0 255.255.255.0
domain-name *****.local
default-router 10.0.1.1
dns-server 10.0.1.1 *.*.*.16
!
ip local pool Router-Group-1 10.0.1.99 10.0.1.99
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Ethernet 0/0
ip http server
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password magical1
login
!
line vty 0 4
password magical1
login
!
line aux 0
exec
autoselect ppp
autoselect during-login
login
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
!
end
 
I had a similar problem recently with a Cisco 2611 with two ADSL cards installed. I had a switch coming off ethernet 0/1 and a server coming off ethernet 0/0. I was able to surf and access my webserver coming off ethernet 0/0 but nothing could get out through the switch and ethernet 0/1. I thought the problem was my switch and tried several with no luck. I switched the ethernet ports on the router. Webserver and static IP coming off ethernet 0/1 now and the switch with NAT running going off ethernet 0/0 and all works perfectly. I think that a firmware upgrade on the router might fix the problem.
 
Hi, one question,

if you perform a show ip inter brief

do you see a public IP address at your ethernet0/0 interface?

Thanks.
 
sbonete,

I actually found out what the problem was. The public IP was dropping for some reason. It works when I have an IP. Now for some reason, the router refuses to get an IP even though the modem sees the router. Any ideas?

Thanks!
 
This might have something to do with it...

interface Ethernet 0/0
no shutdown
description connected to Internet
ip address dhcp
ip nat outside
ip access-group 102 in
keepalive 10

! Access Control List 102
!
no access-list 102
access-list 102 deny ip any any

Looks to me like you're rejecting the DHCP offer from the cable modem.
 
Thanks Lundah,

That's a good point. What would I put there instead? Is my firewall enough or do I need some other access-list to substitute?

Thanks,
Steve
 
You need to be more granular with your access list, because right now it's blocking all incoming IP traffic on that interface. What you do from there depends on what you want to block and from where.
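A more granular ACL 102, written as an added example for this thread; it is not part of the original post or of Lundah's reply. It assumes what the posted config already shows: Ethernet 0/0 gets its address by DHCP from the cable ISP, CBAC is applied inbound on Ethernet 0/1 and Dialer 1, and the router runs an IOS image whose CBAC does not inspect ICMP (where the image accepts `ip inspect name Ethernet_0_1 icmp`, that can replace the static ICMP lines below). The private-range anti-spoofing entries and the `log` keywords are choices made for this example, not something the thread specifies.

```cisco
! Replace ACL 102 on Ethernet 0/0 (inbound). The posted "deny ip any any" also
! dropped the ISP's DHCP OFFER/ACK, so the router never kept a public address.
no access-list 102
!
! DHCP: the offer/ack arrive as UDP from server port 67 (bootps) to client
! port 68 (bootpc). They may be unicast to the offered address or broadcast,
! and some cable ISPs relay from a private address, so match "any" and keep
! this line ahead of the anti-spoofing denies.
access-list 102 permit udp any eq bootps any eq bootpc
!
! Anti-spoofing: packets claiming an inside, RFC 1918 or loopback source must
! never arrive on the Internet-facing interface. Log the ones that claim to be
! our own LAN (10.0.1.0/24, the range NAT'd by access-list 1).
access-list 102 deny ip 10.0.1.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
!
! ICMP that ping, traceroute and path MTU discovery depend on. CBAC on an
! image without ICMP inspection will not open these dynamically.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any packet-too-big
!
! Everything else stays denied. Return traffic for TCP/UDP sessions that left
! via Ethernet 0/1 or Dialer 1 is admitted by the temporary entries that the
! "ip inspect ... in" rules on those interfaces insert ahead of this line.
access-list 102 deny ip any any log
```

After applying it, `show dhcp lease` should show a lease on Ethernet 0/0 and `show ip interface brief` a public address that stays up; `show ip inspect sessions` lists the CBAC openings for outbound sessions, and `show ip access-lists 102` shows the match counters, so a climbing count on the final deny (or a `%SEC-6-IPACCESSLOGP` message) points at a protocol the inspect rules do not cover rather than at the DHCP problem this thread started with. Inbound services (a web server, the future VPN tunnels) still need explicit permit lines added above the final deny.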
 