Cisco 871 General Config - DHCP not working

Status
Not open for further replies.

sackohammers

Technical User
Sep 22, 2009
Hello. I'm new to Cisco. Have the cookbook. Spent several hours over the last several days looking at examples and coming up with my own config. I usually don't ask for handouts, but I need some help to stay sane. I'm at the point now where I need to ask for help - just to get things up and running.

Below is my config. It likely has many mistakes. Right now, I can't get DHCP working on the inside.

Cisco 871.
Port FE4 is connected to my cable modem. It's getting its address from the cable modem (DHCP) just fine. It even has DNS enabled and I can ping out successfully by hostname.

Port FE0 is for a guest VLAN - VLAN 21. This is for guests like my in-laws to plug in their virus-ridden laptops when they come over, so it doesn't affect my machines. Currently, DHCP isn't working here.

Port FE1-3 is for VLAN 11 where I'll have my machines.
This is where DHCP is failing. My machines inside are not getting an address from the router.

I have no idea what I'm doing with firewalls and it is possible the firewall settings I have are getting in the way. The firewall config I do have on there was taken from the tutorial over at tech-republic.

Any help is greatly appreciated. Please help me get DHCP up and running. Also, any advice on making the firewall more secure is greatly appreciated. With my current knowledge I wouldn't know if I were leaving any gaping holes open or not. Once I get the thing up and running, then I want to endeavor to understand more about the firewall configuration and learn on my own.
Eventually, I'll want to implement QoS (for gaming, no VOIP). If there is an easy way to implement that, I'd appreciate advice there as well.

Config pasted below:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
enable secret <Removed by Poster>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
ip domain name <Removed by Poster>
!
! crypto key generate rsa modulus 1024
! (privileged-EXEC command, run once before enabling SSH; the key pair is not part of the running-config)
ip ssh time-out 120
ip ssh authentication-retries 4
ip ssh version 2
!
!
ip cef
!
! I might be missing some passwords here
line con 0
no modem enable
line aux 0
line vty 0 4
! This line removes "Telnet" as the default command when in terminal mode - to prevent timeouts when a typo is entered
transport preferred none
! Accept only SSH (configured above) for remote logins on the vty lines
transport input ssh
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
service dhcp
!
ip dhcp pool VLAN11
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.254
domain-name <Removed by Poster>
lease 4
!
ip dhcp pool VLAN21
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
domain-name <Removed by Poster>
lease 4
!
!
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
! Dynamic DNS to update IP address with no-IP.com
ip ddns update method MYUPDATE
HTTP
! The username:password in this URL is stored as typed in the running-config; redact before sharing
add http://<Removed by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
! remove http://<Removed by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
interval maximum 0 0 2 0
interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
!
username rtradmin secret <Removed by Poster>
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 21
no shut
!
interface FastEthernet1
switchport access vlan 11
no shut
!
interface FastEthernet2
switchport access vlan 11
no shut
!
interface FastEthernet3
switchport access vlan 11
no shut
!
interface FastEthernet4
! Dynamic DNS to update IP address with no-IP.com
ip ddns update hostname <Removed by Poster>
ip ddns update MYUPDATE
!
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect MYFW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface VLAN11
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
!
interface VLAN21
description Guest Network
no ip address
ip nat inside
ip virtual-reassembly
!
! ip forward-protocol udp
!
no ip http server
no ip http secure-server
!
! This ACL is defined but not bound to any interface, so as written it has no effect.
! To take effect it must be applied inbound on the outside interface
! (ip access-group Internet-inbound-ACL in under FastEthernet4); the ip inspect MYFW out
! statement there then opens return traffic for inspected sessions through it.
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
! Turning off diag info to improve security
no cdp run
!
!
!
!
control-plane
!
banner login ^C
+--------------------------------------------------------------------+
/ WARNING /
/ ------- /
/ This system is solely for the use of authorized users for official /
/ purposes. You have no expectation of privacy in its use and to /
/ ensure that the system is functioning properly, individuals using /
/ this computer system are subject to having all of their activities /
/ monitored and recorded by system personnel. Use of this system /
/ evidences an express consent to such monitoring and agreement that /
/ if such monitoring reveals evidence of possible abuse or criminal /
/ activity, system personnel may provide the results of such /
/ monitoring to appropriate officials. /
+--------------------------------------------------------------------+
^C
!
!
scheduler max-task-time 5000
end

FW#
 
You need to make VLAN11 and VLAN21 into SVIs by giving them IP addresses.
Code:
interface VLAN11
 description Internal Network
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface VLAN21
 description Guest Network
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you very kindly. My machines are now getting IP addresses issued from the router.

However, I am unable to access websites or successfully ping outside hosts.

I also get an unexpected error when I type "nslookup" from one of my Windows host machines.

Code:
C:\Documents and Settings\ken>nslookup
*** Can't find server name for address 10.10.10.150: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 24.93.41.127: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  10.10.10.150

>

What do you think is wrong?
 
Try putting a DNS server under the DHCP pool:

ip dhcp pool VLAN11
dns-server XXX.XXX.XXX.XXX

It looks like the "import all" command isn't doing its job.
Also try pinging 4.2.2.2 to see if you can reach the web, in case it's not a DNS problem.

Regards

 
Thank you. I noticed that there was no place in my configuration where I had specified a DNS server, but I wasn't sure if I was supposed to do it globally or for each DHCP pool. I also wasn't clear if making a DNS statement was just for the router itself, or for the clients connecting.
Your recommendation above clears up all of those questions quite nicely.

I also notice this statement in my config:
multilink bundle-name authenticated

Is there any reason I would need that for my setup? I googled the statement and did some reading. While I didn't understand the terms being used, I gathered that perhaps I don't need this line. Is that true?

Thanks again. Both of you have been a great boost to my sanity so far.
 
Hello.

I added the line for the DNS server as directed above. It improved things, but I am still not able to reach outside.

Code:
C:\Documents and Settings\ken>nslookup
Default Server:  wampeter.karass.com
Address:  10.10.10.150

> www.google.com
Server:  wampeter.karass.com
Address:  10.10.10.150

DNS request timed out.
    timeout was 2 seconds.
*** Request to wampeter.karass.com timed-out
>

I tried to ping 4.2.2.2 from a Windows workstation. It failed to get any reply. So, I believe the problem is not just with DNS.

I was able to ping inside hosts by IP address or by name and it worked fine.

Any ideas why I'm not getting outside?

Thanks,
Hammers
 
Try putting "ip nat outside" under the WAN interface "FastEthernet4"

Also post a "show ip nat translations"

Regards
 
Hello,

I added "ip nat outside" under F4, but I am still unable to reach outside.

"show ip nat translations" yields the following:

Code:
FW#show ip nat translations

FW#

I can still see everyone inside and hit everything inside by name or IP address. Cannot hit anything outside by name or IP address. Pinging 4.2.2.2 timesout.

Thanks
 
It seems I am getting lazy, not reviewing the confs carefully anymore. You're missing all the NAT statements.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/4
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/4 overload

Regards

 
Thanks again for the quick reply. I will enter these when I get home from work this evening.

I have a few questions. Do I enter these commands from the "conf t" prompt, or do I need to be at the prompt where I'm configuring the interface? In other words, do I issue an "int FastEthernet4" command before I enter the above commands or not?

Also, the interface is called "FastEthernet4". I want to verify that I am to enter it as "FastEthernet0/4" as you instructed.

Also. I know relatively little about access lists. At the bottom of my config I have:
Code:
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any

It looks like you're having me create "access list 1". Should all these statements be combined into one ACL?

Thanks!
 
minue, I'm with ya man, I completely glossed over that stuff lol

sack, you'll enter those in privileged exec mode (at the Router(config)# prompt). acl 1 is in fact a new acl. The acl that you have in your config is not applied to an interface, so it is not doing anything.

 
Alrighty.

Would it then be reasonable to move the commands that I had in the access list I quoted above to acl 1?
 
No, acl 1 in this configuration is used solely for the NAT process to identify the networks that should be NATed. Keep the other stuff in its own acl, but be sure to apply it to the interface.

 
Ok. I'm guessing that since FastEthernet4 is my outbound interface to the world, that's where I should apply that other acl. I'm not sure how I do that.

I was confused between applying an ACL to an interface, versus using the inspection firewall to control everything.
 
Holy crap, I totally missed your CBAC config, my bad... it's been one of dem days. Disregard what I said about applying the acl to your interface...

 
Ok I added this:

Code:
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload

Now I can get out. I can ping out and access websites - sporadically. However, the performance is very poor. I'm getting a lot of timeouts... things seem... bursty.

When I go back to my old little D-link router, everything seems to be operating at normal speed.

Any ideas?
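The fixes the replies arrived at one post at a time (an SVI with no address, no dns-server in the pool, no "ip nat outside", no NAT source rule, no default route, and an ACL that is defined but never applied) can be checked mechanically against a running-config. The Python below is an added example, not code from the thread or from Cisco: it parses a config excerpt, reports those mistakes, and counts the leases each DHCP pool can actually hand out once the excluded-address ranges are taken away. The two configs it runs on are constructed, trimmed copies of the poster's config before and after the fixes; 4.2.2.2 stands in for the resolver the reply left as XXX.XXX.XXX.XXX, and the ip access-group line in the fixed copy is this example's addition rather than something the thread recommended.

```python
"""Lint a Cisco IOS running-config for the mistakes worked through in this thread (added example,
not code from the thread or from Cisco): it re-does by script the checks the replies made by eye."""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: a trimmed copy of the poster's original config, before the fixes.
BROKEN_CONFIG = """\
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
ip dhcp pool VLAN11
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.254
ip dhcp pool VLAN21
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.254
interface FastEthernet4
 ip address dhcp
 ip inspect MYFW out
interface Vlan11
 no ip address
 ip nat inside
interface Vlan21
 no ip address
 ip nat inside
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
"""

# Constructed sample: the same config with the thread's fixes applied. 4.2.2.2 stands in for the
# resolver the reply left as XXX.XXX.XXX.XXX; the ip access-group line is this example's addition.
FIXED_CONFIG = (
    BROKEN_CONFIG
    .replace("Vlan11\n no ip address", "Vlan11\n ip address 10.10.10.254 255.255.255.0")
    .replace("Vlan21\n no ip address", "Vlan21\n ip address 10.10.20.254 255.255.255.0")
    .replace(" ip inspect MYFW out", " ip inspect MYFW out\n ip nat outside\n ip access-group Internet-inbound-ACL in")
    + "ip dhcp pool VLAN11\n dns-server 4.2.2.2\nip dhcp pool VLAN21\n dns-server 4.2.2.2\n"
    + "ip route 0.0.0.0 0.0.0.0 FastEthernet4\n"
    + "access-list 1 permit 10.10.10.0 0.0.0.255\naccess-list 1 permit 10.10.20.0 0.0.0.255\n"
    + "ip nat inside source list 1 interface FastEthernet4 overload\n"
)

def parse(text):
    """Group a running-config into {header: [indented child lines]}; repeated headers merge."""
    cfg, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            cur = cfg.setdefault(raw.strip(), [])
        elif cur is not None:
            cur.append(raw.strip())
    return cfg

def lint(text):
    """Return a list of findings; an empty list means none of the thread's mistakes remain."""
    cfg, out = parse(text), []
    ifaces = {h.split()[1]: b for h, b in cfg.items() if h.startswith("interface ")}
    # Subnets that actually have an address on some interface (the SVIs are what matter here).
    addrs = [IPv4Network(f"{m[1]}/{m[2]}", strict=False) for b in ifaces.values() for l in b
             if (m := re.match(r"ip address (\d\S*) (\S+)$", l))]
    for h, body in cfg.items():
        if not h.startswith("ip dhcp pool "):
            continue
        pool = h.split()[-1]
        net = next((l.split()[1:] for l in body if l.startswith("network ")), None)
        if net and IPv4Network("/".join(net), strict=False) not in addrs:
            out.append(f"pool {pool}: no interface has an address in {'/'.join(net)}, so that VLAN gets no offers")
        if not any(l.startswith("dns-server ") for l in body):
            out.append(f"pool {pool}: no dns-server; clients get DNS only if 'import all' learned one upstream")
    if any("ip nat inside" in b for b in ifaces.values()):
        if not any("ip nat outside" in b for b in ifaces.values()):
            out.append("NAT: 'ip nat inside' set but no interface has 'ip nat outside'")
        if not any(h.startswith("ip nat inside source ") for h in cfg):
            out.append("NAT: no 'ip nat inside source' rule, so nothing is translated")
    if not any(h.startswith("ip route 0.0.0.0 0.0.0.0") for h in cfg):
        out.append("routing: no default route, so Internet-bound traffic has nowhere to go")
    # An ACL only does something once an interface (access-group) or a NAT rule references it.
    refs = " ".join(list(cfg) + [l for b in cfg.values() for l in b])
    acls = {m[1] or m[2] for h in cfg
            if (m := re.match(r"ip access-list (?:standard|extended) (\S+)$|access-list (\d+) ", h))}
    for name in sorted(acls):
        if not re.search(rf"(access-group|source list) {re.escape(name)}\b", refs):
            out.append(f"acl {name}: defined but never applied to an interface or NAT rule")
    return out

def usable_addresses(text, pool):
    """Leases the named pool can hand out: its host range minus every excluded-address range."""
    cfg = parse(text)
    net = next((l.split()[1:] for l in cfg.get(f"ip dhcp pool {pool}", []) if l.startswith("network ")), None)
    hosts = set(IPv4Network("/".join(net), strict=False).hosts()) if net else set()
    for h in cfg:
        m = re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", h)
        if m:
            lo, hi = IPv4Address(m[1]), IPv4Address(m[2] or m[1])
            hosts = {a for a in hosts if not lo <= a <= hi}
    return len(hosts)
```

Calling lint(BROKEN_CONFIG) returns eight findings, one for each step the thread had to work through, and lint(FIXED_CONFIG) returns none. usable_addresses(BROKEN_CONFIG, "VLAN11") returns 89: the two excluded ranges leave only 10.10.10.11 through 10.10.10.99 for clients, which is worth knowing before the in-laws' VLAN fills up or the exclusions are widened. The parser is deliberately simple (one level of indentation, comments skipped), which is all a show running-config needs.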
 
Post a sh int fa1 and fa4

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Gladly.
Please note that currently I have nothing connected to the ports. The web is pretty much useless while on the Cisco so I have to use the old router to make this post.
As a result, fa4 doesn't have an IP at the moment.

Please find below:
Code:
FW#sh int fa1
FastEthernet1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 0024.14db.0e65 (bia 0024.14db.0e65)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5297 packets input, 890611 bytes, 0 no buffer
     Received 325 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     4651 packets output, 3090408 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Code:
FW#sh int fa4
FastEthernet4 is up, line protocol is down
  Hardware is PQUICC_FEC, address is 0024.14db.0e6e (bia 0024.14db.0e6e)
  Internet address will be negotiated using DHCP
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:54:33, output 00:00:31, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     37832 packets input, 5091116 bytes
     Received 34203 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     6114 packets output, 2035243 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
 
We need to see results with them connected, but if the counters have not cleared, then this is ok.

Is this going to ADSL? If so, on fa4 and the vlans, you need

ip tcp adjust-mss 1452

or

ip mtu 1492

 
The router hasn't been reloaded since I had been connected.

But, I can connect up again , gather the information, then post it. I'll be busy tonight with birthday plans, but can post that information tomorrow.

Not using ADSL - Time Warner cable to a cable modem.

Thanks
 