ISDN dial up from Cisco 800 series to Cisco 4000

nichols

Technical User
May 24, 2001
I am trying to configure a Cisco 800 series router to dial up from a remote site using an ISDN 2 line, to the Cisco 4000 on our hub site.

It is intended to only bring the ISDN connection up when the user at the remote site initiates a telnet or E-mail session.

The 800 series router has been configured using Cisco fast step and I have made some additional configuration manually (i.e. configured with ppp chap username and password).

I have a laptop connected to the mini hub within the 800 and it can ping the ethernet interface and the bri0 interface.

When it is attempted to ping or run trace route either the Bri1 interface or the ethernet 0 interface on the 4000 router, the red channel 1 light illuminates however the ping or trace route fails. I have had both ISDN2 lines checked by BT and they have come back without error.

When the show ip route command is entered on both routers, it shows that the Bri port is going through the correct remote gateway!

I have enclosed the two configurations

Cisco 800 series router

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cabanasj
!
logging buffered 8192 debugging
enable secret 5 $1$vqHD$J40GTqvHKlNKAndlzZB5Q1
enable password 7 140713181F13253920
!
username haydock2 password 7 011007065A05071C2B
username cabanasj password 7 00341215174C04140B
!
!
!
!
!
pots country GB
ip subnet-zero
no ip source-route
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface Ethernet0
ip address 192.110.24.1 255.255.255.0
ip access-group 121 in
no ip directed-broadcast
no ip proxy-arp
!
interface BRI0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap pap callin
ppp multilink
!
interface Dialer1
description RCN
ip address 192.110.98.2 255.255.255.0
ip access-group 121 in
no ip directed-broadcast
no ip proxy-arp
encapsulation ppp
no ip split-horizon
dialer remote-name haydock2
dialer pool 1
dialer idle-timeout 300
dialer string ########### class DialClass
dialer hold-queue 10
dialer load-threshold 10 either
dialer-group 1
pulse-time 0
ppp authentication chap pap callin
ppp chap hostname cabanasj
ppp chap password 7 0007120405550A1505
ppp pap sent-username cabanasj password 7 0508070D20424F1A13
ppp multilink
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.110.1.0 255.255.255.0 192.110.96.1

map-class dialer DialClass
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con #
exec-timeout ##
transport input none
stopbits #
line vty ##
exec-timeout ##
login local
!
time-range TIME
periodic daily 0:00 to 23:59
!
end





Cisco 4000 series (hub router)

Building configuration...

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname haydock2
!
enable secret 5 $1$C3x/$YuVrS3ZraJ2RE7JDeqgrc0
enable password ############
!
username wythenshawe password 7 120F0C1A0604
username central password 7 070C24425A1B1809
username cabanasj password 7 055C050E234D40080A0F
ip subnet-zero
no ip domain-lookup
ipx routing 0000.0c99.3892
isdn switch-type basic-net3
!
interface Ethernet0
description Ethernet i/f @ Haydock2
ip address 192.110.1.2 255.255.255.0
media-type 10BaseT
ipx network 1
ipx output-sap-filter 1000
!
interface Serial0
description Kilostream to Chertsey 2503
ip address 192.110.15.1 255.255.255.0
bandwidth 64
ipx network 15
ipx output-sap-filter 1000
no fair-queue
!
interface Serial1
description Kilostream to Glasgow 2503
ip address 192.110.16.1 255.255.255.0
ipx network 16
ipx output-sap-filter 1000
no fair-queue
!
interface Serial2
description Support from Datel
ip address 100.0.0.2 255.0.0.0
no fair-queue
!
interface Serial3
no ip address
shutdown
!
interface BRI0
description Dial-up connection from Cabana Central
ip address 192.110.94.1 255.255.255.0
encapsulation ppp
bandwidth 64
dialer-group 1
no fair-queue
ppp authentication chap
!
interface BRI1
description Dail-up connection from Cabana SJ
ip address 192.110.98.1 255.255.255.0
encapsulation ppp
bandwidth 64
dialer map ip 192.110.98.2 name cabanasj #############
dialer-group 1
ppp authentication chap
ppp chap hostname cabanasj
ppp chap password 7 13521413090D0A2B382E
!
interface BRI2
no ip address
encapsulation ppp
shutdown
!
interface BRI3
no ip address
shutdown
!
router rip
network 192.110.1.0
network 192.110.15.0
network 192.110.16.0
network 192.110.94.0
network 192.110.20.0
network 192.110.96.0
network 192.110.22.0
network 10.0.0.0
network 100.0.0.0
network 192.110.98.0
network 192.110.24.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.110.1.253
ip route 10.0.0.0 255.255.0.0 100.0.0.1
ip route 192.110.20.0 255.255.255.0 192.110.94.2
ip route 192.110.22.0 255.255.255.0 192.110.96.2
ip route 192.110.24.0 255.255.255.0 192.110.98.2
access-list 1000 permit FFFFFFFF 4
access-list 1000 permit FFFFFFFF 278
access-list 1000 permit FFFFFFFF 26B
access-list 1000 permit FFFFFFFF 237
access-list 1000 permit FFFFFFFF 107
access-list 1000 deny FFFFFFFF
!
!
!
snmp-server community public RO
snmp-server enable traps isdn
snmp-server enable traps config
snmp-server enable traps bgp
snmp-server enable traps frame-relay
dialer-list 1 protocol ip permit
alias exec preston telnet 192.110.4.1
alias exec stockpack telnet 192.110.6.1
alias exec wythenshawe telnet 192.110.2.1
alias exec vimtobackup telnet 192.110.2.2
alias exec chertsey telnet 192.110.5.1
alias exec solent telnet 192.110.3.1
alias exec glasgow telnet 192.110.8.1
!
line con #
exec-timeout ##
line aux #
line vty ##
password ###########
login
!
end


I am now very Stuck so any ideas would be welcome!!!!

 
First thing is to dump all access lists and other "tweaks" other than what is exactly needed for ISDN to work. Once ISDN is working, go ahead and start adding back your security.

access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME


The top 2 deny UDP, but there is an implied DENY ALL UDP since you started to deny certain UDP. You need to specify what UDP you will allow. Keep in mind that traceroute is both ICMP and UDP based: UDP on the outbound and ICMP coming back. Again, TCP is being denied for ports 137-139 but you have not specified what TCP is allowed. The router will take the packet, examine it, work through the list and branch out when a match occurs. Your UDP or TCP packet will be examined, matched against the first 6 lines, no match, drop to the last line, again no match and then the unsaid DENY ALL at the end will dump it.



show ISDN status

This will give us the status of the ISDN interface: connected etc.

show interface BRI<port>
shows status of the actual ISDN port
show interface BRI<port> <B channel 1 or 2>


You can also run a debug on the ISDN to see where the connection fails.

debug isdn q921

Gives layer 2 debug of ISDN connection. Details are at:


Troubleshooting ISDN

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
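
Added example, not part of the thread: a first-match evaluation of access-list 121 exactly as posted, including the implicit deny that applies when no entry matches. The parser covers only the entry forms used in that list, `evaluate` and its `active_ranges` argument are hypothetical names, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

ACL_121 = """\
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME"""

@dataclass
class Ace:
    action: str
    proto: str                        # "ip" matches every IP protocol
    src_port: Optional[int] = None    # "any eq X any" tests the SOURCE port
    time_range: Optional[str] = None

def parse_ace(line):
    tok = line.split()[2:]            # drop "access-list 121"
    action, proto, rest = tok[0], tok[1], tok[3:]   # tok[2] is source "any"
    src_port = None
    if rest[0] == "eq":
        src_port = PORTS.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    rest = rest[1:]                   # skip destination "any"
    name = rest[1] if rest[:1] == ["time-range"] else None
    return Ace(action, proto, src_port, name)

def evaluate(acl, proto, src_port, active_ranges):
    """Return (action, entry number); entry number None means implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.time_range and ace.time_range not in active_ranges:
            continue                  # entry is inactive outside its time-range
        if ace.proto not in ("ip", proto):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        return ace.action, n          # first match wins, evaluation stops
    return "deny", None               # nothing matched: implicit deny

ACL = [parse_ace(l) for l in ACL_121.splitlines()]

if __name__ == "__main__":
    for proto, sport in [("udp", 137), ("udp", 40000), ("icmp", None)]:
        print(proto, sport, evaluate(ACL, proto, sport, {"TIME"}),
              evaluate(ACL, proto, sport, set()))
```
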
 
As far as I can tell the two username passwords for each router do not match.

The CHAP PPP process is a three way handshake that transfers the hostnames and the passwords, checks, encrypts and returns the corresponding information for authentication.

The passwords do not match so I cannot see how the link will open?

I would amend the passwords. There is a 7 in front of the one for cabanasj but not on haydock.

I agree that it is best to keep the config to a simple level first prior to access-list application so you are sure that the PPP process is working. However, using SHO ISDN STAT and SHO DIALER along with debug will capture most information if no calls are generated.

Hope this helps.
 
The 7 refers to the password being encrypted. You would take the string of letters and numbers after the 7 and decrypt them in order to see the "real" password.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Hi nichols!

What aceman says about the passwords is right, you have an extra 7 in front of
username cabanasj password 7 055C050E234D40080A0F
in your 4000 router. So retype all the usernames and passwords
(in your 800 you have 8 letters and in 4000 9 letters).
It looks like there are some other errors in your password too.

(Get Pass v1.1) you can find a decrypt program for Cisco Level 7 encrypted passwords.
 
Cheers for all those who have helped so far it is appreciated!

I have followed the advice above and downloaded the getpass utility suggested by Jacro - Cheers, that is a top quality utility. This showed that my passwords were not the same, which was confusing because they were done through the wizard on the cisco fast step (apart from the 4000 to which the config was appended to).

I have now rectified this and all the passwords are correct, however I still cannot ping. I followed a document that was suggested above on troubleshooting and debugging ppp.

When I set the 800 to debug ppp chap and I tried to ping the 4000 the ping failed giving me the following output:-

cabanasj#debug ppp chap
PPP authentication debugging is on
cabanasj#ping 192.110.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.110.1.1, timeout is 2 seconds:

00:02:77309411328: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:02:81604378624: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer1.
00:02:81610619700: BR0:1 PPP: Treating connection as a callout
00:02:85899345919: BR0:1 CHAP: Using alternate hostname cabanasj
00:02:19: BR0:1 AUTH: Started process 0 pid 46
00:02:19: BR0:1 CHAP: I CHALLENGE id 1 len 29 from "cabanasj"
00:02:19: BR0:1 CHAP: Using alternate hostname cabanasj
00:02:19: BR0:1 CHAP: Ignoring Challenge with local name...
00:02:25: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 01942272230 .
Success rate is 0 percent (0/5)
cabanasj#
00:02:30: BR0:1 CHAP: I CHALLENGE id 2 len 29 from "cabanasj"
00:02:30: BR0:1 CHAP: Using alternate hostname cabanasj
00:02:30: BR0:1 CHAP: Ignoring Challenge with local name
00:02:40: BR0:1 CHAP: I CHALLENGE id 1 len 29 from "cabanasj"
00:02:40: BR0:1 CHAP: Using alternate hostname cabanasj
00:02:40: BR0:1 CHAP: Ignoring Challenge with local name


I think this is stating that chap is still not working but I cannot find any documentation to explain this output.

Does anyone out there understand this and will it help me resolve my situation?

cheers
Nichols (scratching my head ever more frequently at the moment)

P.S. Learning is good but mighty frustrating when it is not as fast as you would like!!!!!
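
Added example, not part of the thread: a small model of the CHAP exchange (RFC 1994, MD5) discussed in the replies and seen in the debug output above, run for three hub setups: one that sends its challenge under the name cabanasj (the posted 4000 BRI1 section carries `ppp chap hostname cabanasj`), one with a mismatched secret, and one with matching names and secrets. The `Router` class and `handshake` function are hypothetical and the secrets are constructed; only the router names come from the posted configurations.

```python
import hashlib, hmac, os, struct

def chap_response(ident, secret, value):
    # RFC 1994 with MD5: hash over identifier || shared secret || challenge value
    return hashlib.md5(bytes([ident]) + secret + value).digest()

def encode_challenge(ident, value, name):
    # Code 1 = Challenge; Length counts code, id, length, value-size, value, name
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

class Router:
    def __init__(self, chap_name, users):
        self.chap_name = chap_name  # hostname, or the "ppp chap hostname" override
        self.users = users          # "username <peer> password <secret>" entries

    def challenge(self, ident):
        return ident, os.urandom(16), self.chap_name

    def respond(self, ident, value, from_name):
        if from_name == self.chap_name:
            # The case logged as "Ignoring Challenge with local name"
            return "ignored: challenge with local name", None
        secret = self.users.get(from_name)
        if secret is None:
            return "no username entry for " + from_name, None
        return "responded", chap_response(ident, secret, value)

    def verify(self, ident, value, response, peer_name):
        secret = self.users.get(peer_name)
        return secret is not None and hmac.compare_digest(
            response, chap_response(ident, secret, value))

def handshake(authenticator, peer):
    ident, value, name = authenticator.challenge(1)
    status, response = peer.respond(ident, value, name)
    if response is None:
        return status
    ok = authenticator.verify(ident, value, response, peer.chap_name)
    return "SUCCESS" if ok else "FAILURE"

# Names follow the posted configurations; the secrets are constructed.
spoke = Router("cabanasj", {"haydock2": b"example-secret"})
hub_as_posted = Router("cabanasj", {"cabanasj": b"example-secret"})
hub_wrong_secret = Router("haydock2", {"cabanasj": b"other-secret"})
hub_matching = Router("haydock2", {"cabanasj": b"example-secret"})

if __name__ == "__main__":
    print(len(encode_challenge(1, bytes(16), "cabanasj")))
    for hub in (hub_as_posted, hub_wrong_secret, hub_matching):
        print(hub.chap_name, "->", handshake(hub, spoke))
```

A 16-byte challenge value with the 8-character name cabanasj encodes to 29 bytes, the same length as the `len 29` challenges in the debug output.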

 