Need help configuring 1841 Router with a WIC-ADSL1 Module

Aug 17th, 2011

Hello folks...

I am new to using this forum so please bear with me...

I only know a little about programming a CISCO router but I know the config I setup is not working...

Here is what I want to do...

  • The ISP provides us with IP Addresses via DHCP. Our public address is NOT static so the interface on the DSL Module needs to be provisioned to get a DHCP address with a CLASS C License.
  • The IP address of the Router should be 10.0.0.10 subnet=255.255.255.0
  • The LAN Clients need to receive their IP address via DHCP EXCEPT for a range of 100 addresses. The LAN Clients only need about 40 DHCP addresses.
  • ONE of the Lan Clients (10.0.0.3) needs to have ports 25, 1723, and others forwarded to it.

Below is the config I am trying to use but I can't even ping the router from the LAN. What am I doing wrong?

Can anyone tell me how to fix this and can you send examples or even rewrite my config for me? I would be grateful!

Please advise...

Dale Allen







Peter Paluch Wed, 08/17/2011 - 08:32

Dale,

Paste these commands directly to your router after being in the global configuration mode (you call it up using the configure terminal command):

ip routing
ip cef
interface FastEthernet0/0
ip route-cache
ip route-cache cef
duplex auto
end

I also have a question: Your ADSL PPP configuration is currently performed in the PPPoA style. There is also a more common approach used, the PPPoE. You have to verify with your ISP what kind of PPP is used, as these two encapsulations are not compatible nor interchangeable. Also, is the PVC 0/35 correct? Again, this must be verified against your ISP as there is no default setting.

After these changes, you should at least be able to receive an IP address automatically on your PC if connected to the Fa0/0 interface, and be able to ping the 10.0.0.10. If not, there are probably some physical problems with the connection - in that case, try using the show ip interface brief command and check whether the FastEthernet0/0 interface is reported as up/up. If not, there is a cabling problem.

Best regards,

Peter

dallen0 Wed, 08/17/2011 - 16:24

Thanks for writing back...

Now I can ping the Fast Ethernet interface and I can telnet into the router from the LAN side but I Cannot ping the Internet even from inside the router.

Here is additional information that might help you...

(BTW: I am SURE it is PPPoA and not PPPoE. And I am sure it is 0/35 because I got that off the router they give us for free...)

Please see attached.

Dale

johnlloyd_13 Wed, 08/17/2011 - 18:04

hi dale,

you're not getting an IP via IPCP from your SP.

Dialer1                    unassigned      YES NVRAM  up                    up

check with your SP again for the VPI/VCI. you should have inserted the below on your ATM: pvc 0/X ilmi

Router(config-if)#pvc 0/X ?
  ilmi  Configure the management PVC for this interface

interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

dallen0 Thu, 08/18/2011 - 09:34

John:

That appears to be the case... The ISP won't help me very much because they say they will only support the Thomson SpeedTouch Modem that is shipped/packaged with the Service.

However they did say that they are providing us our IP address over DHCP and they never heard of "IPCP". Keep in mind that just because they never heard of it before, does not mean that is not what they are using.

In any case, we don't seem to be getting an IP address from them.  What debug can I run that will show the process as it progresses if we are even "Dialing" out to even attempt to get an IP address from them? 

Please advise....


Dale Allen

Peter Paluch Thu, 08/18/2011 - 11:09

Hi Dale,

Please run the following debugs:

debug ppp negotiation
debug ppp authentication

and then shutdown/unshutdown the Dialer interface. Capture the output and post it here please. You must be either connected directly to the console, or if you telnet into the router, use the terminal monitor command to divert all console messages to your Telnet session.

Thank you!

Best regards,

Peter

dallen0 Thu, 08/18/2011 - 14:33

First of all I want to thank you for the really great steps you have provided me with.. 

Can I ask you, is it against the rules to offer you some cash for personal help? Could I pay you to get on my computer via Logmein and assist me faster than this forum or is that against someone's rules?

In any case, please see the attached file for the debug results....

Dale

dallen0 Thu, 08/18/2011 - 20:36

*Aug 18 23:46:04.991: Vi2 DDR: Dialer statechange to up

*Aug 18 23:46:04.991: %DIALER-6-BIND: Interface Vi2 bound to profile Di1

*Aug 18 23:46:04.991: Vi2 PPP: Using dialer call direction

*Aug 18 23:46:04.991: Vi2 PPP: Treating connection as a callout

*Aug 18 23:46:04.991: Vi2 PPP: Phase is ESTABLISHING, Active Open

*Aug 18 23:46:04.991: Vi2 PPP: Authorization required

*Aug 18 23:46:04.991: Vi2 PPP: No remote authentication for call-out

*Aug 18 23:46:04.991: Vi2 LCP: O CONFREQ [Closed] id 131 len 10

*Aug 18 23:46:04.991: Vi2 LCP:    MagicNumber 0x136DAF25 (0x0506136DAF25)

*Aug 18 23:46:06.987: %LINK-3-UPDOWN: Interface Dialer1, changed state to up


jakula Thu, 08/18/2011 - 21:17

could you please send output of "sh queuing int atm0/0/0"?

dallen0 Thu, 08/18/2011 - 23:31

In addition to this information, please see the attached file...

Thanks in advance...

Dale

dma#sh queueing interface dialer1
Interface Dialer1 queueing strategy: fair
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec

dma#sh queueing interface atm0/0/0
  Interface ATM0/0/0 VC 0/35
  Queueing strategy: fifo
  Output queue 0/40, 0 drops per VC

johnlloyd_13 Fri, 08/19/2011 - 06:56

Hi Dale,

Does Internet work using the Thomson Speed Touch modem/router?

Either you should demand from your ISP a working config that applies to Cisco routers, or hire a reputable IT vendor should you have the cash to spare.

Sent from Cisco Technical Support iPhone App

dallen0 Fri, 08/19/2011 - 07:12

Thanks John for writing back....

Yes the SpeedTouch connects but it has problems even after replacing it 3 times. The ISP tells me to leave it plugged directly into the wall and don't use a UPS. That's NOT A solution for me because we lose power here a lot (for short periods at a time) and I need it to stay up and running all the time.

I did some digging and I found that the ISP was totally incorrect.  He said we were authenticating using CHAP however I looked at a log on the SPEEDTOUCH and I have listed the log output FROM THE SpeedTouch below...  I believe this sheds new light on our problem...

Special note is how the SPEEDTOUCH seems to RECEIVE a call first and how it says it is using PAP instead of CHAP.

Please review this log and give me some feedback...   AND BTW:  I bought a SmartNet Contract for the unit today.

Thanks again for all your time and attention... Now here is the log... 

(Note to you:  The dates in the event log are not correct because the router is not configured for NTP...)

Device:
  Name: TG782
  Serial #: 1004NTT6Q

Device Configuration:
  Region: Puerto Rico
  Provider: Basic
  Service: Routed PPP (Description: Routed Connection.)

Routed Internet Connection:
  VPI/VCI: 0.35
  Connection Type: PPP over ATM (PPPoA)

Internet Account Settings:
  User Name: CP1004NTT6Q
  Password: ********


Time  Message

Jan 1 08:41:16 PPP link up (Internet) [64.237.144.116]
Jan 1 08:41:15 PPP PAP Authenticate Ack received
Jan 1 08:41:15 PPP PAP Authenticate Request sent
Jan 1 08:41:00 xDSL linestate up (ITU-T G.992.5; downstream: 5118 kbit/s, upstream: 508 kbit/s; output Power Down: 19.0 dBm, Up: 12.0 dBm; line Attenuation Down: 16.0 dB, Up: 5.5 dB; snr Margin Down: 27.5 dB, Up: 29.5 dB)
Jan 1 08:38:52 PPP link down (Internet) [64.237.147.115]
Jan 1 08:38:10 xDSL linestate down
Jan 1 08:24:08 PPP link up (Internet) [64.237.147.115]
Jan 1 08:24:08 PPP PAP Authenticate Ack received
Jan 1 08:24:07 PPP PAP Authenticate Request sent
Jan 1 08:23:47 xDSL linestate up (ITU-T G.992.5; downstream: 5118 kbit/s, upstream: 508 kbit/s; output Power Down: 19.0 dBm, Up: 12.0 dBm; line Attenuation Down: 16.0 dB, Up: 5.5 dB; snr Margin Down: 27.5 dB, Up: 29.5 dB)
Jan 1 08:02:56 PPP link down (Internet) [65.23.231.32]
Jan 1 08:02:16 xDSL linestate down
Jan 1 05:25:32 PPP link up (Internet) [65.23.231.32]
Jan 1 05:25:32 PPP PAP Authenticate Ack received
Jan 1 05:25:31 PPP PAP Authenticate Request sent
Jan 1 05:25:18 xDSL linestate up (ITU-T G.992.5; downstream: 5118 kbit/s, upstream: 508 kbit/s; output Power Down: 19.0 dBm, Up: 12.0 dBm; line Attenuation Down: 16.0 dB, Up: 5.5 dB; snr Margin Down: 27.5 dB, Up: 29.5 dB)
Jan 1 05:14:23 PPP link down (Internet) [64.237.151.220]

dallen0 Fri, 08/19/2011 - 07:18

OOPS!

I read the log incorrectly....

Jan 1 08:24:08 PPP PAP Authenticate Ack received
Jan 1 08:24:07 PPP PAP Authenticate Request sent

It seems to send first then receive....

Dale

johnlloyd_13 Fri, 08/19/2011 - 07:27

Hi Dale,

Thanks for this info! Unfortunately, your config is left on my laptop. Will review it again soon if you're using the right authentication protocol.

In the meantime, since you've got a Smartnet contract, why not open a TAC case?

Sent from Cisco Technical Support iPhone App

dallen0 Fri, 08/19/2011 - 07:50

I can't open a case for two more long weeks. It takes that long to get the contract

Dale

Sent from my iPhone

johnlloyd_13 Sat, 08/20/2011 - 21:22

hi dale,

got the opportunity to look again on your config, you seem to have used both authentication protocols - CHAP and PAP. looking at your thomson ST modem logs, it uses PAP. kindly make the necessary changes in using only PAP (verify this info with your ISP).

interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname CP1004NTT6Q
ppp chap password 0 CP1004NTT6Q
ppp pap sent-username CP1004NTT6Q password 0 CP1004NTT6Q

-----

should look like this

ppp authentication pap callin
ppp pap sent-username password

Peter Paluch Sun, 08/21/2011 - 00:20

Hi John,

To my best knowledge, this change would not accomplish anything. The particular kind of PPP authentication is not enforced by a node willing to authenticate itself, rather, it is requested by the neighboring node that wants to authenticate its peer.

Dale's configuration is currently simply prepared to answer to both CHAP and PAP authentication requests, but it does not enforce any. If the remote end requires PAP during the LCP phase, Dale's router will use PAP. If the remote end negotiates CHAP during the LCP, the Dale's router will run CHAP. It is as simple as that.

The ppp authentication pap callin command is actually quite dangerous in this situation. What it means is that "I will want the other end to authenticate to myself but only if it is calling me, not if I am calling it". Note the problems related to this command:

  • We are requesting the remote end to authenticate to us, in other words, we want the ISP to authenticate itself. That is a totally opposite direction of authentication than that which should take place.
  • We do not know any username nor password that the ISP should use to prove its identity to us. The username/password combination that is configured on the interface is our credential, not ISP's. If the ISP was indeed to authenticate to us, we would have to record its credentials using the username password global configuration command.
  • The callin parameter tells Dale's router to authenticate the ISP only if it calls us. Note that this direction of PPP connection creation never occurs on DSL lines. It is valid for dialed lines and callback scenarios, but never in a stable provider environment.

What is interesting is that precisely this kind of configuration seems to persist all around. I see it all the time configured on client devices and I wonder where does it come from. To me, it appears to be patently wrong. I guess I have seen it somewhere in some Cisco configuration example that got it wrong in the first place, and it is simply being propagated further and further.

Please correct if I am wrong here!

Best regards,

Peter

johnlloyd_13 Sun, 08/21/2011 - 01:04

hi peter,

the 2 lines which i provided are required for PAP to work. the optional "callin" keyword is up to OP to add if one or the other works for his connection.

this kind of set up is very common with our 1841s with the same ADSL WIC module. it's also common with PPPoE and PPPoA setup.

Peter Paluch Sun, 08/21/2011 - 02:29

Hi John,

Hmmm... I am sorry but I still do not agree with your reasoning.

"the 2 lines which i provided are required for PAP to work."

This depends on the direction of the authentication. I maintain that these two lines are not required if Dale's router should authenticate to the ISP and not vice versa. The ppp authentication pap command will request that the other party authenticates to us. It does not influence whether we agree on a particular type of authentication requested from the other party. If we wanted to refuse a particular authentication type we would use the ppp pap refuse or ppp chap refuse commands, but it is always the other party that requires authentication from us.

Quoting from the IOS Security Command Reference for 12.4T at

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p2.html#wp1032515

"When you enable Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) authentication (or all three methods), the local router requires the remote device to prove its identity before allowing data traffic to flow."

In other words, using the plain ppp authentication pap on Dale's router would cause Dale's router to send PPP PAP Request to the ISP, and Dale's router would expect a PAP Response from ISP, then compare the received username and password to the local username database. Is this what we want - to authenticate the ISP to us? Surely not! The authentication should go the other way around!

Let me also quote the Linux manpage about pppd that puts it quite nicely:

"The PPP protocol, being symmetrical, allows both peers to require the other to authenticate itself. In that case, two separate and independent authentication exchanges will occur. The two exchanges could use different authentication protocols, and in principle, different names could be used in the two exchanges."

So, if I request authentication from the other party, it has absolutely no effect whether I will have to authenticate myself to the other party as well, and what kind of authentication that will be.

The configuration as used and suggested by you works because, just by a happy coincidence, a DSL connection is not treated as incoming PPP call, and thus the command ppp authentication pap callin actually has no effect - as if you never entered it at all. I am very sure that if you removed the callin keyword, your clients would not be able to connect as they would request PAP authentication from the ISP's access concentrators. That would require setting up local username databases on your clients' routers so that the username/password of the ISP access concentrators could be verified against it.

Best regards,

Peter
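The direction argument above, as an added example (not part of the original posts and not Cisco tooling): a small Python audit that separates the credentials a router answers with from the authentication it demands of its peer. The sample configs, EXAMPLEUSER/EXAMPLEPASS and the finding names are constructed for illustration, and only the local username database is considered (no AAA).

```python
import re

# Constructed sample configs (placeholders, not the thread's attachments).
ANSWER_ONLY = """\
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname EXAMPLEUSER
 ppp chap password 0 EXAMPLEPASS
 ppp pap sent-username EXAMPLEUSER password 0 EXAMPLEPASS
!
"""
WITH_CALLIN = ANSWER_ONLY.replace(
    " dialer pool 1\n", " dialer pool 1\n ppp authentication pap callin\n")
WITHOUT_CALLIN = WITH_CALLIN.replace(" callin", "")


def parse_interfaces(config):
    """Split a config into global commands and per-interface subcommands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line[0] == " " and current is not None:
            current.append(line.strip())
        else:  # "!" or an unindented global command closes the block
            current = None
            if line.strip() != "!":
                global_lines.append(line.strip())
    return global_lines, interfaces


def audit_ppp_auth(config):
    """Per PPP interface: what we answer, what we demand, and findings."""
    global_lines, interfaces = parse_interfaces(config)
    # Assumption: the peer's credentials could only live in the local
    # "username ... password/secret" database (no AAA/RADIUS lookup).
    has_user_db = any(
        re.match(r"username\s+\S+\s+(password|secret)\b", g)
        for g in global_lines)
    report = {}
    for name, cmds in interfaces.items():
        answers, refused, demands, findings = set(), set(), [], []
        # Heuristic (assumption): a dialer profile bound to a pool is the
        # call-out side, as in the DSL setup discussed in the thread.
        places_calls = any(c.split()[:2] == ["dialer", "pool"] for c in cmds)
        for cmd in cmds:
            w = cmd.split()
            if w[:1] != ["ppp"]:
                continue
            if w[1:3] == ["pap", "sent-username"]:
                answers.add("pap")    # our credential, sent only if asked
            elif w[1:3] == ["chap", "password"]:
                answers.add("chap")   # our secret for the peer's challenge
            elif w[2:3] == ["refuse"]:
                refused.add(w[1])     # "ppp pap refuse" / "ppp chap refuse"
            elif w[1:2] == ["authentication"]:
                # Reverse direction: WE ask the PEER to prove its identity
                # with the listed protocols.
                demands = [p for p in w[2:] if p in ("pap", "chap")]
                if "callin" in w and places_calls:
                    findings.append("CALLIN_NO_EFFECT_ON_CALLOUT")
                elif not has_user_db:
                    findings.append("DEMANDS_PEER_AUTH_WITHOUT_USER_DB")
                else:
                    findings.append("DEMANDS_PEER_AUTH")
        if answers or demands or refused:
            report[name] = {"answers": sorted(answers - refused),
                            "demands": demands, "findings": findings}
    return report


if __name__ == "__main__":
    for label, cfg in (("answer only", ANSWER_ONLY),
                       ("with callin", WITH_CALLIN),
                       ("without callin", WITHOUT_CALLIN)):
        print(label, audit_ppp_auth(cfg))
```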

johnlloyd_13 Sun, 08/21/2011 - 04:31

Hi Peter,

Very interesting points indeed! I wish I was wrong.

With due respect, I'd gladly drop off this thread and leave it up to you since you have more expertise

Sent from Cisco Technical Support iPhone App

Peter Paluch Sun, 08/21/2011 - 04:58

Hello John,

No, no, please do not leave this thread! All your suggestions are welcome!

Regarding this particular configuration snippet I originally commented, I am simply going against a popular but incorrect belief I am seeing far too often. Being a teacher, I have a strong propensity to point out inaccuracies and put things into their correct place - not as a nitpicker I would like to hope, but rather out of my desire to help people understand and use things correctly. I apologize if I embarrassed you by my argument or if I was in any way inappropriate.

You are most welcome here, and I definitely want you to continue submitting suggestions how to help solve Dale's problem.

Best regards,

Peter

jakula Wed, 08/17/2011 - 21:26

Hello Dale, if it's pppoe over ATM, then apply below config,

interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/35  <<<  Verify this value with ISP
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
protocol ppp dialer  <<<  Add this one
!

Regards,

Jyoti

Peter Paluch Thu, 08/18/2011 - 01:09

Hello Jyoti,

I am not sure about that addition you have suggested. It is still PPPoA, not PPPoE. If PPPoE was to be configured, the configuration would be

interface ATM0/0/0
pvc 0/35
pppoe-client dialer-pool-member 1

i.e. it would need to reference PPPoE explicitly.

Best regards,

Peter

dallen0 Thu, 08/18/2011 - 09:39

I HAVE verified this value...

pvc 0/35 <<< Verify this value with ISP

Thanks

Dale Allen

Peter Paluch Fri, 08/19/2011 - 06:24

Dale,

According to your outputs you have provided us with, the PPP on the other side simply does not respond. You are trying to bring up a PPP link and the other side sits there totally quiet.

I suggest verifying that your DSL interface has correctly trained to the DSLAM - use the commands

show controllers atm 0/0/0
show controllers dsl 0/0/0

and post the results here please. If the modem is trained correctly then I surmise that your provider probably uses PPPoEoA instead of PPPoA (if they don't know that they are using IPCP which they are then I also doubt their competency in distinguishing PPPoA from PPPoEoA).

Best regards,

Peter

dallen0 Fri, 08/19/2011 - 08:20

Thanks for writing back and for your attention...

I don't think I got all of the data but here is what I did get...(See attached) . 

And there is no command for show controllers DSL

Dale

dallen0 Fri, 08/19/2011 - 08:22

Couple of quick questions...

How do you shut off Term Monitor?

How do you increase the buffer to help hold more output from show controllers or show tech support?

Please advise...

Dale

Peter Paluch Sat, 08/20/2011 - 16:02

Dale,

If you want to capture the output, the best way to do it is to use your HyperTerminal or PuTTY function to log everything into a file. This way, you do not need to change the logging buffer size.

Your show controllers atm output is sadly truncated so I am not able to see the most important part of the output which I was interested in.

The terminal monitor can be deactivated using the no terminal monitor command - however, this is usable only on Telnet and SSH sessions. The console port still receives the logging output. It can be deactivated, but by a different command, and it is something I would rather not do at the moment.

So please try to use the logging function in your terminal emulator software to capture the entire output of the necessary commands and be so kind to post it here.

An additional info: I have sent you a private message - click on the Account link up at the top of the page. Please check it. Thanks!

Best regards,

Peter

Peter Paluch Sun, 08/21/2011 - 08:16

Dale,

Thanks for the untruncated version of the show controllers output. Sadly, I am still missing some information from that output.

You are telling me that there is no command similar to the show controllers dsl right? Does the show controllers dsl command alone exist? Try using the question mark sign to verify its correct syntax (perhaps it requires a special number or additional keyword after it).

Also, can you see if there is a command show dsl interface atm0 or show dsl interface atm0/0/0 or - again - a similar command you could run and post the output?

Best regards,

Peter

Peter Paluch Sun, 08/21/2011 - 11:01

Dale,

Thank you for the output. I wanted to verify whether your DSL modem is able to link to the DSLAM, and apparently, it is - the speeds are 5120 Kbps download/512 Kbps upload. Nice!

However, the debugs still show that you are trying to start the PPP link negotiation but the opposite side simply does not respond. It is as if it was not receiving your PPP datagrams at all.

Let us try to make a change: the PPP can be encapsulated into ATM cells either using direct AAL5 and devoting the virtual circuit to a single protocol only, or a SNAP header can be added. These two methods are called aal5mux and aal5snap, respectively. They are not compatible - a mismatch in this encapsulation may result in the other party not understanding your datagrams.

Can you try to modify your ATM configuration as follows?

interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/35
  encapsulation aal5snap ! THIS IS THE CHANGED LINE
  dialer pool-member 1
!
!

This is just a blind shot but I guess it is worth trying. When this change is performed, please again run the debugs as before - you may need to shutdown and reactivate the ATM0/0/0 interface.

Can you also inspect the "official" modem settings for AAL5MUX/AAL5SNAP hints? Is it actually possible to dump the configuration of the "official" modem?

Best regards,

Peter
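The "other side does not respond" reading of the debug output, as an added example (not part of the original posts): a Python triage of `debug ppp negotiation` output that reports how far a session got. The first sample reuses three lines from the debug posted earlier in the thread plus one constructed retransmission; the second sample, the stage names and the hints table are constructed, and the address is from a documentation range.

```python
import re
from collections import Counter

PKT = re.compile(r"(?P<iface>\S+) (?P<proto>LCP|PAP|CHAP|IPCP): "
                 r"(?P<dir>[IO]) (?P<code>[A-Z-]+)")
ADDR = re.compile(r"(?P<iface>\S+) IPCP:\s+Address (?P<addr>\d+(?:\.\d+){3})")

# First three lines are from the debug posted in the thread; the
# retransmission on the last line is constructed.
SILENT_PEER = """\
*Aug 18 23:46:04.991: Vi2 PPP: Phase is ESTABLISHING, Active Open
*Aug 18 23:46:04.991: Vi2 LCP: O CONFREQ [Closed] id 131 len 10
*Aug 18 23:46:04.991: Vi2 LCP:    MagicNumber 0x136DAF25 (0x0506136DAF25)
*Aug 18 23:46:06.991: Vi2 LCP: O CONFREQ [REQsent] id 132 len 10
"""

# Entirely constructed: a session that completes LCP, PAP and IPCP.
WORKING = """\
Vi2 LCP: O CONFREQ [Closed] id 1 len 10
Vi2 LCP: I CONFREQ [REQsent] id 1 len 14
Vi2 LCP: O CONFACK [REQsent] id 1 len 14
Vi2 LCP: I CONFACK [ACKsent] id 1 len 10
Vi2 PAP: O AUTH-REQ id 1 len 24 from "EXAMPLEUSER"
Vi2 PAP: I AUTH-ACK id 1 len 5
Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
Vi2 IPCP:    Address 0.0.0.0 (0x030600000000)
Vi2 IPCP: I CONFNAK [REQsent] id 1 len 10
Vi2 IPCP:    Address 203.0.113.7 (0x0306CB007107)
Vi2 IPCP: O CONFREQ [REQsent] id 2 len 10
Vi2 IPCP:    Address 203.0.113.7 (0x0306CB007107)
Vi2 IPCP: I CONFACK [REQsent] id 2 len 10
"""

# Hints restate the causes raised in the thread for each stage.
HINTS = {
    "NO_ATTEMPT": "no outgoing LCP CONFREQ: is the dialer/ATM interface up?",
    "PEER_SILENT": "peer never answers: check VPI/VCI, aal5mux vs aal5snap, "
                   "PPPoA vs PPPoEoA with the ISP",
    "LCP_INCOMPLETE": "LCP options exchanged but not acknowledged both ways",
    "AUTH_REJECTED": "peer refused our credentials",
    "NO_ADDRESS": "authenticated, but IPCP did not settle on an address",
    "LINK_UP": "LCP, authentication and IPCP completed",
}


def diagnose(log, iface="Vi2"):
    """Return (stage, address offered by the peer or None) for one interface."""
    seen, last, offered = Counter(), None, None
    for line in log.splitlines():
        pkt = PKT.search(line)
        if pkt and pkt["iface"] == iface:
            last = (pkt["proto"], pkt["dir"], pkt["code"])
            seen[last] += 1
            continue
        opt = ADDR.search(line)
        # An Address option listed under an incoming IPCP CONFNAK is the
        # address the peer wants us to use.
        if opt and opt["iface"] == iface and last == ("IPCP", "I", "CONFNAK"):
            offered = opt["addr"]

    def count(proto, direction, code=None):
        return sum(n for (p, d, c), n in seen.items()
                   if p == proto and d == direction and code in (None, c))

    if not count("LCP", "O", "CONFREQ"):
        stage = "NO_ATTEMPT"
    elif not count("LCP", "I"):
        stage = "PEER_SILENT"
    elif not (count("LCP", "I", "CONFACK") and count("LCP", "O", "CONFACK")):
        stage = "LCP_INCOMPLETE"
    elif count("PAP", "I", "AUTH-NAK") or count("CHAP", "I", "FAILURE"):
        stage = "AUTH_REJECTED"
    elif not count("IPCP", "I", "CONFACK"):
        stage = "NO_ADDRESS"
    else:
        stage = "LINK_UP"
    return stage, offered


if __name__ == "__main__":
    for name, log in (("silent peer", SILENT_PEER), ("working", WORKING)):
        stage, addr = diagnose(log)
        print(f"{name}: {stage} ({HINTS[stage]}) address={addr}")
```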

dallen0 Sun, 08/21/2011 - 14:21

Well Peter!

Today, YOU ARE THE MAN!

As you can see from the attached capture, you hit the nail on the head and I am connected now. I am SOOOO much happier but we are not quite there yet...

As you can see from my original posts,

  • ONE of the Lan Clients (10.0.0.3) needs to have ports 25, 1723, and others forwarded to it.

How do you do that?

AND...

The ISP Issues an IP address for the DHCP to use for a DNS server. In other words, the LAN interface, gets the DNS Server to use from the ISP's DSL connection when we use the Thomson Modem. How can we do that for this Cisco Router?

AND:

How can we tell the DHCP server on the Router to use more than ONE DNS Server?

AND how can we issue the Time to the DHCP clients on my LAN?

So as I said, we are not yet where I want to be but we ARE A HECK OF A LOT CLOSER now than we were before THANKS TO YOU!

Please get back to me ASAP.


Thanks in advance...

Dale Allen

Peter Paluch Sun, 08/21/2011 - 15:03

Hi Dale,

Well, your ISP is running a strange kind of encapsulation... the SNAP has quite a large overhead with respect to ATM cell size. The AAL5MUX would be more effective, but well, I guess nobody's perfect.

"ONE of the Lan Clients (10.0.0.3) needs to have ports 25, 1723, and others forwarded to it."

Add the following lines to your configuration:

ip nat inside source static tcp 10.0.0.3 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.3 1723 interface Dialer1 1723

and continue with other ports as appropriate. Note, however, that the port 1723 is used for PPTP tunnel signalling but the PPTP itself is a GRE-derived protocol that has no concept of ports. It is practically impossible to run PPTP tunnels over NAT/PAT.

"The ISP Issues an IP address for the DHCP to use for a DNS server. In other words, the LAN interface, gets the DNS Server to use from the ISP's DSL connection when we use the Thomson Modem. How can we do that for this Cisco Router?"

In your ip dhcp pool dhcppool01 section, remove the dns-server line and instead, enter the import all configuration command so that the entire DHCP pool configuration looks as follows:

ip dhcp pool dhcppool01
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.10

"How can we tell the DHCP server on the Router to use more than ONE DNS Server"

Using the import all command, that depends solely on the number of DNS servers provided by the ISP. Alternatively, you could use the dns-server command in which you would list multiple DNS servers, for example:

dns-server 4.2.2.2 8.8.8.8

"AND how can we issue the Time to the DHCP clients on my LAN?"

We could configure the router to run NTP and provide exact time to your stations. However, I do not believe it is reasonable because each Windows station is already capable of contacting timeservers out there on internet, and it does not care about the NTP service on your router. In fact, it would be more tedious to direct your Windows stations to use your router as a time service than to leave them to make their own time synchronization. The DHCP itself is not capable of providing time service. At most, it is capable of providing the IP address of an NTP server but I am not sure if the Windows stations honor that setting.

Best regards,

Peter

dallen0 Mon, 08/22/2011 - 10:14

Ok folks:

We have the hurricane behind us now so we don't have power. But I have my iPhone!

I have to ask this question...

How does the router know that the ISP has changed ip addresses as they so often do? I see that the router inserts an ip address into the routing table when it establishes its first call.

But how does it know to change its public ip address? It's automated, right?

Please advise...

Dale Allen

Sent from my iPhone

Peter Paluch Mon, 08/22/2011 - 10:21

Hello Dale,

Oh, a hurricane? I am so sorry to hear about that. I hope you are OK and the power outage is the only damage you've been exposed to...

Regarding the change of an IP address: the IP address is assigned to your router's Dialer interface during the PPP link initialization, and after that, it stays the same. In fact, until the PPP session is terminated and reestablished, you are constantly in possession of the same IP address you have been assigned at the beginning. If the ISP decides for whatever reason that your IP address must change, he will simply terminate your PPP session. Your router will build it anew in a couple of seconds or minutes, and obtain a new IP address in the process.

Best regards,

Peter

dallen0 Tue, 08/23/2011 - 08:06

Hello again Peter!

There seems to be another problem that has risen after we got everything else working....

I use DDNS.  My domain (domain.com) uses ZONEEDIT for the DNS Servers.  My Exchange server is on the inside of my network.

The problem is that I cannot connect to the Exchange server while inside the network.  If I type https://www.domain.com/remote it will usually give me the expected certificate error and then I get a 404 error.   (I think it is 404, the page cannot be found).

However when I establish a VPN connection, and then I try the web address, it will work.  And when I use a computer OUTSIDE of my network, IT WORKS GREAT.  (Fast too!)

I ran into this problem once before and we all thought it was because I was behind a PIX Firewall.  They used something called DNS Doctor, to fix the problem.  Can this be the same kind of problem? 

How can I fix this issue?

Please advise....

Dale Allen

Please see attached current config...

Peter Paluch Tue, 08/23/2011 - 15:40

Dale,

I am sorry but I do not quite understand your setup here. What you are telling me is that if you connect to the server from your internal network, it behaves differently than to connections initiated from outside. Yet, you are able to talk to that server from both inside and outside, am I correct?

Assuming that the connections initiated from inside and outside land on the same server (verify that using the ping and verifying what IP address is being pinged, or better, using Wireshark on the server to see if the ping packets are arriving and are being answered), I would say this is a problem of the server configuration, not on the router. If you can talk to the server both from inside and outside, then the IP connectivity is working. This may require diving into more depths of your website configuration. Are you running MS webserver or Apache? Is it configured to provide virtual web sites? How is it matching the virtuals when a connection comes in?

Sorry for not being able to answer more precisely but this issue is, so far, very vague.

Best regards,

Peter

dallen0 Wed, 08/24/2011 - 06:31

"What you are telling me that if you connect to the server from your internal network, it behaves differently than to connections initiated from outside."

Yes, that is correct...

"Yet, you are able to talk to that server from both inside and outside, am I correct?"

No, not exactly... I can talk to it inside the network if I use a local IP address. I CANNOT use the public FQDN inside the network. It fails to show the page.

However if I use a VPN connection, the router thinks I am coming in from the outside and it will work OR if I connect to the site from the outside,  again, it will work.

However if I connect the old SpeedTouch from Thomson, EVERYTHING works, no matter if you're inside or outside of the LAN. So this is not a server issue. It most certainly is an issue with the NAT on the Cisco router....

If you read up on doctor DNS or DNS Doctor, it tells about the problem when using NAT on a CISCO router.  I don't however, totally understand all of that.

Any ideas?

Dale Allen

Peter Paluch Wed, 08/24/2011 - 06:48

Hello Dale,

I cannot find / connect to a page referenced to as "dns doctor" via Google so I am relying on the information you can provide me with.

In my last post, I have asked you for a couple of technical information. I still need it. Do you believe you could pass me the answers? I will repeat my questions here for better overview:

  1. Can you ping the internal server from inside by referring to its name (not to its address)?
  2. Regardless of the previous step, when you try ping the internal server from inside by its name, what IP address does the ping command appear to send packets to?
  3. What kind of webserver are you running - Apache or MS?
  4. Can you tell me any details of its config, especially with respect to virtual websites?

Thanks!

Best regards,

Peter

johnlloyd_13 Sun, 08/21/2011 - 16:46

Hi Peter,

Was reading again your posts from yesterday while on my way to work. I learned a lot from this discussion and the way how our 1841s are configured.

as you can see, my approach is more of the trial and error type. This will encourage me to lab up PAP/CHAP.

My respect and +5 goes to you sir!

Sent from Cisco Technical Support iPhone App


Posted August 17, 2011 at 8:12 AM