Re: Help with Cisco 857 ADSL configuration

Jobin Varghese · ‎02-07-2010

I have a DSL connection in our office and just found a Cisco 857 router while doing an inventory and thought of using the device as an ADSL modem for my connection instead of the present US Robotics but little did I know that my lack of experience is goona make this a tough task.

Here I am posting my start-up configuration:

Building configuration...

Current configuration : 3546 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SAHARANET
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RWKB$DXerOxv.9UZNo0/E2yMpk1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-364691165
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-364691165
revocation-check none
rsakeypair TP-self-signed-364691165
!
!
crypto pki certificate chain TP-self-signed-364691165
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363436 39313136 35301E17 0D303230 33303130 32323134
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 34363931
31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
88AED869 BF4146E2 0CCFBDCE E3FF1749 DAED60CC 561DBCB8 AC38D0E1 08EE50B6
22CA77DE 378BE869 3B9EE13A D868DF91 2EED88C0 B156650A FD5280D9 5F629396
3529CA75 952E889A C0B3571C 153BA656 8125F70E D5283B9F B251A9EC B2D9DDFA
6C044576 10A45249 2B835875 E1E3BA8C 3BC9528E C56A615C F1D29D92 FA6055BF
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B820953 41484152 414E4554 301F0603 551D2304 18301680 14EBA9A2
E5172B65 AE5001CE 64429064 FED78163 F2301D06 03551D0E 04160414 EBA9A2E5
172B65AE 5001CE64 429064FE D78163F2 300D0609 2A864886 F70D0101 04050003
8181004F B0D43AC8 63A1372B 547E30C0 6A5D2069 C1F24D3E 34447486 4E2754EE
2CDD103B 0DF5BB1B DF97E12A 65BF310B E26C11D6 15E3D972 7E7FF96F DF87CB70
BC55D83A 49691535 7D0B9949 1F5882D8 13CA2FC3 E49B18A8 1B15FC2B 3C04BF3B
7034D89B 441ED09E 2901DC2D CF4845C0 75B085FE 14697425 4B29ECA6 BC0C7CA8 C26626
        quit
dot11 syslog
!
!
ip cef
ip name-server 212.76.68.200
ip name-server 212.76.68.201
!
!
!
username jobin privilege 15 secret 5 $1$VorZ$AJVnnkKBsDvi0pG7xF5QX0
username pacs privilege 15 secret 5 $1$B4lk$q8tfMXH9O1ofAzLEMNZzB1
username admin privilege 15 secret 5 $1$P2y3$Qff5r3Qg135IKKfABBUWC/
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip virtual-reassembly
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.6.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ***@**.sahara.net.sa
ppp chap password 0 ******
ppp pap sent-username ***@**.sahara.net.sa password 0 ******
ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
password cisco
logging synchronous
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

I have used two IP on VLAN 1 as the 192.168.1.1 is supposed to be for our bluecoat device and the 192.168.6.1 is for another UTM device.

I get connected and I get an external IP assigned also. The problem starts from there.

When I telnet the router and ping 4.2.2.2, it is successful. So is it successful when I ping few other domains like facebook.com, gmail.com, google.com, our mail server but the ping fails when I try hotmail.com. The second problem is while I try to surf the net. If I enter any qualified domain address like www.google.com, mail.google.com, or any other I cannot access the page but if I try surfing to Google using the IP address I am shown the page or any other web site with their IP address I am taken to the webpage except hotmail.

Could someone help me as to why I can’t access hotmail and why I am not able to surf using the domain name.

paolo bevilacqua · ‎02-07-2010

On the PC, set DNS to router VLAN, then

conf t

ip dns

int dialer0

ppp ipcp dns request

ppp ipcp route default

no ppp ipcp wins request

int vlan1

ip tcp adjust-mss 1452

no hold-queue 100 out

no ip route 0.0.0.0 0.0.0.0 Dialer0

Note, most ISP that work as PPPoE, do work as PPPoA also, that would allow you use default MTU of 1500.

Jobin Varghese · ‎02-08-2010

Thanks for the Help bevilacqua. The IP dns was the solution.

The new configuratio is:

Building configuration...

