If you have a DSL Connection than often times you’re going to have a DSL modem provided by your ISP. This modem however is fairly standardized in which case you can replace it with the HWIC-1ADSL which supporst up to the aDSL2+ Standard. Often times when you browse through your modem management page it shows very little information with regards to troubleshooting and basic monitoring of the circuit. the aDSL WIC/HWIC provides deteiled information when it comes to the actual underlying ATM circuit.
First off lets make sure you’re aware of the difference between the WIC-1ADSL and the HWIC-1ADSL. The WIC-1ADSL only supports ADSL over POTS with Annex A ITU 992.1 which is limited to 8Mbps due to the WIC shared bus architecture. The HWIC-1ADSL however supports ADSL over basic telephone service with Annex A ITU G. 992.1 (ADSL), G.992.3 (ADSL2), and G.992.5 (ADSL2+).
If you only have a WIC-1ADSL, newer standards such as aDSL2+ is backwards compatiable with ITU 992.1 so no worries. Keep in mind if you want to use an HWIC-1ADSL you’re going to need an Integrated Services Router (1800, 2800, 3800) or newer.
Quick Blog Summary
In this blog I’m going to discuss, demonstrate and verify the configuration of an aDSL Circuit terminated using a HWIC-1ADSL on a Cisco 2811. I will also be configuring this router to perform basic home office functions such as DHCP, ATM Interface Config, Dialer Interface Config, NAT, ZBF (Zone Based Firewall) and Port forwarding.
In order to utilize the Zone Based Firewall feature you’re going to need the Adv Security or greater IOS Image on your ISR.
If you’re using this blog to configure your very own router than you’re going to need a few pieces of information before you get started. First being your PPPoE Username and Password along with the VPI/VCI information used by your ISP. In this blog we’re using Verizon DSL Services so our VCI/VPI is 0/35
General Router Config
Before we get started in configuring the DSL stuff lets first start with some basic router configuration such as hostname, local logging, ssh configuration, local username/passwords, vty access-list, dns proxy and inside interface. Most of the general router configuration is fairly common so I wont get into the details, just review the config provided below;
service password-encryption ! hostname 2811-ADSL-ROUTER ! logging buffered 1048576 notifications ! aaa new-model aaa authentication login default local aaa authorization console aaa authorization exec default local if-authenticated ! username jsmith privilege 15 password Cisco$123 ! ip domain-name FREECCNAWORKBOOK.COM ip dns server ! interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 ip virtual-reassembly in no shut ! no ip http server no ip http secure-server ! crypto key gen rsa general-keys modulus 2048 ! ip access-list extended VTY_ACCESS permit ip 192.168.1.0 0.0.0.255 any ! line vty 0 4 access-class VTY_ACCESS in transport input ssh ! end
In a nut shell, SSH has been enabled and telnet has been disabled along with an SSL access-list and the local LAN interface has an IP Address of 192.168.1.1/24 and DNS Proxy has been configured.
Next up is the DHCP Configuration
ip dhcp pool SOHO_NETWORK network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 192.168.1.1
ATM Interface Config
So now we’re getting into the nitty gritty and configuring the actual HWIC-1ADSL Interface which if installed into slot0 of the Cisco 2811 will be ATM0/0/0
In a nut shell the ATM interface configuration is extremely simple. It is recommended by best practice to create a sub-interface which represents the PVC that will be used for the DSL Service. In this case with Verizon the PVC is 0/35 so we’re going to use sub-interface ATM0/0/0.35 as shown below;
interface ATM0/0/0 no ip address no atm ilmi-keepalive ! interface ATM0/0/0.35 point-to-point pvc 0/35 pppoe-client dial-pool-number 1 !
Also note the pppoe-client dial-pool-number 1 command that is configured under the PVC. This command is used to bind the PVC to the dial pool member 1 using the PPPoE Client.
Dialer Interface Config
Next up is where most of the WAN interface configuration resides. The Dialer Interface is responsible for authenticating via PPPoE using PAP or CHAP and negotiating an IP Address. Because PPPoE utilizes an MTU of 1492 this is where that would be set.
The Dialer interface is where you must provide your CHAP and/or PAP username configuration.
interface Dialer1 description ### aDSL PPPoE Dialer Interface ### mtu 1492 ip address negotiated ip virtual-reassembly in encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer idle-timeout 0 dialer persistent ppp authentication chap pap callin ppp chap hostname email@example.com ppp chap password Cisco$123 ppp pap sent-username firstname.lastname@example.org password Cisco$123 ppp ipcp route default ppp ipcp dns accept !
You’ll should notice the dialer pool 1 command which is used to associate the dialer interface with pool. Pool 1 is also associated to interface ATM0/0/0.35 PVC 0/35. With the dialer persistent command configured, the interface will automatically attempt to dial, in this case authenticate via PPPoE over the ATM PVC.
The ip tcp adjust-mss 1452 is extremely important and most people commonly forget to configure it or configure it in the wrong location. This command is configured on the Dialer interface, not the local LAN physical interface as this would affect ALL traffic traversing the router and not just traffic passing through the PPPoE Dialer Interface. In a nut shell this command is used to ensure that TCP sessions negotiate an MTU lower than the maximum MTU needed to send/receive traffic on the dialer interface. If you forget to configure this command you’ll notice that some websites load and some don’t.
