
CISCO 2611 - PPPoE - ADSL - Need help please


tektipman

IS-IT--Management
Aug 20, 2006
CN
Hello,

I am badly trying to get this sorted. I have a Cisco 2611 with two ethernet and trying to get a PPPOE session with my ISP. The ISP requires PPPOE and is dynamically assigning the IP address. Can I ask you to have a look at my conf below and advise me on what I am doing wrong. Or perhaps there is another way to get this done? I would be grateful if you could help me out here

I have confirmed my ADSL account's username and password. Below my conf is the error which is being thrown at me every minute :/

thanks in advance

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$lp1j$FP.MRNE/ewBiVLyzJIywN0
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
interface Ethernet0/0
ip address 192.168.0.200 255.255.255.0
ip nat inside
no ip mroute-cache
half-duplex
!
interface Ethernet0/1
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated previous
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username ad51603791 password 0 dTwji4Fh
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 0 0
transport preferred none
line aux 0
line vty 0 4
login
!
!
!
!
end


Router#
Router#
*Mar 1 00:06:49.939: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar 1 00:06:49.947: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 1 00:06:50.027: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar 1 00:06:50.035: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Router#
Router#




 
What make and model number is the device connecting this 2611 to the ADSL circuit?
 
Hi Joamon - I am connecting the WAN port of an "Alcatel Speedtouch 515" ADSL modem onto the E0/1 of the 2611 router. Still no chance here :/ Can't telnet in the modem to see whatever has been 'speedtouched' in there...

On another subject, purchasing a WIC-ADSL card would suggest that I can connect the RJ-11 ADSL line directly in the router right?
 
Before I spent that much on a WIC for an old 10-Base-T ethernet router I think you may consider an upgrade to say the 877 or 877W (wireless). This is a SOHO ADSL router with built in 4 port fast ethernet switch. Pretty affordable and comparable to the price of that WIC new. But in answer to your question it should work in place of the modem. Check hardware, IOS, and memory requirements if you go that route.
 
Give this a shot:

Remove from dialer1 interface

ip address negotiated previous
ppp authentication pap

Add to dialer1 interface

ip address negotiated
no cdp enable
ppp authentication pap callin
ppp chap refuse
 
Also double check the following:

router#show vpdn group 1
% VPDN is not enabled

If you get this response then do the following:


router#conf t

router(config)#vpdn enable

It is possible to set up VPDN groups without VPDN actually being enabled. In my opinion it should deny setting it up unless VPDN is enabled first.
 
Yea!!!!! router(config)#vpdn enable did the trick I guess. You are the man, very grateful for that. 3 days to figure this one out. Regarding the WIC, surprise... I am based/expatriate/working in Shanghai, China and all Cisco hardware is a fraction of the price (genuine) and please don't ask why ;) Can get a sealed WIC-1ADSL card here for $80.00. Currently doing my CCNA with 2600 series routers and 2950s switches.

Got the router running and now want to route incoming packets (TCP 80) to another server on my LAN (192.168.0.30). How do I set up the ACL for the NAT? This is very frustrating, whatever I learn from CBT, I try and it just doesn't work the way I want. Tried everything, ACL permit tcp any host x.x.x.x eq 80, static route, etc... nothing works? You mind giving me a hand there?

 
I think you are after something like the following:

ip nat inside source static tcp 192.168.0.30 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.0.30 443 xxx.xxx.xxx.xxx 443 extendable

access-list 107 permit tcp any eq 80 host 192.168.0.30 eq 80
access-list 107 permit tcp any eq 443 host 192.168.0.30 eq 443
access-list 107 deny ip any any log

interface dialer1
ip access-group 107 in

Unfortunately without a static IP address users will have a difficult time finding it without some sort of a Dynamic DNS Service pointing to it. Without a static outside address all you will be able to enter is the following:

ip nat inside source static tcp 192.168.0.30 80 interface dialer 1 80
ip nat inside source static tcp 192.168.0.30 443 interface dialer 1 443

access-list 107 permit tcp any eq 80 host 192.168.0.30 eq 80
access-list 107 permit tcp any eq 443 host 192.168.0.30 eq 443
access-list 107 deny ip any any log

interface dialer1
ip access-group 107 in

I believe you need to have the extendable option for this to work correctly but I may be wrong on that.
 
Back from Holiday yesterday eve.. Tokyo rocks in gen but rare are the cheaps :/

Got your ACLs running in 5 minutes - many thanks for that. works like:

ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.20 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.20 25 interface Dialer1 25
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

But in order to block external traffic.... as soon as I place an ACL listening on the Dialer 1 (in), then I lose my web browsing. Trying below to test if indeed I get my port 25 blocked... the thing just blocks everything.

access-list 101 permit ip any any
access-list 101 permit tcp any eq
access-list 101 deny tcp any any log
access-list 102 permit ip any any
access-list 102 permit tcp any eq
access-list 102 deny tcp any any

int dialer 1
ip access-group 101 in
ip access-group 102 out

If you have any quick fix, otherwise I guess I have a lot more to learn on ACLs.

Take care
 
you should follow what joamon posted above your last post

right now you're trying to use access-list 101 for your nat and then reuse it as an incoming access-list (firewall)
if you were to use 107 as he had in his example instead of 101 i think you would be fine...

also in your example of access-list 101... you have the permit any rule first...
nothing will ever go to the next rules because you're basically saying anything can pass.
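
The first-match behaviour discussed in the last few posts can be checked off the router. The following is an added example, not code from anyone in the thread: a small Python model of inbound ACL evaluation on Dialer1 that looks at protocol, ports and the TCP ACK/RST bit only (addresses are treated as "any"). The packets are constructed samples and the reordered list is a hypothetical illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:             # constructed sample traffic arriving inbound on Dialer1
    proto: str
    sport: int
    dport: int
    ack: bool = False     # ACK or RST set, which is what "established" tests

@dataclass(frozen=True)
class Rule:               # addresses are treated as "any" in this model
    action: str
    proto: str            # "ip" matches every protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (p.ack or not self.established))

def evaluate(acl, pkt):
    """First matching rule wins; every ACL ends with an implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None

# ACL 101 ordered as in the thread: the catch-all permit comes first.
ACL_PERMIT_FIRST = [Rule("permit", "ip"), Rule("deny", "tcp")]
# ACL 107 as posted: "any eq 80 ... eq 80" pins source AND destination port.
ACL_107_POSTED = [Rule("permit", "tcp", 80, 80),
                  Rule("permit", "tcp", 443, 443), Rule("deny", "ip")]
# Hypothetical reordering: replies first, then the published port, then deny.
# "established" is a stateless flag check, not connection tracking.
ACL_REORDERED = [Rule("permit", "tcp", established=True),
                 Rule("permit", "tcp", dport=80),
                 Rule("permit", "udp", sport=53), Rule("deny", "ip")]

SMTP_IN = Packet("tcp", 40000, 25)               # unsolicited connection to port 25
HTTP_IN = Packet("tcp", 51000, 80)               # outside client, ephemeral source port
WEB_REPLY = Packet("tcp", 80, 49152, ack=True)   # reply to a LAN user's browsing
DNS_REPLY = Packet("udp", 53, 33000)             # reply to a LAN user's DNS query

if __name__ == "__main__":
    for name in ("ACL_PERMIT_FIRST", "ACL_107_POSTED", "ACL_REORDERED"):
        print(name, [evaluate(globals()[name], p)
                     for p in (SMTP_IN, HTTP_IN, WEB_REPLY, DNS_REPLY)])
```

With the catch-all permit first, the port 25 test never reaches the deny line. In this model, a list whose permits pin both ports to 80 or 443 and that has no rule for return traffic denies both the outside client's request and the replies to LAN browsing.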
 