Cisco 851W help

[SailingNut]

I'm extremely new to configuring Cisco routers (OK never done it before!) and I'm having problems getting my 851W set up.

Most things look complete in the setup but I know I'm missing a critical part because the 851 will not route traffic from my LAN to the WAN.

I went through the CDM wizard to set things up but no luck, so I also tried a set of IOS commands generated by a spreadsheet I found at Tech Republic.

I know you will need more information to figure out what I've mucked up. So please let me know whay tou need.

TIA for any and all help! Oh, if there is a good tutorial out there somewhere that can bring me up to speed on how Cisco routers work I'd love to have that too!

 

[burtsbees]

Post what you have so far...
router>en
router#sh run

Burt

 

[SailingNut]

Here is my full configuration. SOrry for it being so verbose, but I didn't know what I could safely cut out.

Current configuration : 9213 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco851W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$lHpS$HKZ0wyNloC6bna3uOUIhC/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamwork
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 192.168.0.2
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-2835392884
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2835392884
revocation-check none
rsakeypair TP-self-signed-2835392884
!
!
crypto pki certificate chain TP-self-signed-2835392884
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383335 33393238 3834301E 170D3037 31313039 32303336
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38333533
39323838 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009C57 48315C40 E1F8C064 DD4102A7 E2B2BD04 0A1C4701 98A4DCCD C32B7CBD
6808F5A8 CC0454D4 F50B7B00 B4B42F3E 7E892DC0 C260015A F104C257 47E368FF
9D29E348 FCF223E2 08CCC5C1 D64CE0EF 2350CB74 7BF60673 78164EE9 513D43
9B077A7D 990E05A8 16FF2515 ADD356A8 C06A81B0 C68330D8 29C8C5E8 A4E3EA48
6C3D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15436973 636F3835 31572E77 7462686F 6D652E6E 6574301F
0603551D 23041830 16801471 AB8F9CDA 5B134BF1 1D405057 E75CF6CF 58972030
1D060355 1D0E0416 041471AB 8F9CDA5B 134BF11D 405057E7 5CF6CF58 9720300D
06092A86 4886F70D 01010405 00038181 000E1419 D77B104A 8412A7FE 5AC507AA
D6B9AAAB 4AEBBD31 2278A3BC 09B934B4 0E396386 C6A03270 A999AF27 FA4CA9
F9B58832 62BBA673 83DAAE49 781F3A01 5465149F FD911AFD 2F4F0A2D 6629114D
3C9CBE39 6508FFFB 7DE72643 F3CBE4A3 99330846 0F43B289 B0D67A20 B16EE9E2
6B47C460 ACF2FB2A 59D3240B DC76F0ED EC
quit
username tborland privilege 15 secret 5 $1$tb9W$e42z49pdQLXXblMXKrBL30
!
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEther
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid wtbhome
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 0014550F0356020D182E181C5B4950
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.
54.0
station-role root
no dot11 extension aironet
no cdp enable
bridge-group 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 103 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 

[burtsbees]

change
ip route 0.0.0.0 0.0.0.0 dhcp
to
ip route 0.0.0.0 0.0.0.0 fa4
Also, do a sh int fa4, and make sure you're getting an IP address. It looks good to me, and I don't see any glaring mistakes...I have never seen
ip route 0.0.0.0 0.0.0.0 dhcp
just
ip route 0.0.0.0 0.0.0.0 x.x.x.x, where x.x.x.x is the next hop, and
ip route 0.0.0.0 0.0.0.0 outbound interface, in your case fa4

Burt

 

[SailingNut]

As far as I can tell fa4 is not getting assigned an IP address. The puzzling thing is that when I move the cable back over to my other router things work perfectly.

Any suggestions?

 

[burtsbees]

Try simply
router(config)#int fa4
router(config-if)#no ip add dhcp client-id FastEther
router(config-if)#ip add dhcp

Like that. That probably won't make a difference, so find out what subnet the other end is on, so you can statically set the IP address. You can do this by plugging the other router in, and see what IP address it picks up, and the plug the 851 in (quickly), and set the IP as the same. For example, if the other router picks up 12.12.12.12 255.255.255.0, then...
router(config)#int fa4
router(config-if)#ip add 12.12.12.12 255.255.255.0
router(config-if)#no shut
router(config-if)#end
router#wr

At least this will give you connectivity for now...what is fa4 going to? Perhaps you need a crossover cable, as Cisco devices do not auto-sense crossover and straight through cables, so the correct cable must be used.

