Cisco 877W ADSL Setup

[dewdneys]

Hi folks

Got a working ST 330 DSL connection, but want to go wireless so bought a Cisco 877W; however I'm having a bit of a nightmare setting it up to talk to my ISP (Orange)...wondered if anyone could help? This should have been the easy bit!

Got the PC to talk to the Router no problem & Orange helpfully tell me that I need:
encap. PPP over ATM
Multiplex. VC-based
VPI=0, VCI=38
Modulation - multimode
Auth = CHAP

So set up the ATM port as PPPoA AAL5MUX 0/38, CHAP with my orange username etc.

1st problem - don't know if should be using IP negotatiated (think so as diagnostics get the furthest here) or Dyn IP (looks for DHCP server, but no IP assigned to interface)...

Diag report for IP neg indicates that the ATM got an IP address - good, but checking exit interface test failed - "Exit Interface not found"

Report helpfully tells me the following...
"To test connectivity, SDM tries to ping the configured DNS servers. However, there is no configured route to any of the DNS servers through the selected interface. Select 'User-specified' option or add a 'host specific/network specific/default' route through this interface and retest connection. "

Fair enough, but how!

Suspect whatever the answer is will be the missing step to getting my PC to access the internet.

I entered the DNS servers as static addresses based on the Orange DNS server IPs provided.

Feeling slightly stupid now, but any suggestions on what to try?

many thanks
Simon

[hbroomhall]

I thought I'd look that unit up. When I saw the price I nearly fell off my chair! Nearly 10X the price I would expect to pay for home use these days!

To rub salt into the wound - there seem to have been issues with this unit on UK ADSL connections, and people are suggesting upgrades to IOS plus some patches.

As this unit is new I'd suggest that you go back to where you bought it and get them to set it up for you, or demonstrate it working.

Harry.

[hbroomhall]

I see that jodsclass has set one of these up - see the thread here.

Might be worth dropping him a PM.

Harry.

[dewdneys]

Thanks Harry - there's hope then!

[Spice_Weasel]

Post your config, with any sensitive bits changed (username, password, etc). If you are getting an ip address assigned, it appears from the bit you posted that you don't have a route to your dns servers, in particular no default route, which is all you really need for a simple home setup. Your default route should generally point out the dialer interface. But a copy of your current config will make it much easier to help.

Spice_Weasel

[EvilDaz]

Hi

This should work. This assumes you are using the network 192.168.0.0/24 with the router IP 192.168.0.1.
Just ammend / replace anything in between <>'s as you need
Also add other IP's to access list 1 for external access to the router. Let me know if you want any Port Mappings added:

Code:

no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname <hostname>
!
enable secret <password>
username <username> password <password>
no aaa new-model
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ftp-server write-enable
!
interface vlan1
 description <description>
 ip address <192.168.0.1> <255.255.255.0>
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 description <description>
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp chap hostname <adsl username>
 ppp chap password <adsl password>
!
ip nat inside source list 100 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
access-list 1 permit <external ip address to access telnet from> <mask>
access-list 100 permit ip <192.168.0.0> <0.0.0.255> any
!
line con 0
 password <console password>
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 password <telnet password>
 login
!
scheduler max-task-time 5000
!
end

Let me know if it doesn't work.

Daz

[dewdneys]

Guys - thanks for the replies, sorry for the slow response back, but I've been away on business.

First off, tried the default route as suggested by Spice Weasel - this has some success as now the router can ping both the DNS server and my laptop. Sadly the laptop is not getting beyond the router at present!

Next had a look at your config EvilDaz - most of it seems to be covered by the more complex config created by my route config software (SDM) with the exception of the access-lists (intend to take up the good advice as set within here once I've got the thing working) and in the Dialer0 section you have "ip nat outside" followed by "ip nat inside source list 100 interface Dialer0 overload" just before the default route entry...not sure what this does?

Anyway, I've attached my config and the current route table from the router...hopefully will cast some light for you on what's going on.

many thanks
Simon

[Spice_Weasel]

dewdnys - currently you have no nat configured. Your internal hosts can send packets outbound, but they will be dropped by your isp as the source address will be a private ip.

Configuring nat is fairly easy - you need an inside interface, an outside interface and a way of deciding what gets natt'ed.

For example:

The interfaces participating in NAT:
int bvi1
ip nat inside

int dialer0
ip nat outside


Selecting traffic to NAT:
ip nat inside source route-map nonat int di0 over

route-map nonat permit 10
match ip address 100

access-list 100 permit ip 1.2.3.0 0.0.0.255 any

You can also use the nat from EvilDav's sample config, it is a bit simpler than above, but I tend to like using a route-map. Either will work fine.

ip nat inside source list 100 interface Dialer0 overload
access-list 100 permit ip <192.168.0.0> <0.0.0.255> any


That should get you going. One thing - please put an access list on your vty lines, right now anyone can log in to your router:

access-list 15 per 1.2.3.0 0.0.0.255
access-list 15 deny any log

line vty 0 4
access-class 15 in

Also, use ssh only:

line vty 0 4
transport input ssh

Also, if you are not using the wireless make sure it is shutdown. If you are using it we can give you a proper config for the wireless portion to use at least wpa.