Current configuration : 3820 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SAHARANET

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$RWKB$DXerOxv.9UZNo0/E2yMpk1

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-364691165

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-364691165

revocation-check none

rsakeypair TP-self-signed-364691165

!

crypto pki certificate chain TP-self-signed-364691165

certificate self-signed 01

3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33363436 39313136 35301E17 0D303230 33303130 32323134

365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 34363931

31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

88AED869 BF4146E2 0CCFBDCE E3FF1749 DAED60CC 561DBCB8 AC38D0E1 08EE50B6

22CA77DE 378BE869 3B9EE13A D868DF91 2EED88C0 B156650A FD5280D9 5F629396

3529CA75 952E889A C0B3571C 153BA656 8125F70E D5283B9F B251A9EC B2D9DDFA

6C044576 10A45249 2B835875 E1E3BA8C 3BC9528E C56A615C F1D29D92 FA6055BF

02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D

11040D30 0B820953 41484152 414E4554 301F0603 551D2304 18301680 14EBA9A2

E5172B65 AE5001CE 64429064 FED78163 F2301D06 03551D0E 04160414 EBA9A2E5

172B65AE 5001CE64 429064FE D78163F2 300D0609 2A864886 F70D0101 04050003

8181004F B0D43AC8 63A1372B 547E30C0 6A5D2069 C1F24D3E 34447486 4E2754EE

2CDD103B 0DF5BB1B DF97E12A 65BF310B E26C11D6 15E3D972 7E7FF96F DF87CB70

BC55D83A 49691535 7D0B9949 1F5882D8 13CA2FC3 E49B18A8 1B15FC2B 3C04BF3B

7034D89B 441ED09E 2901DC2D CF4845C0 75B085FE 14697425 4B29ECA6 BC0C7CA8 C26626

quit

dot11 syslog

!

ip cef

ip name-server 212.76.68.200

ip name-server 212.76.68.201

!

username jobin privilege 15 secret 5 $1$VorZ$AJVnnkKBsDvi0pG7xF5QX0

username pacs privilege 15 secret 5 $1$B4lk$q8tfMXH9O1ofAzLEMNZzB1

username admin privilege 15 secret 5 $1$P2y3$Qff5r3Qg135IKKfABBUWC/

!

archive

log config

hidekeys

!

interface ATM0

no ip address

ip virtual-reassembly

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 192.168.6.1 255.255.255.0 secondary

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer0

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer remote-name redback

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ***@**.sahara.net.sa

ppp chap password 0 ******

ppp pap sent-username ***@**.sahara.net.sa password 0 ******

ppp ipcp dns request

ppp ipcp route default

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip dns server

ip nat inside source list 1 interface Dialer0 overload

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.6.0 0.0.0.255

dialer-list 1 protocol ip permit

!

control-plane

!

banner motd ^C#############################################################

************************************************

#############################################################^C

!

line con 0

password cisco

logging synchronous

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

en

A new problem that I am facing now is that I cannot telnet using 192.168.1.1 but it is possible through 192.168.6.1. Also I am not able to ping the 1 range from within my network.

Can i get some help on this too.

Haris P · ‎02-08-2010

Dear Joby ,

Please apply the below config. on Dialer 1

interface Dialer10

ip mtu 1442
ip tcp adjust-mss 1394

Another thing instead of standard acl use extended access-list

access-list 123 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 123 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.1.0 0.0.0.255 any

access-list 123 permit ip 192.168.6.0 0.0.0.255 any

ip nat inside source list 123 interface Dialer0 overload

and let me know if it solves your problem or not

Regards,

Haris P

Sahara Net

paolo bevilacqua · ‎02-08-2010

Please apply the below config. on Dialer 1

interface Dialer10

ip mtu 1442
ip tcp adjust-mss 1394

Incorrect, MTU and TCP MSS values for PPPoE are 1492, and 1452 respectively. Furthermore, TCP MSS must be configured on LAN interface, not dialer.

Another thing instead of standard acl use extended access-list

access-list 123 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 123 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.1.0 0.0.0.255 any

access-list 123 permit ip 192.168.6.0 0.0.0.255 any

Incorrect, it is not necessary to use extended ACL for NAT control.

Haris P · ‎02-09-2010

Dear bevilacqua,

I respect your answer , but the MTU value 1442 was recommened by our Telco in Saudi Arabia . Before we were using the default setting (ie MTU 1442) and we face some problem with some applications and our Telco recommended to change the MTU on ADSL modem to 1442 . The issue was due to some intermediate device in Telco that was not passing packets greater than 1442 and i don't know whether they fixed the issue with Telco or not .

Now I have a question , Is there is any problem if I reduce my MTU size to 1442 other than fragmentation issue

I always prefer using extended ACL instead of standard ACL this will give more control .For standard ACL you will be only able to specify source , but on extended you can specify source ,destination and port number . In this case I want to make sure that the traffic from 192.168.1.0/24 to 192.168.6.0/24 and vice versa is not NATed , that ''y I put the extended ACL . But since this the same interface , the traffic will not pass undergo NAT just as a trial i exclde this traffic from NAT

Regards

Haris P

paolo bevilacqua · ‎02-08-2010

Check settings on computers using 192.168.1.x

Please remember to rate useful posts clicking on the stars below without being shy of using 5 where appropriate.

