
Cisco 2651XM and Cox Cable Dynamic IP issue


DrArubix (MIS, US), Feb 21, 2011
Hey guys..I am in some bad shape. I have this thread going in another forum so I'll keep it as short and sweet as possible. I cannot access the internet. I cannot get a thing from the "sh dhcp lease" command, so that tells me the ISP is not playing well. I called them and I do not have to provide them with my MAC address. They won't take it and barely understand why I would ask them that..I know the default gateway (24.253.136.1, and my IP was 24.253.136.243). I used the "dhcp" command on the outside interface, as you can see from the config here, but no dice. I removed my access-list off the interface, except the NAT pool to be internally translated, I kept that, and good news is, I AM getting a DHCP function to work properly, but overall, no internet. I mean, this config is as bare-bones as I can think, so if anyone can help me out, I am so grateful for your time. Cheers!


I have nothing from the DHCP server. Here was my output.


Router#sh dhcp lease
Temp IP addr: 0.0.0.0 for peer on Interface: FastEthernet0/0
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 1 Selecting
DHCP transaction id: 274
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
Next timer fires after: 00:00:02
Retry count: 2 Client-ID: cisco-0012.7f3d.baa0-Fa0/0
Client-ID hex dump: 636973636F2D303031322E376633642E
626161302D4661302F30
Hostname: Router


And just so you can see that I did make the changes to the running config...


!
interface FastEthernet0/0
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ADDRESSES interface FastEthernet0/0 overload
!
ip access-list standard NAT-ADDRESSES
permit 192.168.0.0 0.0.0.255
!
access-list 101 permit tcp any any established

 
First off, you don't need this; DHCP will by default inject a route for you.
Code:
ip route 0.0.0.0 0.0.0.0 dhcp

also post:

sh ip int bri

sh ip route

And I'm confused, are you or are you not getting an IP addy from the DHCP? I'm confused on:
and good news is, I AM getting a DHCP function to work properly


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Oh sorry..my DHCP function for my internal network is working, my NAT inside, as in the PC is getting an assigned address from the pool I specified, but NO..I am not getting a DHCP addy from the ISP. I posted the sh dhcp lease output and you can see I am getting nothing..but I will have to get home to remove the default route as you say and to give you some more information with those specific show commands...thanks man!! See you in a few hours..I will be home soon..
 
Also try debugging your DHCP events. See if you are getting any packets from the ISP...

I'm assuming this is connected to a Fast Ethernet port of the ISP's modem? If yes, try plugging something else like a PC into it and see if you get an IP address...

The reason I want to see the sh ip int bri is to check its status...
 
Got it. Stay tuned please. Once I get home, I have a crossover cable I can use, and I will telnet into the router and make all the changes and provide you with some more whole-hearted outputs..I will also try the PC-to-ISP modem that you are asking about. I am so determined to finally be on today with this 2651XM; once I am home man, I will be online all day and evening until I get this, so again, thanks so much and stay tuned!

//wade

 
Sometimes you have to reboot the ISP modems when you change devices. They will only work with the 1st MAC address they see, so you may need to reboot when you connect your PC.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries
 

Guys I AM ON!!!!!!!!!

Finally!! It’s been days, and all I had to do, was essentially, reset the modem. However, not in the manner you would think. I was unplugging my ISP Cable Modem and letting it start with the POST lights and let it go through its startup and let all the lights come on, as she told me I had to do. Well, the modem already learns its new MAC address if you wait that long so I tried something different.

kwing112000, I plugged the straight through in my router, unplugged the modem, and it was all off. I waited a bit, and while leaving the cable in my 2651 Router, I plugged the Modem back in without waiting for it to go through all the green lights on the front. Then, I let it go through, let all become green, and did the sh dhcp lease and all of it was working!!!!!!!!!!!!!!! Thanks to you all!!!! This is amazing and all I need to do now, is get a grip on some security, maybe let the SDM really tighten things up.

Thanks again to everyone's help..you all rock!!!!
 
Security, you got a few options.

Zone management, which is kind of nice.

Or just basic firewalls.
Code:
class-map type inspect match-any WIRELESS
 match protocol http
 match protocol dns
 match protocol https
 match protocol telnet
 match protocol ssh
class-map type inspect match-all VLAN200-MNGM
 match access-group name VLAN200-MNGM
class-map type inspect match-any OUTSIDE-DMZ
 match protocol fasttrack
 match access-group name DMZ-HOST
class-map type inspect match-any DMZ-TRAFFIC
 match protocol http
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol smtp extended
 match protocol sip
 match protocol pop3
 match protocol ntp
 match protocol telnet
 match protocol fasttrack
 match access-group name DMZ-HOST
 match protocol tcp
 match protocol udp
class-map type inspect match-any DMZ-WIRELESS
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name DMZ-WIRELESS
!
!
policy-map type inspect WIRELESS
 class type inspect WIRELESS
  inspect
 class class-default
policy-map type inspect OUTSIDE-DMZ
 class type inspect OUTSIDE-DMZ
  inspect
 class class-default
policy-map type inspect DMZ
 class type inspect DMZ-TRAFFIC
  inspect
 class class-default
policy-map type inspect DMZ-WIRELESS
 class type inspect DMZ-WIRELESS
  inspect
 class class-default
!
zone security DMZ
zone security OUTSIDE
zone security WIRELESS
zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-DMZ
zone-pair security WIRELESS-OUTSIDE source WIRELESS destination OUTSIDE
 service-policy type inspect WIRELESS
zone-pair security DMZ-WIRELESS source DMZ destination WIRELESS
 service-policy type inspect DMZ-WIRELESS
zone-pair security WIRELESS-DMZ source WIRELESS destination DMZ
 service-policy type inspect DMZ-WIRELESS
You basically have to define the type of traffic you want to allow for each ZONE (each interface/subinterface/or vlan is its own zone).

OR here is a sample ACL:
Code:
access-list 101 remark for fa0/0
access-list 101 remark FAILSAFE ACCESS LIST IN CASE OF ZBF ISSUES
access-list 101 permit tcp any any eq 3784
access-list 101 permit udp any any eq 3784
access-list 101 permit ip host 207.6.146.72 any
access-list 101 deny   ip 10.254.0.0 0.0.255.255 any
access-list 101 deny   ip host 172.16.1.1 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 2710
access-list 101 permit tcp any any eq 1863
access-list 101 permit tcp any any eq 2910
access-list 101 permit tcp any any eq 57462
access-list 101 permit tcp any any eq 57463
access-list 101 permit tcp any any eq 57464
access-list 101 permit tcp any any eq 57465
access-list 101 permit udp any any eq 5060
access-list 101 permit udp any any eq 5004
access-list 101 permit udp any any eq 10000
access-list 101 permit udp any any eq 16348
access-list 101 permit udp any any
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any

And of course don't forget about the telnet / SSH session.

One neat command Cisco has is:

auto secure
This is run from the privilege level:
Code:
EarlGrey-Hot#auto secure ?
  firewall       AutoSecure Firewall
  forwarding     Secure Forwarding Plane
  full           Interactive full session of AutoSecure
  login          AutoSecure Login
  management     Secure Management Plane
  no-interact    Non-interactive session of AutoSecure
  ntp            AutoSecure NTP
  ssh            AutoSecure SSH
  tcp-intercept  AutoSecure TCP Intercept
  <cr>
You can customize the command, or just use the basic form and go through the questions to secure your router.

cheers mate,



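As an added example (not from the thread or anyone posting in it), here is a small Python first-match evaluator for the sample ACL above, so you can check which entry a given packet would hit before putting the failsafe list on fa0/0. The ACL text is a constructed subset of the one posted, the packet values are constructed, and it only understands the ACE forms that sample uses: contiguous wildcard masks, `eq`, `established` and a single ICMP type word.

```python
import ipaddress
# Constructed sample: a subset of the failsafe ACL 101 posted in the thread.
ACL_101 = """
access-list 101 remark FAILSAFE ACCESS LIST IN CASE OF ZBF ISSUES
access-list 101 permit ip host 207.6.146.72 any
access-list 101 deny   ip 10.254.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any
"""
NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network((tokens[0], prefix), strict=False), tokens[2:]

def parse_ace(line):
    """Turn one 'access-list 101 ...' entry into a dict; remarks and blank lines yield None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = int(NAMED_PORTS.get(rest[1], rest[1])) if rest and rest[0] == "eq" else None
    flag = rest[0] if rest and rest[0] != "eq" else None   # 'established' or an ICMP type
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port, "flag": flag, "text": line.strip()}

def lookup(acl_text, proto, src, dst, dport=None, established=False, icmp_type=None):
    """First-match walk, like IOS: return (action, matching entry); implicit deny at the end."""
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if ace["flag"] == "established" and not established:
            continue
        if ace["flag"] not in (None, "established") and ace["flag"] != icmp_type:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"
```

Running `lookup(ACL_101, "udp", "198.51.100.7", "24.253.136.243", dport=53)` shows the broad `permit udp any any` entry catching the packet, which is the kind of line worth a second look before the list goes live.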
 
Hey I will be sure to lock her up well. I am in the CCNAS curriculum at a small Cisco site and CBAC and zone-based security are all things I have configured, but not more than in a small lab, and I haven't touched it since..there sure are many ways to go about it all. I am very excited. I am so open and vulnerable it's scary, but I have to go away for work for two weeks coming up, so I don't get to play with her now that I actually have a connection to the outside world. I think I am going to start with some CBAC or just start getting into the zones..any thoughts as to what is the most practical and scalable solution that leans into VPNs?

Thanks!!
 