Setting up a Cisco 2811 IS Router at Home

[Nerwin]

I have a Cisco 2811 Integrated Service Router and I been trying to use it to replace my Netgear SOHO Wireless Router with my new Cisco 2811.

I haven't really done this since school, about 2 years ago, so I don't remember a lot. What I should do is pull out my notes and review them again.

Anyways, So far I can ping google, my website, yahoo, etc. From the router. But I can not browse the web on a computer I have connected to it. FastEthernet0/0 is connected to the Modem and FastEthernet0/1 is connected to a computer.

I set up FastEthernet0/0 for DHCP and it does grab the IP address from Comcast.

Now, I set up FastEthernet0/1 DHCP also and the computer it is connected to picks a ip address, dns server, the gate, etc.

But I can't browse the web.

I haven't done this for a while so if someone could tell me what i'm doing wrong! I would really appreciate it.

If you need anymore info, please ask me.

Thanks guys, In the meantime i'll look at some guides, but I wanted to post a topic just for a fast solution, though I do have a couple months before I want to implement this into my network, but right now I am just testing it to see if it will work.

[macrohard]

Comcast has always given me the shivers.....

I guess the first couple of questions are, what OS are you running? Are there any proxy configs that are setup in the browsers you have?

[Nerwin]

Well the machine that is connected to the router is Windows XP, Which is basically my test box.

Also, no I don't have any proxy configs set up within the browsers.

I know theres I way to do it, I just don't remember how.

[macrohard]

I know that you said that you could ping from the router going outbound, can you open a command prompt and ping from the XP box to say Yahoo or Google?

If you cant ping past the router, then there is a issue in the way the router config is set up. I'd have to remember myself on Cisco, its been a bit.

[Nerwin]

Yeah same here, it's been 2 years since I touched a router like this.

But I can't ping past the router.

[macrohard]

Okay this is what your attempting to do I believe, you wan FastEth0 on the router to connect to the ISP, FastEth1 to your internal LAN:

Documentation Link

Configure router as DHCP client using external modem (#10953)

Suggested prerequisite reading:

»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL internet connections, the ISPs inform their customers (subscribers) to set their router to receive IP address from them automatically. This means that the ISPs treat their subscriber's router as DHCP client.

When this is your case, then the following sample configuration is a good starting point to help you configure the router. Though the example uses 2514 router, the configuration applies to any router that uses or has two Ethernet interfaces for connection (one for WAN or facing the ISP, and another for LAN or facing your computers).

Typical network environment that might utilize following sample router configuration is as follows

* There is a modem in front of the router, which the modem connects to the ISP

* ISP is providing Public IP address to the router via DHCP

* The WAN interface (in this sample configuration, the Ethernet0) receives the ISP-provided Public IP address via DHCP process between the router and the ISP network.

* There is NAT/PAT in place on the router to translate internal IP addresses to the ISP-provided Public IP address

* All internal IP addresses are NAT/PAT-ed to the ISP-provided Public IP address (or to the Ethernet0 interface IP address)

* The router is also acting as DHCP server, which provide dynamic IP info for hosts behind the router

Note:

Keep in mind that there are two DHCP process on this sample configuration. One is between your ISP and the router, and another is between the router and machines within your LAN. Your ISP would hand out specific IP address (i.e. 1.1.1.1) where your router would hand out completely different IP address for internal usage.

As mentioned, this sample configuration uses Ethernet0 interface as the WAN interface that receives the ISP-provided Public IP address via DHCP process between the router and the ISP network. You can however use any available and possible interface on your router, either Ethernet1, FastEthernet0/0, or GigabitEthernet1/0. When you do not use the exact same interface as sample configuration showed, make sure that you make necessary adjustment to fit your configuration.

This sample router configuration assumes the followings

* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24

* All of the hosts' gateway would be the router inside interface IP address: 192.168.1.1

* The IP address range of 192.168.1.31-192.168.1.254 would be available for DHCP pool client

* The IP address range of 192.168.1.2-192.168.1.30 would be reserved for statically-assigned hosts, consequently

* The DHCP clients would also receive DNS IP addresses of 4.2.2.5, 4.2.2.6, and 4.2.2.66 automatically as part of the dynamically assigned IP address process

* When all hosts behind the router go out to the Internet, the hosts would be using the router outside interface IP address (which is the ISP-assigned Public IP address)

Note:

* The DNS server IP addresses used here are 4.2.2.5, 4.2.2.6, and 4.2.2.66 which may not reflect your ISP DNS server IP addresses. To match your ISP DNS server IP addresses, simply replace those IP addresses with your ISP DNS server IP addresses.

