Posted by: rolande | June 22, 2007

Configuring a Cisco Router for SBC at&t DSL Internet Access


The following is a configuration example taken from my own Cisco router, which I use for DSL Internet access at home with the Cisco WIC-1ADSL module. When I get a chance I will add a list of detailed comments on the relevant portions; hopefully this one document will cover the majority of frequently asked configuration questions. I started from examples found in the SBC Forum FAQs on www.dslreports.com, so I figured I'd put this document out here to help anyone else save a little time.

The information supplied in this configuration is in no way guaranteed to work in every situation, nor is it supported by the author. Every service provider has different default configurations and requirements, so your mileage may vary. This document is meant to provide an example of generally accepted configuration practices for SBC ADSL service. In Cisco's notation a line beginning with ! is a comment; non-commented lines are the actual configuration syntax as it would be entered on the Cisco router.

In order to support the WIC-1ADSL module on the 2600 platform, you must run T-train IOS code. At the time of this post I am running 12.2(15)T10 Enterprise FW/IDS Plus IPSEC 3DES.

SBC uses ATM PVC 0/35 by default for all new bundled-loop customers. If you are assigned a block of 5 static IP addresses, what you actually have is a /29: 8 addresses, of which the first and last are reserved for the network and broadcast addresses, leaving 6 usable, and 1 of those is reserved by default for a router. Assign the last usable address in the range to the dialer interface on your router; this is the address assigned by default during PPPoE negotiation. You must define your user ID as username@static.sbcglobal.net in order to be assigned your static address block.
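As an added example (not part of the original post), here is the carving-up of a static block described above, worked out for any prefix length with Python's standard ipaddress module. It assumes the constructed documentation block 203.0.113.8/29 as a stand-in for the x.x.x.x placeholders used in the configuration, and besides the dialer address it derives the wildcard mask (0.0.0.7) that the extended ACLs use for the own-block anti-spoofing line and the netmask (255.255.255.248) used on the Dialer interface and the NAT pool:

```python
import ipaddress


def static_block_plan(cidr: str) -> dict:
    """Split a static block the way the post describes.

    First address = network, last = broadcast, and the last usable host goes
    on the Dialer interface. Also returns the netmask and the IOS wildcard
    mask (bitwise inverse of the netmask) that the ACLs and NAT pool need.
    Works for any prefix length that still has network/broadcast addresses.
    """
    net = ipaddress.ip_network(cidr, strict=True)   # raises if host bits are set
    if net.prefixlen > 30:
        raise ValueError("a /31 or /32 has no separate network/broadcast addresses")
    hosts = list(net.hosts())        # excludes network and broadcast
    dialer = hosts[-1]               # last usable address, per the post
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),           # e.g. 0.0.0.7 for a /29
        "total": net.num_addresses,
        "usable": len(hosts),
        "first_usable": str(hosts[0]),
        "dialer_address": str(dialer),
        # The IOS lines that depend on these numbers (pool name as in the post).
        "dialer_line": f"ip address {dialer} {net.netmask}",
        "spoof_deny": f"deny ip {net.network_address} {net.hostmask} any log-input",
        "nat_pool": f"ip nat pool GlobalHide {dialer} {dialer} netmask {net.netmask}",
    }


if __name__ == "__main__":
    # Constructed example block from the documentation range; real SBC blocks differ.
    for key, value in static_block_plan("203.0.113.8/29").items():
        print(f"{key:15} {value}")
```

The strict=True check is deliberate: if the block you were given does not start on a /29 boundary, the ValueError tells you the prefix length or the starting address is wrong before you type it into the router.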

DISCLAIMER

No Warranty of any kind is expressed or implied with respect to the information contained in this document!

The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.

Use this information at your own risk!

Scott S. 2007


Example Configuration for SBC ADSL Service

version 12.2
! Timestamps with milliseconds and time zone make log correlation possible.
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Stores passwords as type 7 strings: reversible obfuscation, not hashing.
service password-encryption
!
hostname my_Hostname
!
logging queue-limit 100
logging buffered 50000 debugging
! Type 5 (MD5-hashed) enable secret; preferred over a type 7 enable password.
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
! Drop packets that carry IP source-route options.
no ip source-route
!
!
ip domain name my_Domain.com
ip name-server a.b.c.d
ip name-server a.b.c.d
ip name-server a.b.c.d
ip dhcp ping packets 5
ip dhcp ping timeout 5000
!
ip dhcp pool Home
   network x.x.x.0 255.255.255.0
   default-router x.x.x.1
   netbios-node-type h-node
   domain-name my_Domain.com
   dns-server a.b.c.d
   lease 30
!
! CBAC stateful inspection. Sessions that leave through Dialer1 (ip inspect Internet out)
! are tracked so their return traffic is allowed back in; the half-open limits and idle
! timeouts below keep the session table from being exhausted.
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name Internet tcp alert on audit-trail on timeout 7200
ip inspect name Internet udp alert on audit-trail on timeout 60
ip inspect name Internet http alert on audit-trail on timeout 120
ip inspect name Internet smtp alert on audit-trail on timeout 30
ip inspect name Internet ftp alert on audit-trail on timeout 120
ip inspect name Internet fragment maximum 250 timeout 15
! IOS Firewall IDS: signature matches on Dialer1 inbound (ip audit Internet in) are logged and dropped.
ip audit attack action alarm drop
ip audit notify log
ip audit po max-events 50
ip audit smtp spam 100
ip audit name Internet attack action alarm drop
ip ssh time-out 30
! PPPoE client: the router dials in over the ATM PVC rather than terminating sessions.
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
interface ATM0/0
 no ip address
 atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
!
! PVC 0/35 is the SBC default noted above. The PPPoE client is bound to dialer pool 2,
! which Dialer1 below belongs to.
interface ATM0/0.35 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/35
  random-detect
  pppoe-client dial-pool-number 2
!
!
! LAN interface. inside-out filters traffic arriving from the LAN, inside-in filters
! traffic leaving toward the LAN. MSS is clamped to 1452 = 1492 (PPPoE MTU) - 40 bytes
! of IP and TCP headers so hosts do not send segments that would need fragmentation.
interface FastEthernet0/0
 ip address x.x.x.1 255.255.255.0
 ip access-group inside-out in
 ip access-group inside-in out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1452
 speed 100
 full-duplex
 no cdp enable
!
! PPPoE takes 8 bytes of Ethernet payload, hence the 1492-byte MTU. The static address is
! the last usable one in the /29 (see the note above); dialer pool 2 ties this interface
! to the PPPoE client on ATM0/0.35. The CHAP/PAP credentials are stored as type 7 strings,
! so treat the saved config file itself as sensitive.
interface Dialer1
 mtu 1492
 bandwidth 1200
 ip address x.x.x.x 255.255.255.248
 ip access-group internet-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Internet out
 ip audit Internet in
 encapsulation ppp
 ip tcp adjust-mss 1460
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin optional
 ppp chap hostname username@static.sbcglobal.net
 ppp chap password 7 xxxxxxxxxxxxxxxxxxx
 ppp pap sent-username username@static.sbcglobal.net password 7 xxxxxxxxxxxxxxxxxxx
!
! Port address translation: LAN sources matched by list 111 are overloaded onto the pool address.
ip nat translation tcp-timeout 7200
ip nat pool GlobalHide x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source list 111 pool GlobalHide overload
! No web management interface, on either plain HTTP or HTTPS.
no ip http server
no ip http secure-server
ip classless
! "permanent" keeps the default route installed even while Dialer1 is down.
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
!
!
! inside-in: applied outbound on FastEthernet0/0, i.e. to traffic heading into the LAN.
! Only ICMP error and reply types are explicitly permitted; everything else is denied
! and logged together with the ingress interface (log-input).
ip access-list extended inside-in
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535 log-input
 deny   udp any range 0 65535 any range 0 65535 log-input
 deny   ip any any log-input
! inside-out: applied inbound on FastEthernet0/0, i.e. to traffic coming from the LAN.
! Let the LAN reach the router, then block bogon, private and multicast destinations,
! keep NetBIOS from leaking out, permit the LAN to everything else, and finally allow
! DHCP discovers (source 0.0.0.0 to 255.255.255.255) from clients that have no address yet.
ip access-list extended inside-out
 permit ip x.x.x.0 0.0.0.255 host x.x.x.1
 deny   ip any 0.0.0.0 0.255.255.255 log-input
 deny   ip any 10.0.0.0 0.255.255.255 log-input
 deny   ip any 127.0.0.0 0.255.255.255 log-input
 deny   ip any 169.254.0.0 0.0.255.255 log-input
 deny   ip any 172.16.0.0 0.15.255.255 log-input
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 224.0.0.0 15.255.255.255 log-input
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 permit ip x.x.x.0 0.0.0.255 any
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log-input
! internet-in: applied inbound on Dialer1. Drops IP protocols 53, 55, 77 and PIM; packets
! whose source claims to be a bogon, private, loopback, broadcast, multicast or the router's
! own /29 (address spoofing); ICMP other than error and reply types; and inbound NetBIOS.
! Everything else is permitted here; NAT and the inside-in list on FastEthernet0/0 decide
! what actually reaches LAN hosts.
ip access-list extended internet-in
 deny   53 any any log-input
 deny   55 any any log-input
 deny   77 any any log-input
 deny   pim any any log-input
 deny   ip 0.0.0.0 0.255.255.255 any log-input
 deny   ip 10.0.0.0 0.255.255.255 any log-input
 deny   ip x.x.x.x 0.0.0.7 any log-input
 deny   ip 127.0.0.0 0.255.255.255 any log-input
 deny   ip 169.254.0.0 0.0.255.255 any log-input
 deny   ip 172.16.0.0 0.15.255.255 any log-input
 deny   ip 192.168.0.0 0.0.255.255 any log-input
 deny   ip host 255.255.255.255 any log-input
 deny   ip 224.0.0.0 15.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny   icmp any any
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   udp any any eq netbios-ss log
 permit ip any any
!
! Standard lists referenced elsewhere: 10 and 11 by NTP, 13 by SNMP, 50 by the vty
! access-class, 111 by NAT. dialer-list 2 defines the traffic that brings up Dialer1.
access-list 10 permit x.x.x.x
access-list 10 permit x.x.x.x
access-list 11 permit x.x.x.0 0.0.0.255
access-list 13 permit x.x.x.x
access-list 50 permit x.x.x.x log
access-list 50 permit x.x.x.0 0.0.0.255 log
access-list 50 permit x.x.x.0 0.0.0.255 log
access-list 111 permit ip x.x.x.0 0.0.0.255 any
dialer-list 2 protocol ip permit
no cdp run
!
!
! Read-only SNMP, and only from the sources listed in ACL 13.
snmp-server community blah RO 13
snmp-server location my_Address
snmp-server contact my_Name
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
banner motd ^CC

                                  Property of
                                    Scott S.
                         Unauthorized Use Is Prohibited

                       You should not be here unless you
                  have been given explicit permission to do so

^C
!
! Console sessions never time out (exec-timeout 0 0); the aux port is set up for a modem.
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxx
 logging synchronous
 login
 transport preferred none
line aux 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxx
 logging synchronous
 login
 modem InOut
 no exec
 stopbits 1
 speed 19200
 flowcontrol hardware
! vty: only sources in ACL 50, SSH only, local username database (the username entries
! are not shown in this excerpt). exec-timeout 0 0 disables the idle timeout here as well.
line vty 0 4
 access-class 50 in
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxx
 logging synchronous
 login local
 transport preferred ssh
 transport input ssh
!
! NTP: peers must be in ACL 10; hosts in ACL 11 may only be served time.
ntp clock-period 17208727
ntp source FastEthernet0/0
ntp access-group peer 10
ntp access-group serve-only 11
ntp server a.b.c.d
ntp peer a.b.c.d
!
end
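The first-match logic behind the three extended ACLs above, as an added example that is not part of the original post and is not Cisco code: a small Python evaluator for the subset of IOS extended-ACL syntax the post uses (any, host A, address plus wildcard, eq port, ICMP type keywords, log keywords). It loads a trimmed copy of the internet-in list with the x.x.x.x placeholder replaced by the constructed documentation block 203.0.113.8/29 and reports which line permits or denies a given packet. Wildcard masks are applied bit by bit, as IOS does, so non-contiguous masks also work. Not modelled: port ranges, the established keyword, ICMP codes, and the CBAC and NAT state that sits behind the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "pim": 103}   # None = any protocol
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Trimmed copy of the post's internet-in list; x.x.x.x replaced by the
# constructed documentation block 203.0.113.8/29 standing in for "our" /29.
INTERNET_IN = """\
ip access-list extended internet-in
 deny   53 any any log-input
 deny   pim any any log-input
 deny   ip 0.0.0.0 0.255.255.255 any log-input
 deny   ip 10.0.0.0 0.255.255.255 any log-input
 deny   ip 203.0.113.8 0.0.0.7 any log-input
 deny   ip 127.0.0.0 0.255.255.255 any log-input
 deny   ip 169.254.0.0 0.0.255.255 any log-input
 deny   ip 172.16.0.0 0.15.255.255 any log-input
 deny   ip 192.168.0.0 0.0.255.255 any log-input
 deny   ip host 255.255.255.255 any log-input
 deny   ip 224.0.0.0 15.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 permit icmp any any net-unreachable
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny   icmp any any
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   udp any any eq netbios-ss log
 permit ip any any
"""


@dataclass
class Packet:
    proto: int                        # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # IOS keyword, e.g. "echo-reply"


def _parse_addr(tok, i):
    """Return ((base, wildcard), next index) for 'any', 'host A' or 'A W'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # header line
        proto = PROTO[tok[1]] if tok[1] in PROTO else int(tok[1])
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        port = icmp = None
        rest = [t for t in tok[i:] if t not in ("log", "log-input")]
        if rest and rest[0] == "eq":
            port = PORTS.get(rest[1]) or int(rest[1])
        elif rest:
            icmp = rest[0]                # ICMP type keyword
        rules.append((tok[0], proto, src, dst, port, icmp, line.strip()))
    return rules


def evaluate(rules, pkt):
    """First matching line wins; no match means the implicit deny at the end."""
    for action, proto, src, dst, port, icmp, text in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if not (_matches(src, pkt.src) and _matches(dst, pkt.dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        if icmp is not None and icmp != pkt.icmp_type:
            continue
        return action, text
    return "deny", "implicit deny"


RULES = parse_acl(INTERNET_IN)

if __name__ == "__main__":
    # Constructed packets arriving on Dialer1; 203.0.113.14 is the dialer address.
    for pkt in (Packet(6, "10.1.2.3", "203.0.113.14", dport=22),        # spoofed private source
                Packet(6, "203.0.113.10", "203.0.113.14", dport=80),    # spoofed own-block source
                Packet(1, "198.51.100.77", "203.0.113.14", icmp_type="echo-reply"),
                Packet(1, "198.51.100.77", "203.0.113.14", icmp_type="echo"),
                Packet(17, "198.51.100.77", "203.0.113.14", dport=137), # NetBIOS name service
                Packet(6, "198.51.100.77", "203.0.113.14", dport=443)):
        print(pkt, "->", *evaluate(RULES, pkt))
```

The useful thing to notice is the order: the own-block anti-spoofing line (0.0.0.7 wildcard) and the bogon denies sit before every permit, so a packet that arrives on the Internet side claiming a LAN-side or private source never reaches the final permit ip any any.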
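A second added example (again not the post's own code and not a Cisco tool): the checks a defender would run over a saved IOS configuration like the one above before trusting it. The sample stanza is constructed with the same shape as the post's snmp-server and line sections; the type 7 and enable secret strings in it are dummies. It flags type 7 passwords (the reversible obfuscation that service password-encryption produces), exec-timeout 0 0 on a line (idle sessions never close), short or default SNMP community strings, community strings without an ACL or with write access, vty transports other than SSH only, and an enabled HTTP server. Run against the post's configuration it would report the five type 7 credentials, the console and vty exec-timeout, and the four-character community string; the SSH-only vty and the ACL-restricted read-only SNMP community pass.

```python
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, finding code, offending line)

# Constructed stanza shaped like the post's snmp-server and line sections.
# The secret strings are dummies, not real type 7 or type 5 values.
SAMPLE_CONFIG = """\
service password-encryption
hostname my_Hostname
enable secret 5 $1$dummy$dummydummydummydummy..
!
snmp-server community blah RO 13
!
line con 0
 exec-timeout 0 0
 password 7 0123456789ABCDEF
 login
line aux 0
 exec-timeout 5 0
 password 7 0123456789ABCDEF
 login
line vty 0 4
 access-class 50 in
 exec-timeout 0 0
 password 7 0123456789ABCDEF
 login local
 transport input ssh
"""


def audit_ios_config(config: str) -> List[Finding]:
    """Walk a saved config once, tracking the enclosing top-level command."""
    findings: List[Finding] = []
    section = ""
    for no, raw in enumerate(config.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("!"):
            continue                       # blank or comment line
        if not raw.startswith(" "):
            section = s                    # e.g. "line vty 0 4"
        # 'password 7' is reversible obfuscation (service password-encryption), so
        # anyone who can read the file has the credential. 'enable secret 5' is an
        # MD5 hash and is not flagged.
        if re.search(r"\bpassword 7 \S+", s):
            findings.append((no, "TYPE7-PASSWORD", s))
        if section.startswith("line") and s == "exec-timeout 0 0":
            findings.append((no, "NO-IDLE-TIMEOUT", f"{section}: {s}"))
        if s.startswith("snmp-server community"):
            tok = s.split()                # snmp-server community <str> [RO|RW] [acl]
            community = tok[2]
            if len(tok) < 5:
                findings.append((no, "SNMP-NO-ACL", s))
            if len(tok) >= 4 and tok[3].upper() == "RW":
                findings.append((no, "SNMP-WRITE-ACCESS", s))
            if community.lower() in ("public", "private") or len(community) < 8:
                findings.append((no, "SNMP-WEAK-COMMUNITY", s))
        if section.startswith("line vty") and s.startswith("transport input") \
                and s != "transport input ssh":
            findings.append((no, "VTY-NOT-SSH-ONLY", s))
        if s == "ip http server":
            findings.append((no, "HTTP-MGMT-ENABLED", s))
    return findings


if __name__ == "__main__":
    for no, code, text in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {no:3}  {code:22} {text}")
```

The section tracking matters: exec-timeout and transport input only mean something under a line stanza, and in a running-config dump those sub-commands are the indented lines that follow the top-level command, which is all the single-space test relies on.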
