Cisco DHCP

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
My Cisco 1605R does not appear to be getting an IP address from my Internet provider (Comcast) via DHCP. Before Comcast switched me over to their network (from @Home) I had two statics: one I applied to my E0 interface, the other was used for my NAT pool. Yesterday, prior to the switch, I configured the router to obtain an IP (E0) but for some reason it would not. As soon as I would plug straight into my NIC I received an IP from Comcast. I've never done DHCP with my router. I flashed the router yesterday, so the router is definitely capable; the config shows that I'm set up for DHCP at E0 but it just won't obtain the IP. I do a "sh int e0" and all it says is ip address assigned via DHCP but it does not have an IP address... any clue? I've applied the IP assigned (via my NIC) to the E0 interface for now and I'm getting out, but this IP is going to change weekly so I don't want to have to do this every week if I don't have to (I will if I have to, as I have two NICs, one in the DMZ, so this makes obtaining the IP pretty simple). I would like to just set it and forget it if possible... Thanks.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
I'm just guessing.
Perhaps the new ISP is looking for a specific MAC (i.e. the one on your NIC)?
I'm not familiar with the model router you are using now, but is there a way to clone the MAC from the NIC to the router? I know cheaper routers (Linksys) have this feature, so a Cisco router should, no?
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
That's the thing... If I unplug the modem for 20-30 seconds, the IP will be assigned to a different MAC address, so I don't think that's the problem. I have two NICs and I can switch between the two as long as I completely disconnect the power from the modem before switching devices.
 

EasyE

Junior Member
Jun 8, 2001
14
0
0
Have you tried doing a sniffer trace to see if the router's sending out DHCP requests or anything, getting anything back? If you need a sniffer go to www.ethereal.com. I take it the cable modem is hanging off E0 somewhere.

Post your Cisco config... but the config for getting a DHCP address is pretty simple (ip address dhcp), so not really much there that could go wrong unless it is a buggy IOS or something.
 

sml

Member
Dec 26, 2001
193
0
0
Last time I ran into an issue similar to this I was using a PIX 515 with a class C address space NAT'd behind it and was serving DHCP addresses for that range off the PIX, which got its Interface0 IP via DHCP from a cable modem; problem ended up being a filter on packets coming from 255.255.255.255 that got stuck into the rulebase - check your router for something similar.
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
Thanks for your suggestions guys...

Here's my current config. My next step is to take this router down and connect it to a DHCP server on my LAN and see if it will obtain from there so I can test that the router can obtain an address.


interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
ip nat outside
ip inspect Serial_In in
ip inspect Serial_Out out (inspect statements omitted)
!
interface Ethernet1
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 50 permit any
access-list 75 permit 10.0.0.0 0.255.255.255
access-list 100 permit gre any any
!
line con 0
access-class 75 in
line vty 0 4
access-class 75 in
password 7 xxxxxxxxxxx
login
!
end

Router#
 

FFC

Member
Oct 23, 2001
100
0
0
You're only permitting gre packets to come in from e0 in access list 100.

As a quick test take off the following statements from e0

ip access-group 100 in
ip inspect Serial_In in

For security disconnect E1 and watch what happens via the console port.

To see exactly what is going on run debug from a console session with the command
debug ip packet detail to see what's coming in. Also either set logging buffered 32384 to log what comes in that interface to the router's log buffer or simply log the session via the terminal emulator on your PC. If you're not sure what's happening post the results back here so others can help.
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
FFC... It worked!!!! I removed the access-group from E0 and changed the ip address to "dhcp", unplugged the modem for 30 seconds and voila! I am now obtaining an IP at e0 from my ISP. Now I have to find out what to permit (ports) in to allow DHCP. For now I have ZoneAlarm performing my firewall duty... Thanks a million!
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
Of course it worked. Your ACL was only allowing gre packets from the inside (anything connected to that int). Remember, there's an implicit deny statement on all Cisco ACLs. And if you apply the ACL as an in filter it filters anything coming into that interface directly; as an out filter, in this case, it's going to filter anything forwarded to it from another interface.
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
That's why I come here, Damaged... you guys are brilliant... now it's time to get my inspect statements right...
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76
My new config... works like a charm... but my VPN isn't connecting. Oh well, back to work.

interface Ethernet0
ip address dhcp
ip access-group 100 in
ip nat outside
ip inspect Serial_In in
ip inspect Serial_Out out
!
interface Ethernet1
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 50 permit any
access-list 75 permit 10.0.0.0 0.255.255.255
access-list 100 permit gre any any
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip any any
!
line con 0
access-class 75 in
line vty 0 4
access-class 75 in
password 7 xxxxxxxxx
login
!
end

Router#
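
Added example, not part of any post in this thread: a first-match evaluator for the two versions of access-list 100 posted above, showing how the one-line ACL sent the DHCP server's reply to the implicit deny while the revised ACL admits it. The parser handles only the `any any [eq port]` forms used in the thread, and the three sample packets are constructed.

```python
# Added example: first-match evaluation of the thread's "access-list 100" lines.
# Supports only the syntax that appears in the thread:
#   access-list N permit|deny <proto> any any [eq <port>] [log]
PORTS = {"bootps": 67, "bootpc": 68}  # IOS keywords for DHCP server/client UDP ports

def parse_acl(text, number):
    """Return [(action, proto, dst_port)] for the given ACL number."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, proto, src, dst = tok[2:6]
        if src != "any" or dst != "any":
            raise ValueError("only 'any any' is handled here: " + line)
        port = None
        if "eq" in tok:  # 'eq' after the destination matches the destination port
            name = tok[tok.index("eq") + 1]
            port = PORTS[name] if name in PORTS else int(name)
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, dst_port=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, r_proto, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny (implicit)"

ORIGINAL = "access-list 100 permit gre any any"
REVISED = """access-list 100 permit gre any any
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip any any log"""

# Constructed packets as seen inbound on Ethernet0.
DHCP_REPLY = ("udp", 68)      # server -> client, destination port bootpc
GRE_TUNNEL = ("gre", None)
INBOUND_TELNET = ("tcp", 23)

def verdicts(acl_text):
    rules = parse_acl(acl_text, 100)
    return [evaluate(rules, *p) for p in (DHCP_REPLY, GRE_TUNNEL, INBOUND_TELNET)]

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))
    print("revised: ", verdicts(REVISED))
```

The explicit final `deny ip any any` changes no verdict compared with the implicit deny; it only gives a line to which `log` can be attached.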
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
There's a number of debugging statements you could try, however, you may want to try changing your last statement in acl 100 from access-list 100 deny ip any any, to: access-list 100 deny ip any any log.

Now:

conf t
service timestamps debug datetime
service timestamps log datetime
end
write

I hate looking at local logs on a cisco router relative to router uptimes. Just mho though.

Now, try some VPN conns, then sh logging on the router and scroll through it to get an idea of what's getting denied and why.
 

y2kc

Platinum Member
Sep 2, 2000
2,547
0
76


<< ...but my vpn isn't connecting. oh well, back to work >>



Found the problem: software firewall (ZA). I installed it before I had my router configured for DHCP (I was wide open before I applied the IP address Comcast gave me to my e0). I remembered having a problem with ping last time I installed ZA despite closing the app. Uninstalling ZA did the trick.
 