Burt

 

[SailingNut]

Burt, thanks for all of the help so far!

I tried the first steps and I got an incomplete command error for the "no ip add dhcp client-id FastEther"

FYI I will be out of town for the next few days, so I won't be able to try anything.

One question I have (because I can't remember from long ago) if I have the wrong cable cross over vs. straight will I get a link light even if I have the wrong cable?

Also, the router clearly thought fa4 was up. Will that happen with the wrong cable?

 

[burtsbees]

NO, so it appears you have the right cable. What does it physically connect to?

Burt

 

[SailingNut]

The router connects to a Verizon ONT which converts the signal from the fiber to Ethernet.

 

[SailingNut]

Back and looking at things again.

I just re-inspected my config and I noticed that the

ip route 0.0.0.0 0.0.0.0 dhcp

was still stuck in the config along with the

ip route 0.0.0.0 0.0.0.0 fa4

So I removed that but I am still not getting an IP address from the DHCP server at Verizon.

I've dredged through Google and found several posts on forums about the same thing, but none of them had solutions.

Any thoughts?

 

[burtsbees]

Well, did you hard code an IP address in the same subnet?

Burt

 

[SailingNut]

Crap forgot that test.

I did do that test and it did not work. I assigned the same IP that my other router had when the cable was plugged in.

I'm unable to ping anything outside of my network. I tried a ping where DNS would have to resolve the IP and that failed so I also tried to ping the IP of the DNS server from my ISP and no luck on that either.

 

[burtsbees]

Post a sh int fa0...

Burt

 

[SailingNut]

Burt,

Here it is:

FastEthernet0 is up, line protocol is up
Hardware is Fast Ethernet, address is 001c.f68e.2328 (bia 001c.f68e.2328)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 1000 bits/sec, 3 packets/sec
3805 packets input, 445162 bytes, 0 no buffer
Received 259 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
7931 packets output, 1405436 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

 

[SailingNut]

Well, I solved it with someone else's suggestion. I had to clone the MAC of my other router on fa4.

I didn't believe that would work because I've had 3 other routers plugged in and never had to do any MAC cloning to get them to work.

Now it's on to other problems like getting my Verizon Voicewing service working through the 851. I forwarded the proper ports, but no luck. I'll start another thread on this one.

Thanks so much for all of your help Burt!

 

[burtsbees]

I didn't think of that...guess they had your MAC configured on their end, too.
I'll take a look at the other post as well.

Burt

 

[n1koolkat]

I had the same problem. I was using a cable modem, When connected directly to a laptop the cable modem assigned an ip address however when connected to the router it did not assign the i address to fa4 port. However both the status and protocol indicated the line was up. I also couldnt connect to the internet.

The ip route 0.0.0.0 0.0.0.0 dhcp assumes that the interface will be assigned an ip address from a dhcp server, In my case the cable modem. The cable modem also provides the dns address whih is why i couldnt connect to the internet.

What i did to resolve the problem was to manually assign the ip address i got when the laptop was directly connected to a modem to fa4. I then "shut and no shut" the interface. Everything then started working. I connected a laptop to the router and and made sure it assigned an ip address and could connect to the internet. I the changed fa4 back to dhcp, copied it to the startup config and everything remain up.

I can only presume something remains caches and needs to be released.

 

[burtsbees]

The ip route 0.0.0.0 0.0.0.0 dhcp assumes that the interface will be assigned an ip address from a dhcp server"
Actually,...
router(config-if)#ip add dhcp
allows the interface to get an address via dhcp. The default route
0.0.0.0 0.0.0.0 dhcp
will send all unknown traffic to the next hop, which will be negotiated using dhcp. I would have put in
ip route 0.0.0.0 0.0.0.0 fa4
So that the router is forced to do an ARP lookup.

Burt