Config for cisco 2621 using broadband modem

Status
Not open for further replies.

gregworcester

IS-IT--Management
Mar 11, 2009
43
0
0
US
Hello,

You folks helped me with this router when I had trouble configuring it for an ADSL wic card.
My ISP is discontinuing the DSL and I have gone with Time Warner access (broadband).

The config is posted below. I can ping on the outside, but cannot get out.
Any help would be appreciated.
Thanks

Current configuration : 5269 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname WP2621
!
boot-start-marker
boot-end-marker
!
logging rate-limit all 10
no logging console
enable secret 5 $1$kuy8$ed/RH1eDfnUjeUeVNX3be.
enable password 7 105D0C170216
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no ip source-route
ip cef
!
!
ip inspect name email pop3
ip inspect name smtp smtp
ip inspect name cu cuseeme
ip inspect name ftp ftp
ip inspect name dns dns
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
!
!
no ip bootp server
ip domain name whitepine.local
! These are OpenDNS
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh rsa keypair-name WP2621.whitepine.local
ip ssh version 2
!
!
username gregw privilege 15 password 7 070228545A0009091E0A
!
!
interface FastEthernet0/0
ip address dhcp client-id FastEthernet0/0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
ip route 192.168.0.0 255.255.255.0 76.XXX.XXX.0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
control-plane

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 060B0639584719150C0F
line aux 0
exec-timeout 0 1
password 7 00091A1E10521B0A0639
no exec
line vty 0 3
access-class 1 in
exec-timeout 5 0
password 7 00091A1E10521B0A0639
transport input ssh
line vty 4
access-class 1 in
exec-timeout 5 0
password 7 03095213120631404711
transport input ssh
line vty 5 15
password 7 12140C0F06021C082333
!
ntp clock-period 17180426
ntp source FastEthernet0/0
ntp master
ntp max-associations 20
ntp server 206.246.122.250
ntp server 64.90.182.55
ntp server 96.47.67.105
ntp server 165.193.126.229
!
end
 
Hello

You don't have a default route pointing outside.
"ip route 192.168.0.0 255.255.255.0 76.XXX.XXX.0" - this should be

ip route 0.0.0.0 0.0.0.0 76.XXX.XXX.XXX

HTH
-Viconsul
 
Thanks viconsul.

I added the correct ip route statement but this did not help matters.
By all rights this should be working.

Here is my config again a little shortened for clarity.
If anyone sees anything that could be causing no connectivity, I
would appreciate some advice on how to proceed from here.

gregworcester

ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
!
!
no ip bootp server
ip domain name whitepine.local
ip name-server 24.29.99.35
ip name-server 24.29.99.36
ip ssh rsa keypair-name WP2621.whitepine.local
ip ssh version 2

!
interface FastEthernet0/0
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 76.179.XXX.0

ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!

!
end
 
Hi

I need to understand your setup correctly. What do you have sitting in front of the Cisco router?
Could you post the output of "show interface fa0/0" ?
Also, could you explain this better "I can ping on the outside, but cannot get out."
Can you ping from the router to outside?
Can you ping the ip of int fa0/0 from any device inside?

Viconsul
 
*facepalm...

a - You don't need a default route when you have an IP address assigned by DHCP from your ISP. You will get a default route advertised by said DHCP server.

b - Please do a:

show ip int brief
sh ip route
sh ip nat translations


and post it here for further troubleshooting.

Thank you kindly

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
1. Not sure you should ref the same ACL for both your line filters and NAT...never tried it...likely not causing the issue (see 3.)
2. If you do create a different ACL for the lines, I would put in a deny any log to log hits to syslog, etc.
3. I would venture to guess your ISP requires some sort of authorization (CHAP, etc), esp since not just anyone can plug in and grab a DHCP config... ;)
4. For securing the lines, I would do a
username xxxxxx priv 15 secret yyyyyyyyyyy
to secure the password w/MD5 rather than encryption based on a cipher that was developed in the 1500's (Vigenere)
and rather than using the old method of priv level command authorization, I would say check out setting up parser views for separate logins.
5. You absolutely need a default route...unless you have nothing connected in your network :)---it's the gateway of last resort, and usually in a scenario where the outside interface grabs a DHCP ip address config, the default route should point to the interface itself...

ip route 0.0.0.0 0.0.0.0 fa0/0

HTH

--TIMMAY!

10 ? "TIMMAY!!!"
20 goto 10
run
TIMMAY!!!
TIMMAY!
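
An added example (not code from the post above or from Cisco): a small Python check that applies the post's review points (type 7 passwords instead of `secret`, one ACL shared by the line filter and NAT, no `deny any log` in the line ACL) to an abridged, redacted copy of the posted config. The check names are assumptions made here, and the vty `access-class` check goes beyond what the post lists.

```python
import re

# Abridged from the config posted in this thread; passwords replaced by REDACTED.
SAMPLE = """\
enable secret 5 REDACTED
enable password 7 REDACTED
username gregw privilege 15 password 7 REDACTED
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.255.255
line vty 0 3
access-class 1 in
password 7 REDACTED
line vty 5 15
password 7 REDACTED
"""
# Keyword-based section tracking, because the pasted config lost its indentation.
LINE_SUBCMDS = ("access-class", "password", "transport", "exec-timeout", "no exec")

def audit(config):
    """Return (check, detail) findings for an IOS config given as text."""
    findings, nat_acls, line_acls, rules, vty, section = [], set(), set(), {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("line "):
            section = line
            if line.startswith("line vty"):
                vty[section] = []
        elif section and line.startswith(LINE_SUBCMDS):
            vty.get(section, []).append(line)
        else:
            section = None
        if re.search(r"\bpassword 7 ", line):  # reversible type 7 encoding
            findings.append(("type7-password", f"{section or 'global'}: {line.split(' 7 ')[0]}"))
        if m := re.match(r"access-class (\S+) in", line):
            line_acls.add(m.group(1))
        if m := re.match(r"ip nat inside source list (\S+)", line):
            nat_acls.add(m.group(1))
        if m := re.match(r"access-list (\d+) (.+)", line):
            rules.setdefault(m.group(1), []).append(m.group(2))
    for acl in sorted(line_acls & nat_acls):  # point 1 of the post
        findings.append(("shared-acl", f"ACL {acl} filters lines and selects NAT traffic"))
    for acl in sorted(line_acls):  # point 2 of the post
        if "deny any log" not in rules.get(acl, []):
            findings.append(("no-deny-log", f"line ACL {acl} has no 'deny any log' entry"))
    for header, cmds in vty.items():  # beyond the post: vty range with no filter
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(("vty-unfiltered", f"{header} has no access-class"))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```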
 
Hi Folks

It ended up being the statement

ip verify unicast reverse-path
on fa0/0 that was causing the issue.

Thanks everyone.
 
oooohhhhhh...lol

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 