Cisco 877 (800 series) RFC 2684 (formerly RFC 1483) multi-protocol over ATM: config for Dommel CityConnect (WAN DHCP, ADSL2+)
The config I use for the Belgian provider Dommel with the CityConnect ADSL2+ service they offer.
- WAN IP: DHCP (ATM0.1 point-to-point)
- LAN router IP: 10.10.10.1
- DHCP range: 10.10.10.10 - 10.10.10.240
- DNS server forwarding requests to OpenDNS
- NTP server forwarding requests to 81.246.92.140 and 212.68.213.7 (be.pool.ntp.org IPs)
- Timezone: Paris
- Incoming ACL: 101 (applied inbound on the WAN subinterface ATM0.1)
- Outgoing ACL: 100 (applied inbound on Vlan1, i.e. LAN to WAN traffic)
- SSH via WAN on port 822 (static NAT to port 22 of the router)
- SNMP private string: privateString
- SNMP public string: publiekeString
- Archive log of the previous 300 configuration commands
!* cisco-axelius.axelius.be.CiscoConfig
!* IP Address : 10.10.10.1
!* Community : privateString
!* Downloaded 21/03/2010 19:07:58 by SolarWinds Config Transfer Engine Version 5.5.0
!
! Last configuration change at 19:06:47 Paris Sun Mar 21 2010 by admin
! NVRAM config last updated at 19:06:53 Paris Sun Mar 21 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco-axelius
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ...
!
no aaa new-model
!
resource policy
!
clock timezone Paris 1
! Recurring rule instead of the one-off 2003 dates, so summer time still applies in later years
clock summer-time Paris recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name axelius.be
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto pki trustpoint TP-self-signed-4008809079
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4008809079
revocation-check none
rsakeypair TP-self-signed-4008809079
!
!
crypto pki certificate chain TP-self-signed-4008809079
certificate self-signed 01
30820250 ...
quit
username admin privilege 15 secret 5
archive
log config
logging enable
logging size 300
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
description Fysieke ADSL (ATM) Interface
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) Subinterface t.b.v. Internet
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
protocol ip inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
! Forwards WAN port 822 to the router's own SSH port 22. Note that Dialer0 carries
! no IP address in this config; the WAN address (ip nat outside) is on ATM0.1, so a
! translation bound to Dialer0 has no address to match and should reference ATM0.1.
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp any any eq 822
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any
snmp-server community privateString RW
snmp-server community publiekeString RO
snmp-server location Hasselt
snmp-server contact GregoryBE
!
control-plane
!
banner login #Authorized access only!
Gretech Configured router. Unauthorized access will be logged.#
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179862
ntp master
ntp server 81.246.92.140 prefer
ntp server 212.68.213.7
end
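As an added example (not code from the post), a small Python evaluator for the IOS extended-ACL subset used in access-list 101 above, to check what the inbound WAN filter admits and what it drops; the WAN address 198.51.100.10 and the remote host 203.0.113.5 used in the tests are constructed values.

```python
# Added example (not the post's own code): evaluator for the IOS extended-ACL subset used in access-list 101.
from ipaddress import ip_address, ip_network

# Subset of access-list 101 from the post, in the original order (implicit deny last).
ACL_101 = [
    "permit tcp any any established",
    "permit udp host 208.67.220.220 eq domain any",
    "permit tcp any any eq 822",
    "permit icmp any any echo-reply",
    "permit udp any eq bootps any eq bootpc",
    "deny ip any any",
]
NAMED_PORTS = {"ntp": 123, "domain": 53, "bootps": 67, "bootpc": 68}

def _endpoint(tokens):
    """Pop 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT' -> (network, port)."""
    t = tokens.pop(0)
    if t == "any":
        net = ip_network("0.0.0.0/0")
    elif t == "host":
        net = ip_network(tokens.pop(0) + "/32")
    else:  # an IOS wildcard mask is the bitwise inverse of a netmask
        mask = ip_address(0xFFFFFFFF ^ int(ip_address(tokens.pop(0))))
        net = ip_network((t, str(mask)), strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        port = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return net, port

def parse_ace(line):
    """Parse one entry into action, protocol, src/dst endpoints and a trailing qualifier."""
    t = line.split()
    ace = {"action": t.pop(0), "proto": t.pop(0)}
    ace["src"], ace["sport"] = _endpoint(t)
    ace["dst"], ace["dport"] = _endpoint(t)
    ace["qual"] = t[0] if t else None  # 'established' or an ICMP type name
    return ace

def evaluate(acl, proto, src, sport, dst, dport, established=False, icmp_type=None):
    """First-match lookup; returns 'permit' or 'deny' (implicit deny when nothing matches)."""
    for a in map(parse_ace, acl):
        ok = (a["proto"] in ("ip", proto)
              and ip_address(src) in a["src"] and ip_address(dst) in a["dst"]
              and a["sport"] in (None, sport) and a["dport"] in (None, dport))
        q = a["qual"]  # 'established' needs TCP return traffic; an ICMP type must match
        ok = ok and (established if q == "established" else q in (None, icmp_type))
        if ok:
            return a["action"]
    return "deny"
```

Running it shows the intent of the list: unsolicited SSH on port 22 is dropped while 822 is admitted, and DNS replies are only accepted from the configured OpenDNS resolvers.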
Links:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a5d0.shtml
http://forums.overclockers.com.au/showthread.php?t=460519
May 31st, 2010 - 18:41
Really decent post… I love it. Keep ‘em coming…
November 3rd, 2010 - 19:18
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
I don't quite understand this line: interface Dialer0 in a route-bridged ip configuration..?
Regards, Alge
November 3rd, 2010 - 20:13
This line redirects public port 822 (on the Dialer0 side) to port 22 on the private IP 10.10.10.1 (the address of the router in this case).
(So you can access the SSH server of the router from the internet on port 822.)
Regards, Greg
November 4th, 2010 - 19:58
How would I go about this with a cityconnect fixed wan ip? I tried this using your example but this isn’t working yet as I do not understand enough yet.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WAN
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 warnings
logging console alerts
enable secret 5 lalaladelidoe
!
no aaa new-model
clock timezone Paris 1
!
crypto pki trustpoint TP-self-signed-3350390588
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3350390588
revocation-check none
rsakeypair TP-self-signed-3350390588
!
!
crypto pki certificate chain TP-self-signed-3350390588
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.241 192.168.1.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
no ip bootp server
no ip domain lookup
ip domain name cool.be
ip name-server 193.109.184.72
ip name-server 193.109.184.75
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username mutepower privilege 15 secret 5 oiuy.
!
!
archive
log config
logging enable
logging size 400
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 5
!
bridge irb
!
!
interface ATM0
description Fysieke ADSL (ATM) Interface
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) Subinterface 4 Internet
ip address 83.101.77.77 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
protocol ip inarp
!
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description de default vlan
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip default-gateway 83.101.77.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.101.77.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 193.109.184.72 eq domain any
access-list 101 permit udp host 193.109.184.75 eq domain any
access-list 101 permit tcp any any eq 822
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any
snmp-server community privateString RW
snmp-server community publiekeString RO
snmp-server location Hasselt
snmp-server contact GregoryBE
!
!
!
!
control-plane
!
bridge 1 route ip
banner login #Authorized access only!
#
!
line con 0
exec-timeout 0 0
logging synchronous
login local
no modem enable
transport output telnet
line aux 0
login local
no exec
transport input all
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179862
ntp master
ntp server 81.246.92.140 prefer
ntp server 212.68.213.7
end
November 5th, 2010 - 20:08
It is not necessary to configure your fixed IP; the fixed IP will be assigned by Dommel.
Greets,
Greg
November 5th, 2010 - 20:50
Ah, okay, thanks for the tip Gregory, I'll try that.
November 5th, 2010 - 21:41
Yup, cheers, not trying to fix an IP did the trick.