Kostis
Netzwerkberatung
Konstantinos Kostis
Talstr. 25, D-63322 Rödermark
Tel. +49 6074 881056, FAX 881058
kosta@kostis.net, http://www.kostis.net/
You may use this information free of charge at your own risk.
I've been asked a number of times how to configure a Cisco ISDN router to connect to an ISP using ISDN PPP dial on demand. Despite the fact that consultancy is my business and not my hobby, I have decided to give out this information "for free" in order to save us time - both me and those asking anyway. :P
I have compiled this little page using the tons of info material provided by Cisco on their web site free of charge (in other words you can look it up, too). I will from now on ignore any further requests regarding "free of charge" Cisco configuration information. If you want to consult with me, you can hire me. ;)
This document describes a Cisco IOS 12.0 NAT sample configuration for an ISDN dialup connection using PPP to T-Online, a major ISP in Germany. Cisco IOS 12.0 was the first Cisco IOS version with NAT included in the basic IP Feature Pack (no additional costly feature pack needed). Most of the configuration is generic and should work for any ISDN dialup PPP connection to ISPs.
This sample configuration is based on the following design assumptions:
design assumption | remark |
LAN IP Subnet 192.168.1.0/24 (/24 aka 255.255.255.0) | this is a private network address (RFC1918) |
router IP address 192.168.1.1 | this can be changed, of course |
no routing to other subnets | |
no DNS needed on router | |
European DSS1 ISDN connection | aka Euro-ISDN |
clients configured to use router as gateway | |
clients configured to use external DNS server(s) | |
Using a proxy, your clients won't need DNS servers for Internet access but at least your proxy will need to be configured to use DNS unless your proxy is configured to be a slave of some other proxy. Confused, yet? ;)
Depending on the operating system used on your clients and your infrastructure, your DNS servers may be local DNS servers (eg. Linux/FreeBSD/etc.) or DNS servers run by your ISP (Microsoft machines usually "like" this). If all you have is a number of PCs running a Microsoft OS and your Cisco router, you sure need to configure your clients to use your ISP's DNS servers. This information should be available from them.
T-Online provides DNS on 194.25.2.132 and 194.25.2.131 and 194.25.2.129 and who knows where else. These things can change so check them before you configure them on your clients. Better yet: run your own caching DNS server if you can.
In this sample configuration the router is named risp internally. You can change that to whatever you prefer with no impact on functionality, but please follow the rules for hostnames (RFC1035).
Some changes must be made before you can use this configuration consisting basically of replacing placeholders for usernames by real usernames and placeholders for passwords by real passwords of your choice or given to you by your ISP. Placeholders that need to be changed are:
Placeholder | Function |
%enablepassword% | password needed to switch to Cisco enable mode |
%consolepassword% | password for console logins |
%telnetpassword% | password for telnet logins |
Depending on your ISP and the account information given to you by them, there is more to configure. The placeholders that need to be changed for ISP authentication are:
Placeholder | Function |
%aaaaaaaaaaaa% %tttttttttttt% %mmmm% | username for pap/chap |
%pppppassword% | password for pap/chap |
T-Online usernames are comprised of three parts:
Placeholder | Function |
%aaaaaaaaaaaa% | "Anschlußkennung" - twelve digits |
%tttttttttttt% | "T-Online Nummer" - twelve digits / if shorter, add " #" at the end |
%mmmm% | "Mitbenutzerkennung" - default is " 0001" |
After you enter passwords, they will be encrypted in router memory (that's what service password-encryption is for).
A Cisco configuration can only be viewed (eg. using 'write terminal' or 'show running-config') after giving the enable secret on your router so keep this enable secret password a real secret. All other passwords can be decrypted using certain tools (type 7 passwords can easily be decrypted, type 5 are tough to hack), so don't leave printouts of your configuration lying around. Secure all servers storing your configuration files. It's beyond the scope of this document to explain how to do this.
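To check a saved copy of a configuration for the password types mentioned above, the following added example (not part of the original page) lists each stored credential by its type digit and produces a redacted copy for printing or sharing. The excerpt, user name and encoded values in it are constructed sample data.

```python
import re

# Type digit IOS prints in front of a stored credential.
TYPES = {"0": "cleartext", "5": "one-way MD5 hash", "7": "reversible encoding"}

# "password"/"secret" keyword, optional type digit, then the value at end of line.
CRED = re.compile(r"\b(password|secret)\s+(?:([057])\s+)?(\S+)\s*$")

# Constructed excerpt; user name, hash and encoded strings are made-up values.
SAMPLE = """\
enable secret 5 $1$made$upHashValueForExample
!
interface Dialer1
 ppp chap hostname EXAMPLEUSER
 ppp chap password 7 0000000000
 ppp pap sent-username EXAMPLEUSER password 7 0000000000
!
line con 0
 password 7 0000000000
line vty 0 4
 password telnetpw
 login
"""

def audit(config_text):
    """Return (section, type digit, type name) for each stored credential."""
    findings, section = [], "global"
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # unindented line: new section or global command
            section = line if line.startswith(("interface ", "line ")) else "global"
        m = CRED.search(line)
        if m:
            digit = m.group(2) or "0"  # no digit means the value is cleartext
            findings.append((section, digit, TYPES[digit]))
    return findings

def recoverable(config_text):
    """Credentials a reader of the file can recover (everything but type 5)."""
    return [f for f in audit(config_text) if f[1] != "5"]

def redact(config_text):
    """Replace credential values so the config can be printed or shared."""
    def blank(m):  # keep keyword and type digit, drop only the value
        return m.group(0)[: m.start(3) - m.start(0)] + "<removed>"
    return "\n".join(CRED.sub(blank, l) for l in config_text.splitlines())
```

In the sample, only the enable secret is stored as type 5; the ISP credentials under Dialer1 and both line passwords are recoverable by anyone who can read the file.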
In this sample configuration design I assume you want to limit the configuration to use a single B-channel (hence 64000 bps max. bandwidth). If you want to use channel bundling (both B-channels resulting in twice the speed but usually also twice the cost, hence 128000 bps), add the following two lines to the interface Dialer1 section of the configuration below:
dialer load-threshold 10 outbound
ppp multilink
10 is the threshold at which the second channel kicks in. Possible values are from 1 to 255. The higher the value the heavier/longer traffic needs to be there before the second channel kicks in. 10 is a rather low value and is recommended only if you expect heavy use and want to prevent unnecessary delays.
The configuration sample is in the same format in which your router stores its configuration on a TFTP server, or what it would show when you do a 'write terminal'. It's not necessarily in the order in which you have to type things in, so if you get an error message that you need to define something before you can do whatever you were just about to do, define that something (most likely listed a few lines below) and try again.
In order not to confuse you even more by giving you two versions and since the scope of this document does not include a tutorial on Cisco CLI (Command Line Interface) which is nicely documented by Cisco, I at least want to give you a hint there is something about the bush. You need to be able to navigate around 'enable', 'configure terminal' and such things without my help.
The following Cisco ISDN PPP dial on demand configuration sample has been created for IOS 12 and ISP T-Online. It has last been tested on a Cisco 1003 using IOS 12.0(21a) equipped with 2 MB Flash, 8 MB DRAM. Cisco asks for 4 MB Flash but the Cisco 1003 IOS 12.0 "IP Only" image fits into a 2 MB Flash card just fine. This configuration should work with any IOS >= 12.0.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname risp
!
enable secret %enablepassword%
!
ip subnet-zero
no ip finger
no ip domain-lookup
no ip name-server
isdn switch-type basic-net3
!
!
!
interface Ethernet0
 description LAN connection
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
interface BRI0
 description physical ISDN interface
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer rotary-group 1
 isdn switch-type basic-net3
 no cdp enable
!
interface Dialer1
 description connection to Internet via t-online
 ip address negotiated
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 300
 dialer string 0191011
 dialer hold-queue 10
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname %aaaaaaaaaaaa% %tttttttttttt% %mmmm%
 ppp chap password %pppppassword%
 ppp pap sent-username %aaaaaaaaaaaa% %tttttttttttt% %mmmm% password %pppppassword%
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
no ip http server
!
line con 0
 password %consolepassword%
 login
line vty 0 4
 password %telnetpassword%
 login
!
end
Make sure to store your configuration in NVRAM every time you make changes:
copy running-config startup-config
If you fail to do this, your changes will be lost the next time your router reboots (eg. due to power failure).
Things you may very likely want to change are highlighted like this:
Configuration Line | Potential Change |
hostname risp | you may want to change the internal name of the router |
dialer string 0191011 | this is the ISP's MSN to call - depends on your ISP |
The following line needs to be changed if you want a different IP subnet on your LAN side:
Configuration Line | Potential Change |
ip address 192.168.1.1 255.255.255.0 | you may want to change the router's IP address and subnet mask |