09-04-2003 08:10 AM - edited 03-02-2019 10:06 AM
All,
I was wondering is the following possible to configure on Cisco Routers;
Currently I have a dialup networking account with My ISP so that when I dial in with My PC using PSTN I get challenged for a username and password ( PAP ) and then the ISP assigns my Session an IP address.
Is it possible to do the same with a Cisco Router using ISDN and PPP( using the same ISP account ) so that the Router dials in and gets authenticated with PAP and it gets assigned an IP address?
I know I'll have to use NAT overload but what's getting me is the assigning of the inside global address that will vary each time it connects to the ISP. Is there any way it can be dynamically assigned? Any configs out there?
Thanks
Paul
09-04-2003 11:27 AM
Paul,
Your NAT statement should read
ip nat inside source list (access-list name) interface (type number)
This will assign the interface's address, whatever it may be at a given time, as the outside NAT address.
HTH
Mark
09-05-2003 10:54 AM
Mark,
thanks for your reply. I've used your NAT suggestion but now the problem I find is that DDR is not being activated by IP traffic. Think this could be a routing issue but not sure, I've put my config below so if you or anyone else has any suggestions it would be greatly appreciated.
Slán
Paul
Config of Cisco 1700 Router;
sh run
Building configuration...
Current configuration : 1223 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CLI_WWW
!
enable secret 5 $1$L5gF$K18j4OvJ4j7/rU7ZMwLUU/
!
username paulk password 0 balally
ip subnet-zero
!
isdn switch-type basic-net3
!
!
!
interface Loopback1
no ip address
!
interface BRI0
ip address 192.168.1.2 255.255.255.0
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication pap
ppp multilink
!
interface FastEthernet0
ip address 10.20.20.1 255.255.255.0
ip nat inside
speed 10
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 300
dialer string 91891121121
dialer load-threshold 1 either
dialer-group 2
no cdp enable
ppp authentication pap
ppp multilink
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 1 permit 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 2 protocol ip list 101
!
line con 0
password infinity
login
line aux 0
line vty 0 4
password 7 104A0616011B17
end
09-05-2003 11:23 AM
Paul,
Two things: your default static route needs to point to interface Dialer1 instead of to 192.168.1.1, and BRI0 should have no IP address.
Also, you have PPP authentication enabled. This means that after you dial in, and the far end authenticates you, you will authenticate the far end. I don't know if the far end will stand for that.
HTH
Mark
09-08-2003 03:37 AM
So to avoid that your router requests the remote to authenticate, add this:
interface Dialer1
ppp authentication pap callin
Also, you'll have to configure the username and password of your ISP account:
interface Dialer1
ppp pap sent-username
hth
Herbert
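The points raised in Mark's and Herbert's replies, written as a small config check (an added example, not part of any post in this thread). The function names `sections` and `lint_ddr` are hypothetical, and the sample is constructed: it is abridged from the first config posted above, with credentials left out.

```python
import re

def sections(config):
    """Map 'global' and each interface name to its commands ('!' ends a section)."""
    out, cur = {"global": []}, "global"
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            out[cur] = []
        elif line == "!":
            cur = "global"
        elif line:
            out[cur].append(line)
    return out

def lint_ddr(config):
    """Return findings for the dialer-profile issues raised in the replies."""
    sec, findings = sections(config), []
    glob = sec.pop("global")
    for name, cmds in sec.items():
        if (any(c.startswith("dialer pool-member") for c in cmds)
                and any(re.match(r"ip address \d", c) for c in cmds)):
            findings.append(f"{name}: pool member should have no IP address")
        if "ip address negotiated" in cmds:
            if "ppp authentication pap" in cmds:  # exact match: no 'callin'
                findings.append(f"{name}: PAP without 'callin' also challenges the ISP")
            if not any(c.startswith("ppp pap sent-username") for c in cmds):
                findings.append(f"{name}: no 'ppp pap sent-username' for the ISP account")
    for c in glob:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S*)", c)
        if m:
            findings.append(f"default route via {m.group(1)}, not the dialer interface")
    return findings

# Constructed sample, abridged from the first config in the thread (no credentials).
BEFORE = """interface BRI0
 ip address 192.168.1.2 255.255.255.0
 dialer pool-member 1
!
interface Dialer1
 ip address negotiated
 ppp authentication pap
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""

if __name__ == "__main__":
    print("\n".join(lint_ddr(BEFORE)))
```

Run against the abridged first config it reports four findings; a config with the replies' changes applied reports none.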
09-08-2003 05:26 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
All,
thanks for your interest and help. I'm not getting as far as activating the ISDN call. Say I try and ping an off net IP address say 192.168.1.1 this does not seem to activate "interesting traffic" from the access-list. Is there anything you can see wrong with my access-lists or routing?
Thanks a mill
sh run
Building configuration...
Current configuration : 1223 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxx
!
enable secret 5 xxxxxxxxxxxx
!
username xxxxxxxxxxxxxxx password 0 xxxxxxxxx
ip subnet-zero
!
isdn switch-type basic-net3
!
!
!
interface Loopback1
no ip address
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
!
interface FastEthernet0
ip address 10.20.20.1 255.255.255.0
ip nat inside
speed 10
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 300
dialer string xxxxxxxxxx
dialer load-threshold 1 either
dialer-group 2
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxx password xxxxxxxxxxxx
ppp multilink
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 2 protocol ip list 101
!
line con 0
password xxxxxxxxxxxxx
login
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxx
end
09-08-2003 10:30 AM
I don't see anything wrong. I'd try some debugs:
debug dialer
debug ppp authentication
debug isdn q931
and then try the ping. See what the resulting messages indicate.
HTH
Mark
09-08-2003 12:15 PM
Your configuration looks fine. You should verify that your ISDN line is up with "show isdn status". Make sure that your Layer 1 is active and that your Layer 2 status is TEI assigned. If this checks out I would proceed with
debug isdn q931
debug ppp neg
debug dialer
Daniel
09-09-2003 12:25 AM
Lads,
I did a sh isdn status, Layer1 was active and Layer2 showed Multi-frame established but there was nothing for Layer3. Also I turned on the following debugs;
debug isdn q921
debug ppp neg
debug dialer
and performed the ping but nothing happened except the ping timing out. A "show dialer" did not indicate a call to the number had been made nor did a "show isdn active". I'm a bit confused now. Thanks for your help though.
09-09-2003 01:49 AM
Does "debug isdn q921" give no output at all? That would mean there is a layer 2 problem since you should see periodic q921 messages. (You do have "terminal monitor" turned on I hope).
Furthermore, if your layer2 is ok then "debug isdn q921" will not show anything useful, so change that to "debug isdn q931".
Also "show isdn history" will include terminated calls (including failed calls) whereas "show isdn active" only shows currently active calls.
If all that doesn't tell you more, and if your router is not used for anything else, try "debug ip packet detail" to see what happens with your ping packets. DO NOT do this on a production router since it may produce so much output that the router can hang or crash.
hth
Herbert
09-09-2003 03:02 AM
Lads,
I got rid of the dialer interface and applied all the info to the BRI interface, also I didn't use the access-list 101 but instead used;
dialer-list 1 protocol ip permit
Once I did this it all worked, i.e. debug alarms came up and ISDN connected and the ISP assigned me an IP address. Thanks so much for all your help. Hope I can do the same some time.
regards
Paul