Jobin Varghese · ‎02-10-2010

Well I don't know what made it work but I changed my primary IP from 192.168.1.1 to 192.168.1.254. So now both the IPs are giving ping and I am able to surf the web too. But a few problems I am facing I am putting it down here.

1. I keep getting this error.

Network Error (dns_server_failure)

Your request could not be processed because an error occurred contacting the DNS server.
The DNS server may be temporarily unavailable, or there could be a network problem.

For assistance, contact your network support team.

This error sometimes appear on pages that are displayed like in places where ads appear an like. Also this error comes up when I try to search a word direct from Firefox address bar, which previously used to give a list of Google results. However Google is loaded without any problem when I type in its address in the address bar.

2.

I would like to configure Dynamic DNS on the device and how do i go about this. I am still a beginner and I would like all the help I can in this.

3.

I have noticed that the device at times hangs with the PPP lights out while the others are still up. Is this a device problem or is there any values that I need to change. I also see the device usage at 100%.

Thanks for all the response.

My present configuration is:

Building configuration...

Current configuration : 4004 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SAHARANET
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$RWKB$DXerOxv.9UZNo0/E2yMpk1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-364691165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364691165
 revocation-check none
 rsakeypair TP-self-signed-364691165
!
!
crypto pki certificate chain TP-self-signed-364691165
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363436 39313136 35301E17 0D303230 33303431 38333730
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 34363931
  31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  88AED869 BF4146E2 0CCFBDCE E3FF1749 DAED60CC 561DBCB8 AC38D0E1 08EE50B6
  22CA77DE 378BE869 3B9EE13A D868DF91 2EED88C0 B156650A FD5280D9 5F629396
  3529CA75 952E889A C0B3571C 153BA656 8125F70E D5283B9F B251A9EC B2D9DDFA
  6C044576 10A45249 2B835875 E1E3BA8C 3BC9528E C56A615C F1D29D92 FA6055BF
  02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
  11040D30 0B820953 41484152 414E4554 301F0603 551D2304 18301680 14EBA9A2
  E5172B65 AE5001CE 64429064 FED78163 F2301D06 03551D0E 04160414 EBA9A2E5
  172B65AE 5001CE64 429064FE D78163F2 300D0609 2A864886 F70D0101 04050003
  8181004E 533447D2 F33A90C0 373C8778 DD75BDB8 F2314F65 234A3796 4E4D5224
  AF2407A1 AD460E39 89D0914A 30CD7FD3 A9D69436 1BA548B1 97910770 A13E4B2E
  DF827780 55193E71 5951B910 AEA20F78 03049027 FB801634 2C5B31E7 493AFD7B
  3930E8C5 506AFDEC AD44B0F6 70CE78E4 F44EB7AE 4A20A717 1CC9C5D0 ABFE8C8A F94501
        quit
dot11 syslog
!
!
ip cef
ip name-server 212.76.68.200
ip name-server 212.76.68.201
!
!
!
username jobin privilege 15 secret 5 $1$VorZ$AJVnnkKBsDvi0pG7xF5QX0
username pacs privilege 15 secret 5 $1$B4lk$q8tfMXH9O1ofAzLEMNZzB1
username admin privilege 15 secret 5 $1$P2y3$Qff5r3Qg135IKKfABBUWC/
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.6.1 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ***@**.sahara.net.sa
 ppp chap password 0 ******
 ppp pap sent-username ***@**.sahara.net.sa password 0 ******
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 123 interface Dialer0 overload
!
access-list 123 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 123 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.1.0 0.0.0.255 any
access-list 123 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 123 protocol ip permit
!
control-plane
!
banner motd ^C#############################################################
   ***********************************
#############################################################^C
!
line con 0
 password cisco
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Haris P · ‎02-10-2010

Dear Jobin

1. I keep getting this error.

Configure ISP DNS on your PC statically and see whether it fixes your issue or not ?
Also make sure that you can ping to ISP DNS without any problem .

also you can try Google public DNS servers with below IP

8.8.8.8
8.8.4.4

2.I would like to configure Dynamic DNS on the device and how do i go about this. I am still a beginner and I would like all the help I can in this.

Check the below link
http://www.firewall.cx/tk-cisco-routers-ddns.php

3.I have noticed that the device at times hangs with the PPP lights out while the others are still up. Is this a device problem or is there any values that I need to change. I also see the device usage at 100%.

Check the output of "sh interfaces dialer 0 " and make sure about the utilization and make sure that there is no infected PC in network . If the utilization is too high try connecting only one PC and check whether it solves the problem or not ? .Also if you can just put an email to me

Regards,

Haris

haris123@gmail.com

paolo bevilacqua · ‎02-11-2010

You need to upgrade IOS. Hopefully you can find an image as normally you need a support contract for that.