Cisco SOHO97 Router problem

OK. I wiped the config. Tried doing setup again, but still can't access web setup. Doesn't even assign me an ip address.

Either I could do a manual configure or maybe there is something that needs to be fixed for me to connect to the router through ethernet.

I did the initial setup through the console, and the rest in the web interface. The same this time after wiping it, setup the ethernet, but now don't get assigned an ip.
 
OK, it mysteriously started working again. Although I did wipe the config and try to manually set it up using the online guide on the cisco website. Not sure what got it going.

Now I have done some basic configuration manually, and the rest using the web interface to set up the ATM interface, etc.

But I still can't connect to the internet. Strangely, when I go to do a test in the troubleshooting section of the web setup, it passes successfully. It tests the dsl sync and pings the isp. So maybe I need to ring my isp about it? What do you think? I have tried another pc connected to the network which also can't access the internet, but can access the router, just like this computer.

At least I can access the web interface now...
 
Can you post the config and sh ip route output?
 
show ip route:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

118.0.0.0/32 is subnetted, 1 subnets
C 118.90.101.209 is directly connected, Dialer1
58.0.0.0/32 is subnetted, 1 subnets
C 58.28.15.31 is directly connected, Dialer1
10.0.0.0/16 is subnetted, 1 subnets
C 10.10.0.0 is directly connected, Ethernet0
S* 0.0.0.0/0 is directly connected, Dialer1
C 200.200.0.0/16 is directly connected, Loopback0

show run:

Building configuration...

Current configuration : 3259 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname kurma
!
boot-start-marker
boot-end-marker
!
logging buffered informational
enable secret ---
!
username kurma password ---------------
username CRWS_Prem privilege 15 password -------------
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
import all
network 10.10.0.0 255.255.0.0
default-router 10.10.10.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no aaa new-model
!
!
!
!
no crypto isakmp enable
!
!
!
interface Loopback0
ip address 200.200.100.1 255.255.0.0
ip nat outside
!
interface Ethernet0
ip address 10.10.10.1 255.255.0.0
ip access-group 122 out
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 128
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address dhcp
encapsulation ppp
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ---------
ppp chap password --------
ppp pap sent-username ------ password --------
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
ip nat inside source list WORD interface Dialer1 overload
!
!
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
line vty 0 4
exec-timeout 120 0
login
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end

When I was connected the firewall did block an ip a couple of times:

*Mar 1 17:03:30.967: %SEC-6-IPACCESSLOGP: list 111 denied tcp 61.164.126.104(23) -> 118.90.101.209(11000), 2 packets
 
Static route looks good.

Things that immediately strike me as wrong:
loopback0 assigned public IP;
loopback0 assigned NAT outside.

Not as bad things:
Don't see the need for two dialer interfaces.
DHCP lease is set to only two hours.

conf t
int loopback0
no ip nat outside
no ip address
Ctrl-Z

Once that's done, post show ip nat statistics

If you can try pinging from your PC 10.10.10.1, your WAN IP, and 4.2.2.2 and report results, that'd be cool too.
 
Oh, and looks like access list 111 is a hindrance. And do you really need to filter outbound LAN traffic? Let's at least get basic functionality before we start blocking traffic.

conf t
int dialer1
no ip access-group 111 in
int ethernet0
no ip access-group 122 out
Ctrl-Z
 
OK, so when I entered no ip nat outside, I got:
%NAT: Error activating CNBAR on the interface Loopback0

All the other commands went through fine. I remember getting the error somewhere in the past, maybe it was on bootup.

show ip nat statistics:

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Dialer1
Inside interfaces:
Ethernet0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list WORD interface Dialer1 refcount 0

I'll do the pings after I've posted this, as I only have one line.

OK I've done the commands for access lists.

I'll switch the connection to the soho97 now and try the pings. Report back here soon.

Update: ping to router address and wan address was successful, but ping to 4.2.2.2 was unsuccessful.

Here was the sh ip route output when I was just connected:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

118.0.0.0/32 is subnetted, 1 subnets
C 118.90.72.36 is directly connected, Dialer1
58.0.0.0/32 is subnetted, 1 subnets
C 58.28.15.31 is directly connected, Dialer1
10.0.0.0/16 is subnetted, 1 subnets
C 10.10.0.0 is directly connected, Ethernet0
S* 0.0.0.0/0 is directly connected, Dialer1
 
bfisher said:
OK, so when I entered no ip nat outside, I got:
%NAT: Error activating CNBAR on the interface Loopback0

That's ok--I believe the change took regardless, sh run can confirm.

I should have caught this earlier, but NAT is still messed up as well. NAT is relying on a nonexistent list ("WORD") to tell it what traffic to translate. Let's fix that:

conf t
ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 10.10.0.0 0.0.255.255
Ctrl-Z

Check pings and NAT again?
 
Ah hah... It's working.
Ping to 4.2.2.2 went through, and now I'm posting this through the cisco router.

Thanks for your help, jdabbs. What was the problem? Something in the NAT configuration?
 
Now that we have the luxury of hindsight:

first config:
no DHCP
no NAT
no routes configured
no dialer interface/configuration

second config:
ACL 111 overly restrictive: would allow ping back through, and netbios (the last thing you want from the Internet), but web surfing would be impossible. That wouldn't have stopped the routing table from being populated. Not sure what caused the instability problem.

third config:
Similar to second config, but with the addition that NAT was mapped to the wrong interface, and not actively translating traffic (thanks to "WORD" group).

There's a bit of cruft left in your config (like the ACLs), but they're not going to impact operation. They can be removed by no access-list xxx, where xxx is the ACL in question. What you do need to do is save your config to NVRAM, that's done by copy run start. From there you can make changes, and if something breaks, just reboot. I think a DHCP lease of only two hours would get aggravating, I believe it's
conf t
ip dhcp pool CLIENT
lease 7 0
Ctrl-Z

for a week-long lease.

I'm glad you stuck it out to the end. I certainly learned a lot from the experience--my comfort zone w/ IOS is much narrower than I realized. Fortunately things did work out for the best, even if it did take a week.
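
The three faults summed up in the post above (NAT pointing at an access list that does not exist, ip nat outside on a loopback, and NetBIOS permitted inbound on the WAN-facing interface) can be checked for mechanically in a saved show run. This is an added example, not part of the original thread and not a Cisco tool; the function name audit, the check labels and the sample text are made up for illustration, and it assumes "!" separates interface blocks as in the output posted earlier.

```python
import re

# Constructed excerpt modelled on the third config in the thread (relevant lines only).
SAMPLE = """\
interface Loopback0
 ip nat outside
!
interface Dialer1
 ip access-group 111 in
 ip nat outside
!
ip nat inside source list WORD interface Dialer1 overload
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 deny ip any any log
"""
NETBIOS = {"137", "138", "139", "netbios-ns", "netbios-dgm", "netbios-ss"}

def audit(config):
    """Return sorted (check, detail) findings for the three faults named in the thread."""
    acls, nat_out, acl_in, nat_rules, iface = {}, set(), {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":
            iface = None                      # "!" ends an interface block
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "ip nat outside" and iface:
            nat_out.add(iface)
        elif (m := re.match(r"ip access-group (\S+) in$", line)) and iface:
            acl_in[iface] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_rules.append(m.groups())
        elif m := re.match(r"access-list (\S+) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"ip access-list \S+ (\S+)", line):
            acls.setdefault(m.group(1), [])   # named ACL header counts as defined
    found = []
    for acl, _ in nat_rules:
        if acl not in acls:                   # NAT matches no traffic, nothing is translated
            found.append(("nat-acl-undefined", acl))
    for name in nat_out:
        if name.lower().startswith("loopback"):
            found.append(("nat-outside-on-loopback", name))
    for name, acl in acl_in.items():          # inbound ACLs on NAT-outside interfaces only
        for rule in acls.get(acl, []) if name in nat_out else []:
            if rule[0] == "permit" and NETBIOS & set(rule):
                found.append(("netbios-permitted-inbound", f"{acl}: {' '.join(rule)}"))
    return sorted(found)
```

Calling audit(SAMPLE) reports the undefined list WORD, Loopback0, and the two NetBIOS permit lines in list 111; the same function accepts the unindented show run text as pasted in this thread.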
 
OK.

I've since worked out the online installation manual a bit more, found here: http://www.cisco.com/en/US/docs/routers/access/800/820/software/configuration/guide/Preface.html

I can see what I missed before. When I configured the router manually last time I started from the Basic Router Configuration section, whereas I should have started at the section beforehand, which contained some of the commands I missed.

There's a bit of cruft left in your config (like the ACLs), but they're not going to impact operation. They can be removed by no access-list xxx, where xxx is the ACL in question.

Which access lists need to be removed?
 