After you have a working setup there are a few things that can be added to improve the configuration.

Spice_Weasel

[dewdneys]

Thanks for this guys - and the explanation of what NAT is all about...I'll give it a try this evening and let you know how I get on.

cheers
Simon

[dewdneys]

nice one -thanks for all your advice.

configured Default route and NAT and all works hunky dorey. Even set up Wireless configuration without any problems.

The Cisco SDM works well in terms of setup once you know which elements to set up. Not sure if the firewall is working yet, but seems fine. Amusingly, when I set it to high (filters out malformed HTM), the BBC news pages stop working!

Anyway, everything inside my network now wireless and talking to the router, although I have a slight glitch with connecting to my wireless printer - suspect that's a firewall issue though.

thanks again & keep up the good work.
Simon

[turbolad]

Sorry to piggy back this thread but didn't see the point of a new thread as the problem is so similar to mine.

I'm new to cisco gear, I've just had two cisco 877 Routers thrown at me by the boss.

I'm using Cisco SDM as I have little CLI experience.

Basically I can connect to router through a browser and use SDM to configure but cannot get any Internet access on the pc I have connected without using an IP. I can ping a web IP address (not a name) through the routers ping option and PC - so I am connected to my ISP.

I think my issues are; no DNS configured on the router and no proper default route but I dont have a clue how to get them working. Here is my running config> (excuse me if there is useless information in there)
Building configuration...

Current configuration : 4698 bytes
!
! Last configuration change at 15:21:25 PCTime Wed Oct 17 2007 by admin
! NVRAM config last updated at 15:06:47 PCTime Wed Oct 17 2007 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$KFpQ$dQ72q.s8K.wqBz278Ng9X0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-633710060
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-633710060
revocation-check none
rsakeypair TP-self-signed-633710060
!
!
crypto pki certificate chain TP-self-signed-633710060
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36333337 31303036 30301E17 0D303630 37313831 32353433
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3633 33373130
30363030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AA7E0863 1E016995 7504E293 F1657305 038E1541 E3DDC119 D2ABDB92 4FE9BEB6
9C209590 926C9815 0B264D4D 164160E0 AA2B0174 E7D762FB C26EF9E1 70069858
3FF684A6 69B2146F 408CEBA5 58C1E2DB D82DE653 C739268F C00138CD 97BCDB25
6123FA2A 298A8362 8F0210EF EF555863 5EAB79C6 D7391AD4 204BB01E D677FD95
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F
0603551D 23041830 16801471 AF934650 7D2ACCFA 3F914931 0D98CA52 A6FB4D30
1D060355 1D0E0416 041471AF 9346507D 2ACCFA3F 9149310D 98CA52A6 FB4D300D
06092A86 4886F70D 01010405 00038181 003D7256 7B2874F5 B6428DDC 95139A92
B8764E65 6D01527A 09E90068 6084B420 BCC41F7B 49A2A950 6C0D7C2D F4E0C7A7
A3145256 E702D88F 25C95302 7F94F6B9 9D97F4F3 A3C11AD2 44B4F426 46B3D7BF
82CCBDC6 A0DCA3E5 656140F8 59B284CB 8CD9D6B1 D20D12D1 63A42919 7807D655
CC395D16 4CAFE02D D70D772D 72DAF1B7 4B
quit
username admin privilege 15 secret 5 $1$wxN1$CvEW8ZXlCmZ.W3QY2g6Je.
!
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email]************
ppp chap password 7 **********
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

[BosonMichael]

Can you ping anything on the Internet from your PC?

[turbolad]

I can ping via the pc and access the website through a browser using the IP.

Also if I add primary and secondary dns settigns into windows ip configuration then everything works fine.

I just cant seem to get them onto the router so that the pc can use those.

[Spice_Weasel]

Your config looks good but you need a dns server entry in your dhcp setup. You have this configured:

ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1

You will need to specify a dns server, e.g.:

ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server a.b.c.d <-- for example, isp dns server
domain-name something.whatever <-- you might also want a domain name assigned. Optional, not needed.

You pc should be able resolve names after you release and renew your dhcp ip address. Your router will not resolve names since no ip domain lookup has been configured, which is usual.

Spice_Weasel

[BosonMichael]

Spicey's correct... that'll do it.