SAMPLE CONFIGURATION

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Router

!

!

ip subnet-zero

no ip finger

ip dhcp excluded-address 192.168.1.1 192.168.1.30

!

ip dhcp pool insideDHCP

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 4.2.2.5 4.2.2.6 4.2.2.66

!

!

!

!

!

interface Ethernet0

description Facing the ISP (the WAN)

ip address dhcp

ip nat outside

!

interface Ethernet1

description Facing my LAN

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Serial0

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

ip nat inside source list 1 interface Ethernet0 overload

ip classless

no ip http server

!

access-list 1 permit 192.168.1.0 0.0.0.255

!

!

line con 0

exec-timeout 0 0

password 7 104308100F1E1C0C

logging synchronous

login

transport input none

line aux 0

password 7 082C4D4703100B10

login

line vty 0 4

password 7 050607062B45400E

login

!

end

Some DHCP discussions.

»[Config] my verizon DSL and cisco 2514 configuration

»[HELP] 2650XM Config for RR

Note:

* Watch the exclusion of the gateway of the last resort command (ip route 0.0.0.0 0.0.0.0). This command is not needed for dynamic public IP address assignment via DHCP since that's the whole point of using DHCP.

* Some ISP lock down IP address assigning mechanism off their IP address pool with certain MAC address. When this is the case, you may want to inform your ISP to replace the MAC address with the correct one (which is your router WAN interface MAC address) or "clone" MAC address from the working one into the router. Check out the following thread for illustration

»[help] 851W and ISP DHCP

I think this is what your looking at, in principal on the router config.

[bobdole369]

lulz - I actually started working on the config help here when this thread was at just the OP and the next guy :) Good help from the guys above.

If you want specifics, your gonna have to get more specific.

You need to use IOS to tell the cisco how to work. It doesn't "just work".

Specifically:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 x.x.x.x (the IP on the WAN side)

ip route x.x.x.x 255.255.255.x FastEthernet0/1 x.x.x.x (first set = LAN subnet, second x = subnet mask of LAN subnet, 3rd set is IP address of interface on FastEthernet0/1)

This tells the 2811 where everything is, and is the foundation to your router.

In most cases you will want to specify everything, including what ports are available (meaning source and destination ports, IP addresses, etc), but it seems like you want to use the 2811 like a consumer router - i.e. everything on the LAN subnet is allowed out, and already connected stuff is allowed back in.

You'll need the following:

ip nat pool (name_of_pool) x.x.x.x y.y.y.y prefix-length z

(name is anything, x is WAN IP range start, y is WAN IP range end - can be equal (/31), z is the / length of your address range in total. Most often 31

ip nat inside source list (ACL#) pool (name_of_pool) overload

(ACL# is the access list defining local addresses allowed to use this resource), (name_of_pool is the same name as above) overload indicates the type of translation (PAT here)

access-list (ACL#) permit ip host x.x.x.x any

(ACL# is the same as above, you make it up - x.x.x.x is the allowed host - use IOS ACL nomenclature to define the ACL)

Once done, you can do whatever you want from inside and have it work on the outside.

This is quite helpful:

http://www.cisco.com/en/US/tech/tk648/tk36...0800e523b.shtml

Post up the output from

sh running-config

if you would (censored of course)

[macrohard]

The only thing I wonder about is if Nerwin would have to clone the MAC add of the WAN interface. (Being that Comcast is who it is, I wouldn't be surprised)

[bobdole369]

The only thing I wonder about is if Nerwin would have to clone the MAC add of the WAN interface. (Being that Comcast is who it is, I wouldn't be surprised)

I've had that happen both ways believe it or not. At my mother in laws, she MUST have a particular MAC or have them update it. At my place, any MAC works. Different cable networks (physical lines) as its in neighboring municipalities, but both Comcast.

