Setting up a 871W with a static IP

Dec 27th, 2007

Hi All,


I'm trying to set up a Cisco 871W as a wireless router. It has an external IP, a gateway provided by our ISP, and two DNS servers. I can ping domains and IPs from within the router (via telnet), but I can't ping anything but the internal and external IP addresses of the 871W when connected through the WLAN or any Fast Ethernet port. I've tried to use SDM Express and Cisco Configuration Assistant to get it working and can't seem to get it to pass any network traffic.


Here's my configuration. Any help would be greatly appreciated. This is my first cisco experience.


Using 3592 out of 131072 bytes
!
! Last configuration change at 16:55:53 PST Tue Dec 11 2007 by admin
! NVRAM config last updated at 16:56:00 PST Tue Dec 11 2007 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoWireless
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 216.x.x.254 216.140.17.254
   lease 0 2
!
!
ip inspect log drop-pkt
ip domain name yourdomain.com
ip name-server 216.140.16.254
ip name-server 216.140.17.254
!
!
crypto pki trustpoint TP-self-signed-1700522519
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1700522519
 revocation-check none
 rsakeypair TP-self-signed-1700522519
!
!
crypto pki certificate chain TP-self-signed-1700522519
 certificate self-signed 01 nvram:IOS-Self-Sig#3905.cer
username admin privilege 15 secret xxx
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address [external IP removed for privacy] 255.255.255.224
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid GuestNet
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 885kqed9
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.91.82.33
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login (removed to save space)
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Scott Fella Thu, 12/27/2007 - 17:42

I believe that you need to configure NAT unless your ISP is going to issue DHCP to your clients.
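As an added illustration of the NAT point (this is editor-supplied example code, not from the thread or from Cisco): IOS only translates traffic once an outside interface, an inside interface and a translation rule (`ip nat inside source ...`) all exist; marking interfaces alone changes nothing. The check below walks constructed config excerpts modelled on the original post. The interface names are the poster's; the addresses (198.51.100.x documentation range) and the standard access-list number 1 are placeholders.

```python
"""Added example, not part of the thread: a check of the three things IOS
needs before NAT overload translates anything, run over constructed config
excerpts.  Interface names follow the original post; the addresses and the
access-list number are placeholders."""
import re

# Constructed excerpt of the poster's WAN and LAN interfaces, before any NAT.
BEFORE = """\
interface FastEthernet4
 description $ES_WAN$
 ip address 198.51.100.10 255.255.255.224
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""

# Only the interface marking applied (ip nat outside on Fa4, ip nat inside on BVI1).
MARKED_ONLY = BEFORE.replace(
    " description $ES_WAN$\n", " description $ES_WAN$\n ip nat outside\n"
).replace(
    " ip address 192.168.0.1 255.255.255.0\n",
    " ip address 192.168.0.1 255.255.255.0\n ip nat inside\n",
)

# Marking plus the translation rule: overload the LAN onto Fa4's address
# (assumed list number 1; any unused standard ACL number would do).
COMPLETE = MARKED_ONLY + """\
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
"""


def interfaces_with(config, line):
    """Names of interfaces whose stanza contains exactly this sub-command."""
    found = []
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        if re.search(rf"^ {re.escape(line)}\s*$", m.group(2), re.M):
            found.append(m.group(1))
    return found


def nat_gaps(config):
    """Return a list of what is still missing for NAT overload to work."""
    gaps = []
    if not interfaces_with(config, "ip nat outside"):
        gaps.append("no interface marked 'ip nat outside'")
    if not interfaces_with(config, "ip nat inside"):
        gaps.append("no interface marked 'ip nat inside'")
    rule = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if rule is None:
        gaps.append("no 'ip nat inside source' translation rule")
    elif not re.search(rf"^access-list {re.escape(rule.group(1))} permit ", config, re.M):
        gaps.append(f"translation rule uses access-list {rule.group(1)}, which permits nothing")
    return gaps


if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("marked only", MARKED_ONLY), ("complete", COMPLETE)]:
        print(f"{name:12s}: {nat_gaps(cfg) or 'ready'}")
```

Running it shows the original excerpt missing all three pieces, the interface-marked excerpt still missing the translation rule, and only the complete excerpt reporting nothing missing. The same idea can be applied to a saved `show running-config` to confirm the NAT triad is in place before chasing other causes.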

gpetroski Sat, 12/29/2007 - 22:45

Hey man. You need the NAT. Do this:

config t
int fa4
ip nat outside
end
wr mem

config t
int BVI1
ip nat inside
end
wr mem

You should be good to go. Also, it looks like you have no firewall and no IPS enabled on this device. Create some basic ACLs at least to protect yourself. Also, disable CDP on all interfaces. Use this:

config t
int FA4
! "cdp run" is the global form; the per-interface command is "cdp enable"
no cdp enable
end
wr mem

Now it is all written to the NVRAM startup-config and you are good to go. Here is the sample of my FA4:


interface FastEthernet4
 description TO_WAN_COMCAST$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM

Access group 105 is actually access list 105 applied inbound to the FA4, which is controlling access to the router from the outside.


Here is the sample of 105 extended access list:

access-list 105 permit udp host 68.87.77.130 eq domain any
access-list 105 permit udp host 68.87.72.130 eq domain any
access-list 105 permit udp host 4.2.2.1 eq domain any
access-list 105 permit udp host 131.107.1.10 eq ntp any eq ntp
access-list 105 permit udp host 209.81.9.7 eq ntp any eq ntp
access-list 105 deny ip 192.168.0.1 0.0.0.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log




In essence, you can substitute my DNS servers with yours (where it says eq domain), and then I have 2 time servers allowed in. You can omit this if not using NTP to sync your clock. Bootps and bootpc are for the DHCP to be able to dish out an IP for my FA4 interface from Comcast. If you have a static IP from your ISP, omit this. The line:

access-list 105 deny ip 192.168.0.1 0.0.0.255 any

is very important and needs to be there so you don't block your own subnet. To implement the ACL do this:

config t

then paste the text from the top.

exit

then config t
int fa4
ip access-group 105 in
end
wr mem

that should do it


Let me know if you have any more questions.
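To make the behaviour of the posted list concrete, here is an added example (editor-supplied Python, not code from the thread or from Cisco) that models how IOS evaluates an extended ACL top-down and runs access-list 105, exactly as posted, against constructed inbound packets. The router's outside address 203.0.113.5 and the sample sources 198.51.100.77 and 8.8.8.8 are placeholders; the DNS and NTP addresses are the ones in the list. It shows three things worth knowing before copying the list: replies are admitted only from the named resolvers and time servers, the entries for 192.168.0.0/24 and the RFC 1918, loopback and broadcast ranges drop packets that arrive on the WAN claiming a local or private source (anti-spoofing, since such sources should never appear inbound on Fa4), and the closing `deny ip any any log` only adds logging, because every IOS ACL already ends with an implicit deny.

```python
"""Added example, not part of the thread: a minimal model of how IOS walks an
extended ACL top-down.  It covers only the syntax used in list 105 (host / any /
address-plus-wildcard, 'eq <port>', ICMP type names, a trailing 'log')."""
import ipaddress

# access-list 105 as posted in the reply (addresses are the poster's).
ACL_105 = """\
access-list 105 permit udp host 68.87.77.130 eq domain any
access-list 105 permit udp host 68.87.72.130 eq domain any
access-list 105 permit udp host 4.2.2.1 eq domain any
access-list 105 permit udp host 131.107.1.10 eq ntp any eq ntp
access-list 105 permit udp host 209.81.9.7 eq ntp any eq ntp
access-list 105 deny ip 192.168.0.1 0.0.0.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log
"""

PORT_NAMES = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
WAN_IP = "203.0.113.5"  # constructed placeholder for the router's outside address


def _addr(t, i):
    """Consume one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # 'A.B.C.D wildcard': an IOS wildcard is the bitwise inverse of a netmask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _port(t, i):
    """Consume an optional 'eq <name-or-number>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N ...' lines into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        r = {"action": t[2], "proto": t[3], "icmp": None}
        r["src"], i = _addr(t, 4)
        r["sport"], i = _port(t, i)
        r["dst"], i = _addr(t, i)
        r["dport"], i = _port(t, i)
        if r["proto"] == "icmp" and i < len(t) and t[i] in ICMP_TYPES:
            r["icmp"], i = ICMP_TYPES[t[i]], i + 1
        r["log"] = i < len(t) and t[i] == "log"
        rules.append(r)
    return rules


def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp=None):
    """First matching entry wins.  Returns (action, entry number, logged);
    entry number None means the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["icmp"] is not None and r["icmp"] != icmp:
            continue
        return r["action"], n, r["log"]
    return "deny", None, False


RULES = parse_acl(ACL_105)
# The same list without its final explicit entry, to show the implicit deny.
RULES_NO_FINAL = parse_acl("\n".join(ACL_105.splitlines()[:-1]))

if __name__ == "__main__":
    # Constructed inbound packets on Fa4: (label, proto, src, sport, dport, icmp type)
    samples = [
        ("DNS reply from a listed resolver", "udp", "68.87.77.130", 53, 40000, None),
        ("WAN packet claiming a LAN source (spoofed)", "udp", "192.168.0.50", 53, 40000, None),
        ("NTP reply from listed server", "udp", "131.107.1.10", 123, 123, None),
        ("ping reply", "icmp", "8.8.8.8", None, None, 0),
        ("inbound ping request", "icmp", "8.8.8.8", None, None, 8),
        ("telnet attempt from the Internet", "tcp", "198.51.100.77", 44444, 23, None),
    ]
    for label, proto, src, sport, dport, icmp in samples:
        print(f"{label:45s} -> {evaluate(RULES, proto, src, WAN_IP, sport, dport, icmp)}")
```

The list as posted is stateless: it admits DNS and NTP replies by source address and port alone, so a static-IP deployment that drops the bootps/bootpc entry, as the reply suggests, still relies on the resolver and time-server addresses being correct for its ISP. The spoofed-source sample is matched by entry 6, the inbound ping request and telnet attempt fall through to the logging deny, and the `RULES_NO_FINAL` variant shows the same packet being dropped silently by the implicit deny when the last entry is absent.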

