Ch02: Configuring Cisco DSL Routers

From Linux Home Networking
Revision as of 06:34, 17 November 2010 by Admin


Introduction

This is a simple guide on how to set up your Cisco DSL router for DHCP using PPPoE. The examples in this chapter also show how to configure NAT so you can also have a home / SOHO based website. This page should be suitable for the following Cisco routers:

With Built In DSL Modems

  • 800 series
  • 1700 / 2600 / 3600 series with the ADSL WIC installed

With External DSL Modems

  • 1700 / 2600 / 3600 series

Network Address Translation (NAT)

Network address translation is a method used to help conserve the limited number of IP addresses available for Internet use. The Introduction to Networking page explains the concept in more detail, along with other fundamental topics. We will return to NAT, specifically how to configure it, later on this page, but first a very basic introduction on how to configure and use the router from its command line.

Introduction to accessing the router command line

There are many ways to access the command line. Here are a few.

Via The Console Port

Your Cisco router will come with a console cable that will allow you to configure it using terminal emulation software such as Hyperterm. Once you've set up your router with an IP address you'll be able to access it via Telnet.

Via Telnet

  • One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the router "ciscorouter" has the IP address 192.168.1.1:
# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 ciscorouter
192.168.1.100 bigboy mail.my-site.com
  • Once connected to the network you can access the router via telnet
[root@bigboy tmp]# telnet ciscorouter
Trying 192.168.1.1...
Connected to ciscorouter.
Escape character is '^]'.
  • You'll be prompted for a password and will need another password to get into the privileged "enable" mode. If you are directly connected to the console, you should get a similar prompt too. There is no password on a fresh, out-of-the-box Cisco router, and simply hitting the "Enter" key will be enough.
User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscorouter> enable
Password: ********
ciscorouter#
  • Use the "show running" command to see the current configuration. You will want to change your "password" and "enable password" right after completing your initial configuration.
ciscorouter# show run
Building configuration...
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname ciscorouter
!
no logging console
no logging monitor
logging trap debugging
...
...
...
  • ALL router configuration commands need to be entered in configuration mode, by issuing the "configure terminal" command from the enable mode prompt.
ciscorouter# conf t
ciscorouter(config)# "Enter commands here"
ciscorouter(config)# exit
ciscorouter#
  • You can usually delete commands in the configuration by adding the word "no" to the beginning of the command you want to delete. Some commands that can only have a single value won't accept a "no" to change them and will simply be overwritten when you issue the new command.

In the example below, we change the router's name and then delete one of its many access control list (ACL) entries.

ciscorouter# conf t
ciscorouter(config)# no access-list 150 deny ip host 10.1.2.1 host 10.3.2.5
ciscorouter(config)# hostname soho-router
soho-router(config)# exit
soho-router#
  • One of the first things you should do is change the default passwords for the router.
ciscorouter# conf t
ciscorouter(config)# enable secret "enable password here"
ciscorouter(config)# line con 0
ciscorouter(config-line)# password "console password here"
ciscorouter(config-line)# line vty 0 4
ciscorouter(config-line)# password "telnet password here"
ciscorouter(config-line)# ^z
ciscorouter#
  • When you've finished configuring, you can permanently save your changes by using the "write memory" command:
ciscorouter# wr mem
 Building configuration...
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
ciscorouter#

Sample Configurations

Here are some sample configurations that should be instructive.

DSL Router With Built-In Modem - DHCP

  • DHCP over DSL requires you to get a PPPoE username and password from your ISP. Most ISPs have a homepage where you can register to get them; ask customer service for the URL. Substitute this username and password for the PPP "username" and "password" listed below.
  • Cisco IOS doesn't support DHCP DSL and NAT. If this is the case for your router, then putting an Internet accessible web server on your home network would be impossible using the routers mentioned above in this configuration.
  • Here is a sample configuration for a Cisco home router. Some of the commands listed are part of Cisco's default settings. Do the "show run" command before starting to configure your router to see what commands you'll really need.
  • Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration.
!
vpdn enable
no vpdn logging
 
!--- Configure the router's PPPoE client so that it
!--- can setup a session with the ISP
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 
!--- Configure the home / SOHO network interface's
!--- IP address
!--- The "ip nat" statement tells your router that
!--- this interface:
!--- 1) uses NAT
!--- 2) is the inside "private" interface
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 
!--- Configure the DSL interface
!--- Your ISP may provide you with a different pvc
!--- value, not necessarily "1/1"
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 1/1
  pppoe-client dial-pool-number 1
 
 
 
!--- Cisco prefers to run the PPPoE client on a virtual
!--- "dialer" interface
!--- This is tied to the real ATM DSL interface with the
!--- "dialer pool" command. The default ethernet MTU
!--- size has been reduced from 1500 to accommodate
!--- the PPPoE header overhead.
!
!--- The "ip nat" statement tells your router that
!--- this interface:
!--- 1) uses NAT
!--- 2) is the outside "public" interface
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 
!--- Here are the commands to configure authentication
!--- with your ISP. This example uses the "CHAP"
!--- method.
!--- Commands for using the "PAP" method are included at
!--- the end of this box
!
 ppp authentication chap callin
 ppp chap hostname <username>
 ppp chap password <password>
!
 
 
!--- Tells the router to NAT all traffic that passes
!--- through it:
!--- 1) From the inside to the outside,
!--- 2) And whose IP address is in the 192.168.1.0 network
!---    as given in access list 1
!--- 3) Giving it an outside "public" address that is the
!---    same as interface Dialer1 gets from the PPPoE
!---    connection
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 dialer1
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255

  • If your ISP tells you that you need to do the PAP, and not the CHAP, type of authentication then you'll have to replace the lines:
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password <password>

with only these two:

ppp authentication pap callin
ppp pap sent-username <username> password <password>

DSL Router With Built-In Modem - Static IP

Here is a sample configuration for a Cisco home router with a built-in modem. Some of the commands listed are part of Cisco's default settings. Do the "show run" command before starting to configure your router to see what commands you'll really need.

  • This example also shows how to use NAT so you can have a web server / mail server / FTP server etc. in your home network.
  • Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration.


Current Configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname ciscorouter
!
ip subnet-zero
no ip domain-lookup
!
bridge irb
 
!--- Configure the home / SOHO network interface's IP address
!--- The "ip nat" statement tells your router that this
!--- interface:
!--- 1) uses NAT
!--- 2) is the inside "private" interface
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
 encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
!
!--- Cisco prefers to run the PPPoE client on a virtual
!--- "BVI" interface
!--- This is tied to the real ATM DSL interface with the
!--- "bridge-group" command above.
!--- (The BVI number always matches the bridge-group number)
 
!--- The "ip nat" statement tells your router that
!--- this interface:
!--- 1) uses NAT
!--- 2) is the outside "public" interface
!
interface BVI1
 ip address 97.158.253.25 255.255.255.248
 ip nat outside
 
!--- Tells the router to NAT all traffic that passes
!--- through it:
!--- 1) From the inside to the outside,
!--- 2) And whose IP address is in the 192.168.1.0 network
!---    as given in access list 1
!--- 3) Must get an outside "public" address that is the
!--- same as interface BVI1
!
ip nat inside source list 1 interface BVI1 overload
 
!--- This statement performs the static address
!--- translation for the Web server. With this statement,
!--- users trying to reach 97.158.253.26 port 80 (www) will be
!--- automatically redirected to 192.168.1.100 port 80
!--- (www), which in this case is the Web server.
!---
!
ip nat inside source static tcp 192.168.1.100 80 97.158.253.26 80 extendable
!--- Set your default gateway as provided by your ISP
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.158.253.30
!
access-list 1 permit 192.168.1.0 0.0.0.255
 
bridge 1 protocol ieee
bridge 1 route ip
!
end
 

DSL Router With External Modem - Static IP

  • Here is a sample configuration for a Cisco home router with an external modem. Some of the commands listed are part of Cisco's default settings. Do the "show run" command before starting to configure your router to see what commands you'll really need.
  • This example also shows how to use NAT so you can have a web server / mail server / FTP server etc. in your home network.
  • Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration.
Current Configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname ciscorouter
!
ip subnet-zero
no ip domain-lookup
!
 
!--- Configure the home / SOHO network interface's IP address
!--- The "ip nat" statement tells your router that
!--- this interface:
!--- 1) uses NAT
!--- 2) is the inside "private" interface
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 
 
!
interface Ethernet1
 ip address 97.158.253.25 255.255.255.248
 ip nat outside
 
!--- Tells the router to NAT all traffic that passes
!--- through it:
!--- 1) From the inside to the outside,
!--- 2) And whose IP address is in the 192.168.1.0 network
!---    as given in access list 1
!--- 3) Must get an outside "public" address that is the
!---    same as interface ethernet1
!
ip nat inside source list 1 interface ethernet1 overload
 
!--- This statement performs the static address translation
!--- for the Web server.
!--- With this statement, users trying to reach 97.158.253.26
!--- port 80 (www) will be automatically redirected to
!--- 192.168.1.100 port 80 (www), which in this case
!--- is the Web server.
!---
!
ip nat inside source static tcp 192.168.1.100 80 97.158.253.26 80 extendable
 
!--- Set your default gateway as provided by your ISP
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.158.253.30
 
!
access-list 1 permit 192.168.1.0 0.0.0.255
 
!
end

Other NAT Topics

Commonly Used TCP And UDP Ports

Here are some additional TCP ports you may be interested in for NAT "ip nat inside source static" statements:

Protocol       Port      Type
FTP            20, 21    TCP
SMTP Mail      25        TCP
POP3 Mail      110       TCP
HTTPS / SSL    443       TCP
DNS            53        UDP
  • So for example, the command for SMTP mail would be:
ip nat inside source static tcp 192.168.1.100 25 97.158.253.26 25
  • DNS requires a UDP type NAT statement such as:
ip nat inside source static udp 192.168.1.100 53 97.158.253.25 53
  • To have all traffic trying to reach 97.158.253.26, regardless of port, NAT-ted to 192.168.1.100, you can use the command:
ip nat inside source static 192.168.1.100 97.158.253.26

How To Verify That NAT Is Working Correctly

You can use the show ip nat translation command to determine whether NAT is actually occurring as expected:

ciscorouter> enable
Password: ********
ciscorouter#show ip nat translation
Pro Inside global     Inside local      Outside local      Outside global
tcp 97.158.253.26:80  192.168.1.100:80  --- ---
tcp 97.158.253.26:80  192.168.1.100:80  67.34.217.6:5698  67.34.217.6:5698
ciscorouter#

Cisco uses the following terms for the various IP addresses you'll find in any NAT translation process.

  • The Inside local address is the actual IP address of the local server on your home network.
  • The Inside global address is the IP address of the server presented to the Internet after NAT.
  • The Outside local address is the actual IP address of the remote computer on its local network.
  • The Outside global address is the IP address of the remote computer as presented on the Internet.

As you can see, in this case NAT seems to be functioning properly for the web server 192.168.1.100 on the home network.
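Reading the translation table by eye is fine for one server, but a script can confirm the expected static entry and list the remote hosts using it. This is an added example, not code from the original page: SAMPLE is a constructed copy of the show ip nat translation output above, and the function names are this example's own.

```python
"""Parse 'show ip nat translation' output and check the web server mapping.

Added example, not part of the original page. SAMPLE is a constructed
copy of the page's sample output; the function names are this example's own.
"""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global")

# Constructed sample output, modelled on the table shown on this page.
SAMPLE = """\
Pro Inside global     Inside local      Outside local      Outside global
tcp 97.158.253.26:80  192.168.1.100:80  --- ---
tcp 97.158.253.26:80  192.168.1.100:80  67.34.217.6:5698  67.34.217.6:5698
"""


def parse_translations(text):
    """Return one Translation per data row; '---' fields become None."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header line, prompt, or blank line
        rows.append(Translation(*[None if f == "---" else f for f in fields]))
    return rows


def static_entry_present(rows, inside_global, inside_local, proto="tcp"):
    """True if the static entry (no outside half yet) is in the table."""
    return any(r.proto == proto and r.inside_global == inside_global
               and r.inside_local == inside_local
               and r.outside_local is None and r.outside_global is None
               for r in rows)


def active_sessions(rows, inside_global):
    """Remote sockets currently translated to this inside global socket."""
    return sorted({r.outside_global for r in rows
                   if r.inside_global == inside_global and r.outside_global})


def unexpected_static(rows, allowed):
    """Static entries whose (inside global, inside local) pair is not in
    'allowed': a port forward you did not intend to publish."""
    return [r for r in rows if r.outside_global is None
            and (r.inside_global, r.inside_local) not in allowed]


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(static_entry_present(table, "97.158.253.26:80", "192.168.1.100:80"))
    print(active_sessions(table, "97.158.253.26:80"))
```

Paste the real output of show ip nat translation in place of SAMPLE; unexpected_static is the check worth running after every configuration change, since a forgotten static statement is a published service.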

How To Troubleshoot NAT

To troubleshoot NAT after you have logged into the router via Telnet, first activate logging to the Telnet terminal with the terminal monitor command, and then use the debug ip nat detailed command to watch the translation process. The example below shows that translation occurs for port 80 traffic (HTTP / www) from address 97.158.253.26 to 192.168.1.100, and more specifically that remote host 67.34.217.6 was communicating with the inside global address of 97.158.253.26.

ciscorouter> enable
Password: ********
ciscorouter#term mon
ciscorouter#debug ip nat detailed
IP NAT detailed debugging is on
ciscorouter#
03:29:49: NAT: creating portlist proto 6 globaladdr 97.158.253.26
03:29:49: NAT: Allocated Port for 192.168.1.100 -> 97.158.253.26: wanted 80 got 80
03:29:49: NAT: o: tcp (198.133.219.1, 5698) -> (97.158.253.26, 80) [0]
...
...
...

Basic Troubleshooting Topics

There are many things you can do to troubleshoot your router when it doesn't work. Here are a few.

The "show interfaces" Command

The show interfaces command will show you the basic status of the router's interfaces. I've included some sample output below:

ciscorouter>show interface
Ethernet0/0 is up, line protocol is up
 Hardware is AmdP2, address is 0008.e3a0.7e80 (bia 0008.e3a0.7e80)
 Internet address is 172.16.1.1/24
 MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output 00:00:00, output hang never
 Last clearing of "show interface" counters never
 Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue :0/40 (size/max)
 5 minute input rate 0 bits/sec, 1 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
    303 packets input, 19256 bytes, 0 no buffer
    Received 13 broadcasts, 0 runts, 0 giants, 0 throttles
    1 input errors, 1 CRC, 1 frame, 0 overrun, 0 ignored
    0 input packets with dribble condition detected
    60718 packets output, 5770201 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out
...
...
...
ciscorouter>

Your basic physical connectivity should be OK if the interfaces are seen as being in an "up" state with line protocol being "up". If line protocol is down, you probably have your router incorrectly cabled to the Internet or your home network.

If the interfaces are seen as "administratively down", then the router configuration will most likely have the interfaces configured as being "shutdown" like this:

...
...
...
interface ethernet0
 shutdown
...
...

This can be easily corrected. First use the "show running" command to confirm the shutdown state. Then you should enter "config" mode and enter the "no shutdown" command. Here is an example for interface ethernet0.

ciscorouter(config)# interface ethernet0
ciscorouter(config-if)# no shutdown
ciscorouter(config-if)#end
ciscorouter# write memory

The "show interfaces" command is also important because it shows whether you have the correct IP addresses assigned to your interfaces, as well as the amount of traffic and the number of errors associated with each.
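The three states described above (up/up, line protocol down, administratively down) and the error counters can be checked programmatically. This is an added example, not code from the original page: SAMPLE is a constructed excerpt modelled on the show interfaces output above, and the function names are this example's own.

```python
"""Classify interfaces from 'show interfaces' output.
Added example, not from the original page: SAMPLE is a constructed
excerpt modelled on the page's output; the function names are my own."""
import re

# Constructed sample: a working interface and one that was left shut down.
SAMPLE = """\
Ethernet0/0 is up, line protocol is up
  Internet address is 172.16.1.1/24
     1 input errors, 1 CRC, 1 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 2 interface resets
Ethernet1 is administratively down, line protocol is down
  Internet address is 97.158.253.25/29
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
ADDRESS = re.compile(r"Internet address is (\S+)")
IN_ERRORS = re.compile(r"(\d+) input errors")
OUT_ERRORS = re.compile(r"(\d+) output errors")


def parse_interfaces(text):
    """Return {name: {status, protocol, address, input_errors, output_errors}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # interface header lines start in column 0; detail lines are indented
            current = {"status": m.group(2), "protocol": m.group(3),
                       "address": None, "input_errors": 0, "output_errors": 0}
            result[m.group(1)] = current
        elif current is not None:
            for key, rx in (("address", ADDRESS), ("input_errors", IN_ERRORS),
                            ("output_errors", OUT_ERRORS)):
                m = rx.search(line)
                if m:
                    current[key] = m.group(1) if key == "address" else int(m.group(1))
    return result


def diagnose(interfaces):
    """Map each interface to the troubleshooting step this page gives for its state."""
    advice = {}
    for name, i in interfaces.items():
        if i["status"] == "administratively down":
            advice[name] = "shutdown in config: enter 'no shutdown' under the interface"
        elif i["status"] != "up" or i["protocol"] != "up":
            advice[name] = "line protocol down: check the cabling to the ISP or LAN"
        elif i["input_errors"] or i["output_errors"]:
            advice[name] = "up/up but counting errors: check the cable and the far end"
        else:
            advice[name] = "ok"
    return advice
```

Run diagnose(parse_interfaces(text)) on the captured output of show interfaces; an interface reported as "ok" still needs its address checked against what the ISP gave you.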

Using syslog

A really good method for troubleshooting access control lists (ACLs) and also to view the types of methods people are using to access your site is to use syslog. The Ch05 Troubleshooting Linux with syslog chapter explains how to configure a Linux server as a centralized syslog server. The appendix has sample syslog configurations for the PIX.

Other Things To Check

Always make sure your router has a:

  • correct default route. The default route is the one with all the zeros.
ciscorouter>sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 97.158.253.30 to network 0.0.0.0

    192.168.0.0/24 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Ethernet1
S*   0.0.0.0/0 [1/0] via 97.158.253.30
ciscorouter>
  • default gateway that you can "ping". In the case above the gateway is 97.158.253.30.