[digip]

I haven't read through all the config file above, but sounds to me like you need to set up NAT, Gateway for the router itself and DNS. Also, I have to think for a sec, but wouldnt you need a crossover with that type of Eth port on the router? A switch to pc use straight cable, and switch to router use stratight cable, but pc to router, I think need a crossover, because the ports are already switched(the same).

[macrohard]

It's just me, but I too would throw in a layer-2 switch in between the router and the test PC........

[digip]

Switch isnt exactly needed, just the correct cabling from PC to Router and from Router to Modem + correct config on router itself for DNS, Gateway and NAT.

[Nerwin]

Well guys, I got it to work! So happy now! Well when I switch routers I gotta reboot the cable modem.

But It works so wonderfully. Much better than my old Netgreat router. Internet seems a little snappy.

Though this router is an overkill, I don't mind it much! I do go to school for computer networking so it is a great learning tool.

Everything was working fine, but what happened was I set up the port that was connected to the modem as a LAN, I set it up as a WAN and set up PAT and it worked perfectly.

I didn't do this via code, but I did use SDM to get it to work.

I hope this makes sense because I am tired. lol

But thank you guys so much for helping me!

-ALSO, I have a Cisco Catalyst 2900 switch. But the fans are shot, so I gotta replace those before I can use the switch. Though it's not gigabit, it will still work fine.

[macrohard]

No problem, glad it worked out for you. B)

[bobdole369]

SDM works look at that!

I'd LOVE to have a 2811 to just put in my house. At work we only have an 1811 and thats WAY overkill for us. Good job and gratz2u!

[h3%5kr3w]

Damn!!! someone beat me to it.. but really I didn't even think about nat/pat setup, I was thinking you have to set your routes properly to jump from network to network (if on a different network)

Never used SDM though, so dunno how that works. Saw pix of it though :P

btw, make sure you fortify that router a little!!!

here's a little bit that would help..

>en

>conf t

>li c 0

>password (type the password)

>logi

>li vty 0 ? (type the question mark to see how many virtual terminal lines it has)

>li vty 0 x (with x being the last vty line)

>password (type the password)

>logi

>exi

you don't really have to worry about line console 0 (li c 0) cause that's your rollover cable port, but it's always ALWAYS a major + to secure your terminal lines.

Any other issues, holla @ me

[digip]

Damn!!! someone beat me to it.. but really I didn't even think about nat/pat setup, I was thinking you have to set your routes properly to jump from network to network (if on a different network)

Never used SDM though, so dunno how that works. Saw pix of it though :P

btw, make sure you fortify that router a little!!!

here's a little bit that would help..

>en

>conf t

>li c 0

>password (type the password)

>logi

>li vty 0 ? (type the question mark to see how many virtual terminal lines it has)

>li vty 0 x (with x being the last vty line)

>password (type the password)

>logi

>exi

you don't really have to worry about line console 0 (li c 0) cause that's your rollover cable port, but it's always ALWAYS a major + to secure your terminal lines.

Any other issues, holla @ me

SDM is ciscos Security Device Manager, which basically is just a web gui to config the router, instead of using the console/cli interface. It more or less makes it feel like a consumer router, so you can manage it via the web browser doing your dhcp, firewall rules, etc.

[Nerwin]

The great thing about SDM is that it shows you the commands as well. It's a great piece of software and works really well.

However, I am just testing this router right now and it's going to work very well. We have a security system in our home and say when ever my mom logs onto the DVR to view the cameras, our network/internet is really really slow. I'm hoping this router will fix some of that.

But when I fully implement this, it's going to be locked down alright.

I guess I could of used Packet Tracer to set up my network first, which is what I might do in the matter of fact. I wish I new my login info for Cisco, I have a certain level of access, so I can access a ton of software from Cisco for free. But I don't remember what they are. haha.

But again, thanks guys for your help! It totally pointed me in the right direction.

[bobdole369]

You really ought to recall your login info from cisco. If you have access to IOS images and whatnot that is killer. I struggled for a month trying to find a more current IOS and had to blindly trust some rapidshare post. But I had no choice. Bug identified in the version we were running, Router OOW, boss unwilling to pay the ridiculous service contract, I know noone with IOS image access, and even more unwilling to pay a certed person, or to pay to get me certed.

QOS is hard, but not impossible to understand. It'll help you in that instance with the cameras. I can help you.