At this point you should be able to authenticate and receive an IP Address and ping to 126.96.36.199 because you’re accepting the default route provided via PPPoE Authentication due to the ppp ipcp route default command being configured on the dialer interface. You should also be accepting the DNS servers being provided via DHCP from your ISP.
2811-ADSL-ROUTER#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.1.1 YES unset up up FastEthernet0/1 unassigned YES unset administratively down down ATM0/0/0 unassigned YES unset up up ATM0/0/0.35 unassigned YES unset up up Dialer1 188.8.131.52 YES IPCP up up Virtual-Access1 unassigned YES unset up up 2811-ADSL-ROUTER# 2811-ADSL-ROUTER#ping 184.108.40.206 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms 2811-ADSL-ROUTER
If you are not able to obtain an IP Address first verify physical connectivity. This can be done via the show dsl interface atm0/0/0 command as demonstrated below;
2811-ADSL-ROUTER#show dsl interface atm0/0/0 ATM0/0/0 Alcatel 20190 chipset information ATU-R (DS) ATU-C (US) Modem Status: Showtime (DMTDSL_SHOWTIME) DSL Mode: ITU G.992.1 (G.DMT) Annex A ITU STD NUM: 0x03 0x1 Vendor ID: 'STMI' 'ALCB' Vendor Specific: 0x0000 0x0000 Vendor Country: 0x0F 0x0F Chip ID: C196 (3) DFE BOM: DFE3.0 Annex A (1) Capacity Used: 99% 84% Noise Margin: 6.0 dB 8.0 dB Output Power: 14.0 dBm 12.0 dBm Attenuation: 62.5 dB 31.5 dB FEC ES Errors: 0 0 ES Errors: 1258 140 SES Errors: 0 0 LOSES Errors: 0 0 UES Errors: 0 0 Defect Status: None None Last Fail Code: None Watchdog Counter: 0xAF Watchdog Resets: 0 Selftest Result: 0x00 Subfunction: 0x00 Interrupts: 57826 (0 spurious) PHY Access Err: 0 Activations: 10 LED Status: OFF LED On Time: 0 LED Off Time: 0 Init FW: init_AMR-4.0.015_no_bist.bin Operation FW: AMR-4.0.015.bin FW Source: embedded FW Version: 4.0.15 Interleave Fast Interleave Fast Speed (kbps): 992 0 448 0 DS User cells: 1677 0 US User & Idle cells: 7865597 0 Reed-Solomon EC: 44165 0 0 0 CRC Errors: 57 0 2 0 Header Errors: 38 0 1 1 Total BER: 1600E-9 0E-0 Leakage Average BER: 1278E-9 0E-0 ATU-R (DS) ATU-C (US) Bitswap: enabled enabled LOM Monitoring : Disabled DMT Bits Per Bin 000: 0 0 0 0 0 0 0 6 7 7 7 6 6 6 6 6 010: 6 5 5 5 5 6 6 7 7 6 6 6 5 4 0 0 020: 0 0 0 0 0 0 0 5 5 6 6 6 7 0 7 7 030: 7 7 8 8 8 8 8 8 8 7 8 7 2 7 7 7 040: 7 5 5 4 5 5 5 5 5 5 5 2 5 5 5 4 050: 4 4 4 4 4 4 5 5 5 5 4 0 2 2 2 3 060: 3 3 3 2 2 2 2 0 0 0 0 0 0 0 0 0 070: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 080: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 090: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0A0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0B0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0C0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0D0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0E0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0F0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 DSL: Training log buffer capability is not enabled 2811-ADSL-ROUTER#
If the CD LED on your HWIC card is illuminated than that means the Carrier is Detected in which case you should be able to verify the signal attenuation, noise margin and other circuit information using the show dsl interface atm0/0/0
If your DSL circuit successfully trained you’ll also notice your Speed (kbps), in this case its 992 down and 448 up. After the circuit is trained and you’re still not getting an IP Address make sure your authentication configuration is correct and you can debug the authentication using the debug ppp authentication
Because ISP’s typically only give you a single DHCP IP Address you can use NAT Overload (Dynamic NAT) to NAT multiple inside nodes to a single outside IP Address. This configuration is relatively simple and provided in the example below;
interface FastEthernet0/0 ip nat inside ! interface Dialer1 ip nat outside ! ip access-list extended DYNAMIC_NAT_ACL permit ip 192.168.1.0 0.0.0.255 any ! ip nat inside source list DYNAMIC_NAT_ACL interface Dialer1 overload !
