
Cisco 831 behind Comcast Cable Modem


chesco9

Technical User
Oct 5, 2008
3
US
Hello guys, I'm new to Cisco routers. I've had my first one for 5 days, and for 5 days I've been trying to configure it to work with my cable internet (Comcast). I'm currently using a Netgear FVS318, but I want to replace the Netgear router with this Cisco 831 I got off eBay. Eventually I'll get something newer like an 85x or 87x. Basically I want to be able to, and feel safe to, open up ports for a DB server down the road, but for now I want to at least be able to connect to the internet. Baby steps...

This is my setup now

Internet <--> Cable Modem (motorola) <--> Cisco 831 <--> PCs

I've been online for days trying to make my configuration work, but I'm not able to connect to the internet yet. I'm able to get an IP from my ISP along with DNS servers, but I cannot get outside my LAN. This is my configuration so far. I know that Cisco is the best way to go when it comes to routing, and I don't want to give up halfway through this. I want to get it to work one way or another.

Well this is the configuration I'm running now:

!
version 12.3
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
memory-size iomem 15
no logging buffered
!
no aaa new-model
ip subnet-zero
!
ip dhcp pool DHCP
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description Internal LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description Internet$ETH-WAN$
mac-address 0013.207c.e69f
ip address dhcp client-id Ethernet1
ip nat outside
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router rip
version 2
network 192.168.2.0
no auto-summary
!
ip nat inside source list 102 interface Ethernet0 overload
ip classless
!
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
line con 0
exec-timeout 120 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
!
scheduler max-task-time 5000
!
end



I would really appreciate it if someone could give me a hand with this. I'm sure that it is something pretty simple, but I just can't pinpoint it. Thanks.
 
chesco9,

It sounds like you have the right equipment and attitude to do what you want.

Please let me ask a couple questions:

1.) Do you think your Cisco router is pulling a dhcp address successfully from the ISP? Please do a 'show ip interface' from the IOS command line and post. Presumably you would have a public IP bound to Ethernet1.

2.) Are your PCs successfully pulling DHCP addresses from the router? Do an 'ipconfig /all' from a command line and post it if these are Windows machines.

My first guess would be that your config looks OK and I bet the router has got a public address and the PCs have private addresses as long as you have everything connected to the right interfaces.

If so, what you might want to try for a quick fix is to specify a DNS server for the PCs to use in the private IP DHCP scope.

conf t
dns-server a.b.c.d

Check what name server the interface connected to the public side gets and put it here. I suppose that is what the 'import all' was meant to do. I'm going to check here:


Also get rid of RIP unless you need it for some reason.

You're close. Don't give up.
 
Sorry, it's been a rough night.

conf t
ip dhcp pool DHCP
dns-server a.b.c.d
 
Also, I think the ip nat inside source list command is supposed to reference the public interface. Try:

ip nat inside source list 102 interface Ethernet1 overload

 
phrk is absolutely correct---you have the NAT pointing to the wrong interface. I assume the modem is in bridge mode as well, and you get a public IP on E1...right?
Anyway, do what phrk says---he's right on.

Burt
 
Hello

After you have corrected the conf, please put in the command below, so you know where to route unknown subnets.

"ip route 0.0.0.0 0.0.0.0 Ethernet1"

Regards
PS. Why are you using the routing protocol RIP?
 
Alright guys, thank you all for your help. I'm now able to connect to the internet. Like you guys said, I was missing a line.

Something like what was suggested:

"ip route 0.0.0.0 0.0.0.0 Ethernet1"

but that didn't work.

I had to replace "Ethernet1" with the IP of the first hop from a tracert command using my Netgear router, and voila.

So, now that I have the internet working OK, I created a firewall configuration through SDM and I'm now trying to open ports for a DB server, but I'm not able to connect. I created a DHCP binding ("ethernet" client-identifier) to my internal machine running SQL Server (I made sure that the computer is actually at that IP address) and I added a "Port application mapping" for that computer/application on port 1433. It shows on the list as active, but when I try to access it from a remote location I have no access to the DB service (this is using my WAN IP, of course). I wonder if this has to do with the fact that the IOS version I'm running does not allow me to specify the port type, TCP or UDP.

 
Please post the updated conf. This is going to be tricky with the Netgear handling the public IP address. For this kind of setup it would be better to bridge the connection. Are you using ADSL with PPPoE? In the meantime, try opening the port forwarding on the Netgear.
Regards
 
Hello guys,

First of all, I should mention that the Netgear router will not be in the setup; I only connected it to be able to do a tracert to find out what the next hop was for my internet connection. So my setup is:

Internet <--> Cable Modem (motorola) <--> Cisco 831 <--> PCs

My current configuration is this:


Building configuration...

Current configuration : 5136 bytes
!
! Last configuration change at 04:54:37 Pacific Tue Oct 7 2008
! NVRAM config last updated at 20:20:46 Pacific Mon Oct 6 2008
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
memory-size iomem 15
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 *******************************
enable password 7 *****************************
!
username chesco9 secret 5 **********************************
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name chesconet.local
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool DHCP
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
netbios-name-server 192.168.1.10
!
ip dhcp pool hermione
host 192.168.1.10 255.255.255.0
client-identifier 0008.5427.55de
!
ip dhcp pool mymojo
host 192.168.1.57 255.255.255.0
client-identifier 001d.0914.3354
!
!
no ip bootp server
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW http
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description Internal LAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
!
interface Ethernet1
description Internet$ETH-WAN$$FW_OUTSIDE$
mac-address 0040.05ca.17c3
ip address dhcp client-id Ethernet1
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip route-cache flow
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 73.x.x.x
!
ip http server
ip http access-class 1
no ip http secure-server
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 remark Auto generated by SDM for NTP (123) 207.150.167.80
access-list 101 permit udp host 207.150.167.80 eq ntp any eq ntp
access-list 101 remark SQLSVR
access-list 101 permit tcp any host 192.168.1.10 eq 1433 log <<---- I thought this would do the trick configured it through SDM
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
banner login ^CCYOU AREN'T AUTHORIZED, YOU HAVE 15 SECONDS TO GET OUT^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 103 in
authorization exec local_author
login authentication local_authen
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 207.150.167.80
ntp server 207.150.167.80 prefer
ntp server 207.150.167.80 source Ethernet1 prefer
!
end

Thank you guys.

 
Chesco... Have you had any luck yet?

I have an 831 behind Comcast as well, and I have it working. My config is INTERNET >> Linksys Modem >> Cisco 831 >> Cisco Aironet 1200 >> PCs.

I deleted a Linksys wireless router by setting my network up with the 831 and an AP.

On eth1 (the outside link from the modem) I set it to 'ip address dhcp' (config t), then I reset the modem by unplugging it and plugging it back in. Because the port on the modem saw a new MAC from the 831, I got a new IP lease from Comcast. Go to your enable "#" prompt and type 'sh arp'. You will see a new IP address acquired by eth1. You most definitely keep eth1 as DHCP. However, I am setting up a VPN connection to my router and I wanted it to stay static...

Here is all I have on eth1....

interface Ethernet1
description COMCAST L3
ip address XX.XX.XXX.XXX 255.255.255.0
ip nat outside
duplex auto
no cdp enable

..and it's working.

Let me know if it's working for you.

Thanks,

Sonarcoop...
 
You have a few problems with your configuration.

Advice from Cisco beginner to Cisco beginner :)

When opening ports up from outside to inside, it is ALWAYS a two-step process if you have one external IP address you are working with.

1. You must open up a port on the firewall.
2. You must set a static NAT entry to NAT the traffic coming in on the Ethernet port to your LAN.

Tip for configuring ACLs: Use "sho ip access-list 101". DON'T LOOK AT THE ACCESS LIST CONFIG FROM SHO RUN!! It is way too confusing.

You have no static NAT entries defined, so in your situation your outside packets are hitting the WAN interface and dying right there, because the router does not know what to do with the packets.

You need this command:

ip nat inside source static tcp 192.168.1.10 1433 interface Ethernet1 1433

If you had a static IP, you would substitute Ethernet1 with the WAN IP the traffic should come in on.

Keep going!! Cisco is fun and very challenging, don't give up! Once you tackle the basics, you'll be a pro.

-Travis
 
After pondering my previous post further, your ACL is incorrect as well.

access-list 101 permit tcp any host 192.168.1.10 eq 1433 log

In this line, translated to English: "A TCP packet that hits Ethernet1 from ANY IP address is permitted as long as its destination IP is 192.168.1.10."

This cannot be true, thus your outside packets end up getting denied by your deny ip any any log.

Basically, when a packet hits your WAN, its destination IP is your WAN IP, not your private IP. You utilize NAT to translate all packets with a public IP to a private IP. And the ACL is BEFORE NAT!!

Modify your ACL to be
access-list 101 permit tcp any any eq 1433 log

Your destination IP should not be defined unless you have multiple static public IPs.

Summary, make those two changes:

access-list 101 permit tcp any any eq 1433 log
ip nat inside source static tcp 192.168.1.10 1433 interface Ethernet1 1433

Another tip: You should organize your access lists so that all denies are grouped at the bottom of your ACL. For sanity's sake, it will make it 10x easier to troubleshoot bad ACL lines.

Now you should be rockin'

Travis
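The two-step point made in Travis's two posts above (the inbound ACL on Ethernet1 is evaluated on the untranslated packet, so it must match the public address, and a static NAT entry is still needed before anything reaches 192.168.1.10) can be checked with a small model. This is an added Python example, not code from the thread or from Cisco; the public address 73.0.0.2 and the client address 198.51.100.7 are constructed placeholders, and CBAC inspection is not modelled.

```python
import ipaddress
# Added example, not from the thread: a small model of how the 831 handles an inbound
# packet on Ethernet1. The inbound ACL sees the untranslated packet (destination = the
# public address); static NAT rewrites the destination only afterwards.
WAN_IP = "73.0.0.2"          # constructed stand-in for the DHCP-learned public lease
SQL_HOST = "192.168.1.10"    # the SQL Server host from the thread
def _addr_spec(tokens):
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))
def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq DPORT] [log]' (source ports not modelled)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr_spec(tokens), _addr_spec(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def _wild_match(spec, addr):
    base, wild = spec            # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild) == 0

def acl_permits(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and _wild_match(ace["src"], pkt["src"]) and _wild_match(ace["dst"], pkt["dst"])
                and ace["port"] in (None, pkt["dport"])):
            return ace["action"] == "permit"
    return False

def inbound(acl_lines, static_nat, pkt):
    """Order of operations on the outside interface: inbound ACL first, then static NAT."""
    if not acl_permits([parse_ace(l) for l in acl_lines], pkt):
        return "dropped by ACL 101"
    if (pkt["proto"], pkt["dport"]) not in static_nat:
        return "no static NAT entry, packet is not translated"
    lan_ip, lan_port = static_nat[(pkt["proto"], pkt["dport"])]
    return "forwarded to %s:%d" % (lan_ip, lan_port)

# Constructed remote client connecting to the public address on 1433, as in the thread.
CLIENT_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": WAN_IP, "dport": 1433}
ORIGINAL_ACL = ["permit tcp any host 192.168.1.10 eq 1433 log", "deny ip any any log"]
FIXED_ACL = ["permit tcp any any eq 1433 log", "deny ip any any log"]
STATIC_NAT = {("tcp", 1433): (SQL_HOST, 1433)}   # the 'ip nat inside source static tcp' line

def demo():
    """Returns (original ACL, fixed ACL but no NAT, fixed ACL plus static NAT)."""
    return (inbound(ORIGINAL_ACL, STATIC_NAT, CLIENT_PKT), inbound(FIXED_ACL, {}, CLIENT_PKT),
            inbound(FIXED_ACL, STATIC_NAT, CLIENT_PKT))
```

Only the third combination forwards the connection; the original ACL never matches because the packet still carries the WAN address as its destination when the ACL is checked.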
 