With the dynamic nat configuration completed you should now be able to ping out to 18.104.22.168 sourced from your LAN interface as shown below;
2811-ADSL-ROUTER#ping 22.214.171.124 source fa0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds: Packet sent with a source address of 192.168.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms 2811-ADSL-ROUTER#
Zone Based Firewall (ZBF Configuration)
Because NAT alone will not protect you on the internet, Cisco IOS offers a Zone Based Firewall feature which we’re going to configure. This blog will not go into depth regarding ZBF but if you want to know more about ZBF than check out the Zone Based Firewall Configuration lab found in the CCNA Security Workbook
zone security TRUSTED zone security INTERNET ! interface FastEthernet0/0 zone-member security TRUSTED ! interface Dialer1 zone-member security INTERNET ! zone-pair security TRUSTED->INTERNET source TRUSTED destination INTERNET zone-pair security TRUSTED->TRUSTED source TRUSTED destination TRUSTED ! class-map type inspect match-any TRUSTED_TO_INTERNET_PROTOCOL_INSPECTION match protocol http match protocol ftp match protocol smtp match protocol https match protocol dns match protocol ssh match protocol pop3 match protocol imap match protocol telnet match protocol sip match protocol rtsp match protocol tcp match protocol udp match protocol icmp ! policy-map type inspect TRUSTED_TO_INTERNET class type inspect TRUSTED_TO_INTERNET_PROTOCOL_INSPECTION inspect ! policy-map type inspect TRUSTED class class-default pass ! zone-pair security TRUSTED->INTERNET service-policy type inspect TRUSTED_TO_INTERNET zone-pair security TRUSTED->TRUSTED service-policy type inspect TRUSTED_TO_TRUSTED !
In order to verify that the Zone Based Firewall Configuration is working correctly we’ll use the show policy-map type inspect zone-pair command as demonstrated below while pinging 188.8.131.52 from FastEthernet0/0
2811-ADSL-ROUTER#show policy-map type inspect zone-pair policy exists on zp TRUSTED->INTERNET Zone-pair: TRUSTED->INTERNET Service-policy inspect : TRUSTED_TO_INTERNET Class-map: TRUSTED_TO_INTERNET_PROTOCOL_INSPECTION (match-any) Match: protocol http 4 packets, 95 bytes 30 second rate 0 bps Match: protocol icmp 1 packets, 40 bytes 30 second rate 0 bps Match: protocol ftp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol smtp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol https 7 packets, 140 bytes 30 second rate 0 bps Match: protocol dns 2 packets, 122 bytes 30 second rate 0 bps Match: protocol ssh 0 packets, 0 bytes 30 second rate 0 bps Match: protocol pop3 0 packets, 0 bytes 30 second rate 0 bps Match: protocol imap 0 packets, 0 bytes 30 second rate 0 bps Match: protocol telnet 0 packets, 0 bytes 30 second rate 0 bps Match: protocol sip 0 packets, 0 bytes 30 second rate 0 bps Match: protocol rtsp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol tcp 10 packets, 256 bytes 30 second rate 0 bps Match: protocol udp 1 packets, 56 bytes 30 second rate 0 bps Inspect Packet inspection statistics [process switch:fast switch] tcp packets: [0:13] udp packets: [12:2] icmp packets: [0:48] Session creations since subsystem startup or last reset 5 Current session counts (estab/half-open/terminating) [4:0:0] Maxever session counts (estab/half-open/terminating) [4:1:1] Last session created 00:00:06 Last statistic reset never Last session creation rate 5 Maxever session creation rate 5 Last half-open session total 0 TCP reassembly statistics received 0 packets out-of-order; dropped 0 peak memory usage 0 KB; current usage: 0 KB peak queue length 0 Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes policy exists on zp TRUSTED->TRUSTED Zone-pair: TRUSTED->TRUSTED Service-policy inspect : TRUSTED_TO_TRUSTED Class-map: class-default (match-any) Match: any Pass 0 packets, 0 bytes 2811-ADSL-ROUTER
Port Forwarding (PAT Configuration)
There are many cases where people may want to perform port forwarding to network resources inside the network. Such as Web Servers, FTP Servers, DNS Servers or other services that should be publicly accessible.
In this example we’re going to configure port forwarding of TCP port 8080 on the IP Address assigned to the Dialer Interface to the server 192.168.1.25 port 80
ip nat inside source static tcp 192.168.1.25 80 interface dialer1 8080
Now that the NAT statement is configured you must keep in mind that we have ZBF configured and thus we’re required to “punch a hole” through the firewall. The following configuration is an example of a ZBF policy permitting INTERNET traffic to the TRUSTED zone which references an ACL named INTERNET_TO_TRUST_PERMITTED_TRAFFIC;
class-map type inspect match-any INTERNET_TO_TRUSTED match access-group name INTERNET_TO_TRUSTED_PERMITTED_TRAFFIC ! policy-map type inspect INTERNET_TO_TRUSTED class type inspect INTERNET_TO_TRUSTED inspect class class-default drop ! zone-pair security INTERNET->TRUSTED source INTERNET destination TRUSTED service-policy type inspect INTERNET_TO_TRUSTED ! ip access-list extended INTERNET_TO_TRUSTED_PERMITED_TRAFFIC permit tcp any host 192.168.1.25 eq www !
Note that the access control list entries should reference the REAL IP Address. Once this is all configured you can verify the configuration by having someone attempt to test the PAT statement.
If it is unsuccessful than verify your ZBF Configuration and NAT Statement. You should know that some ISP’s will prevent you from hosting your own network servers unless you have a business class account.