Need assistance with PPP and CHAP

Tricon7 Inactive Imported Users Posts: 238
I have a simple configuration between two routers and one host. I can get the routers to communicate with each other after I've configured everything, and the host can talk to its default router, but the host can't talk to the other router connected via serial cable. The host is connected to Remote1 Router, and that router is connected to HQ router via a serial connection. Here is my configuration:

HQ (server)

(config)#ip route 192.168.9.0 255.255.255.0 192.168.8.2

(config)#int s 0/0
(config-if)#ip address 192.168.8.1 255.255.255.0
(config-if)#clock rate 56000
(config-if)#no shut
(config-if)#exit

(config)#int s 0
(config-if)#encapsulation ppp
(config-if)#ppp encapsulation chap
(config-if)#username Remote1 password cisco
(config-if)#end

(config)#int loopback 7
(config)#ip address 1.1.1.1 255.255.255.255
(config)#no shut
(config)#exit


Remote1

(config)#ip route 0.0.0.0 0.0.0.0 192.168.8.1

(config)#int s 0/0
(config-if)#ip address 192.168.8.2 255.255.255.0
(config-if)#clock rate 56000
(config-if)#no shut
(config-if)#encapsulation ppp
(config-if)#ppp authentication chap
(config-if)#username HQ password cisco
(config-if)#int fa 0/0
(config-if)#ip address 192.168.9.1 255.255.255.0
(config-if)#no shut
(config-if)#exit


PC1 [connected to Remote1 router]

Gateway 192.168.9.1
Mask 255.255.255.0
IP address 192.168.9.9

Comments

  • Lote Member Posts: 2
    Quick question: can you ping the outside IP address of the local router?
  • Netstudent Member Posts: 1,693
    Why do you have clock rate on both serial interfaces? You only need the clock rate on the DCE side of the link. Check your cable label, or issue a show controllers to find the dce. Post a show run.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • datchcha Member Posts: 265
    Tricon7 wrote:
    I have a simple configuration between two routers and one host. I can get the routers to communicate with each other after I've configured everything, and the host can talk to its default router, but the host can't talk to the other router connected via serial cable. The host is connected to Remote1 Router, and that router is connected to HQ router via a serial connection. Here is my configuration:

    HQ (server)

    (config)#ip route 192.168.9.0 255.255.255.0 192.168.8.2

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.1 255.255.255.0
    (config-if)#clock rate 56000
    (config-if)#no shut
    (config-if)#exit

    (config)#int s 0
    (config-if)#encapsulation ppp
    (config-if)#ppp encapsulation chap
    (config-if)#username Remote1 password cisco
    (config-if)#end

    (config)#int loopback 7
    (config)#ip address 1.1.1.1 255.255.255.255
    (config)#no shut
    (config)#exit


    Remote1

    (config)#ip route 0.0.0.0 0.0.0.0 192.168.8.1

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.2 255.255.255.0
    (config-if)#clock rate 56000
    (config-if)#no shut
    (config-if)#encapsulation ppp
    (config-if)#ppp authentication chap
    (config-if)#username HQ password cisco
    (config-if)#int fa 0/0
    (config-if)#ip address 192.168.9.1 255.255.255.0
    (config-if)#no shut
    (config-if)#exit


    PC1 [connected to Remote1 router]

    Gateway 192.168.9.1
    Mask 255.255.255.0
    IP address 192.168.9.9

    Think it should look like this

    en
    config t
    hostname
    password
    int s0/0
    encap ppp
    ppp auth chap
    ip address
    bandwidth
    clock rate
    no shut
    Arrakis
  • Noe84 Member Posts: 60
    You typed ppp encapsulation chap; I do that sometimes, but I think on a real router it would have given you an error.

    The right way for doing it should look like this

    HQ (server)

    (config)#ip route 192.168.9.0 255.255.255.0 192.168.8.2
    (config)#username Remote1 password cisco

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.1 255.255.255.0
    (config-if)#encapsulation ppp
    (config-if)#ppp authentication chap
    (config-if)#no shut
    (config-if)#exit

    (config)#int loopback 7
    (config)#ip address 1.1.1.1 255.255.255.255
    (config)#no shut
    (config)#exit


    Remote1

    (config)#ip route 0.0.0.0 0.0.0.0 192.168.8.1
    (config)#username HQ password cisco

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.2 255.255.255.0
    (config-if)#clock rate 56000
    (config-if)#encapsulation ppp
    (config-if)#ppp authentication chap
    (config-if)#no shut
    (config-if)#int fa 0/0
    (config-if)#ip address 192.168.9.1 255.255.255.0
    (config-if)#no shut
    (config-if)#exit


    PC1 [connected to Remote1 router]

    Gateway 192.168.9.1
    Mask 255.255.255.0
    IP address 192.168.9.9

    Yea and check your interface with the show controller int command to locate which side the DCE is on and then apply the clock rate command on it. Use show ip route and show interface command to check your work. Also are you sure the hostname is HQ and not HQ(server)? You have to make sure the hostname for the username is correct in order for chap to work.
    On to MCSA 2003.
  • Tricon7 Inactive Imported Users Posts: 238
    Netstudent wrote:
    Why do you have clock rate on both serial interfaces? You only need the clock rate on the DCE side of the link. Check your cable label, or issue a show controllers to find the dce. Post a show run.

    Sorry - meant to make that correction on my submission. I only have the clock rate on the DCE side. And my host can ping both the ethernet and serial ports of its local router.
  • networker050184 Mod Posts: 11,962
    Did you make the changes suggested by Noe84? That should do the trick. If not, try to take the chap commands out and see if you still have the problem. It's easier to narrow the problem down and check things one at a time instead of troubleshooting the whole network at once, even one this small!
    An expert is a man who has made all the mistakes which can be made.
  • mikearama Member Posts: 749
    Tricon, you said the routers can communicate... do you mean that when connected via console you can ping/telnet from Remote1 to HQ?

    If so, leave CHAP the way it is, it's fine. So are your DCE settings.

    I'd put money on some problem then with your default routes. I don't think it's anything obvious, but when you connect from the PC, the HQ router is having an issue sending the packets on to the .9 subnet. Actually, I'd put money on the Remote1 router not knowing what to do with the packets it receives back from HQ (since you don't have routing set up yet).

    So, play around with your default routes a bit... ie,

    On Remote1, add this route: ip route 192.168.9.0 255.255.255.0 int f0/0
    This way, anything Remote1 receives on its s0 int for your pc will get forwarded out f0.

    And on HQ, change your default route to 0.0.0.0 0.0.0.0 s0/0 (or leave it as 8.2, that's fine)
    just to rule out HQ mistakenly sending your responses anywhere else.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Tricon7 Inactive Imported Users Posts: 238
    Noe84 wrote:
    You typed ppp encapsulation chap; I do that sometimes, but I think on a real router it would have given you an error.

    The right way for doing it should look like this

    HQ (server)

    (config)#ip route 192.168.9.0 255.255.255.0 192.168.8.2
    (config)#username Remote1 password cisco

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.1 255.255.255.0
    (config-if)#encapsulation ppp
    (config-if)#ppp authentication chap
    (config-if)#no shut
    (config-if)#exit

    (config)#int loopback 7
    (config)#ip address 1.1.1.1 255.255.255.255
    (config)#no shut
    (config)#exit


    Remote1

    (config)#ip route 0.0.0.0 0.0.0.0 192.168.8.1
    (config)#username HQ password cisco

    (config)#int s 0/0
    (config-if)#ip address 192.168.8.2 255.255.255.0
    (config-if)#clock rate 56000
    (config-if)#encapsulation ppp
    (config-if)#ppp authentication chap
    (config-if)#no shut
    (config-if)#int fa 0/0
    (config-if)#ip address 192.168.9.1 255.255.255.0
    (config-if)#no shut
    (config-if)#exit


    PC1 [connected to Remote1 router]

    Gateway 192.168.9.1
    Mask 255.255.255.0
    IP address 192.168.9.9

    Yea and check your interface with the show controller int command to locate which side the DCE is on and then apply the clock rate command on it. Use show ip route and show interface command to check your work. Also are you sure the hostname is HQ and not HQ(server)? You have to make sure the hostname for the username is correct in order for chap to work.

    Yeah, I think that did the trick. My host can now ping the loopback and serial interface of the HQ router. However, the HQ router can't ping the host. Is this supposed to happen with PPP/CHAP? Or is something still not right, you think?
  • Noe84 Member Posts: 60
    Can you post a show run on both routers?

    From my configuration it looks like everything should work. But you have to make sure the username points to the correct hostname of the remote router. Both username and password are case sensitive. So remote1 and Remote1 are two different things, and so are Cisco and cisco.

    If you have HQ and Remote1 then my config should work. But if you have HQ(server) and Remote1 then my config might not work depending if this is a simulator or real routers.

    You also have to make sure the clock rate command is placed on the right port (the DCE); some sims are very buggy and will probably let you do this on both, but on a real Cisco router it will give you an error saying clock rate can only be applied on DCE.

    If this is a sim it's probably a bug or something. You might want to start from scratch again.
    On to MCSA 2003.
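Added example, not part of the thread: a Python model of the CHAP exchange (RFC 1994, response value = MD5 over identifier, secret and challenge) showing why each router's `username` line must match the peer's hostname and password exactly, including case. The `Router` class and its method names are hypothetical; the model covers only the name lookup and hash check, not PPP framing.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class Router:
    """Hypothetical model of one end of the link (not IOS code)."""
    def __init__(self, hostname, users):
        self.hostname = hostname  # sent as the Name field in CHAP packets
        self.users = users        # models 'username <peer> password <secret>'

    def challenge(self):
        """Authenticator: emit (identifier, random challenge, own hostname)."""
        return os.urandom(1)[0], os.urandom(16), self.hostname

    def respond(self, identifier, challenge, challenger_name):
        """Peer: find the secret stored under the challenger's hostname."""
        secret = self.users.get(challenger_name)  # exact, case-sensitive lookup
        if secret is None:
            return None                           # no matching username line
        return self.hostname, chap_response(identifier, secret, challenge)

    def verify(self, identifier, challenge, reply):
        """Authenticator: recompute the hash for the name in the response."""
        if reply is None:
            return False
        peer_name, value = reply
        secret = self.users.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)

def authenticate(authenticator, peer):
    ident, chal, name = authenticator.challenge()
    return authenticator.verify(ident, chal, peer.respond(ident, chal, name))

def link_up(a, b):
    """Both ends run 'ppp authentication chap', so each authenticates the other."""
    return authenticate(a, b) and authenticate(b, a)

if __name__ == "__main__":
    hq = Router("HQ", {"Remote1": "cisco"})        # constructed sample values
    remote1 = Router("Remote1", {"HQ": "cisco"})
    print("link up:", link_up(hq, remote1))
```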
  • Netstudent Member Posts: 1,693
    When a router can't ping a host, but there is a route to that network that the host is on, it usually means your Windows Firewall is blocking ICMP requests.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Noe84 Member Posts: 60
    If you can't ping the host then you want to back up and ping Remote1's fa0/0 interface. If pinging fa0/0 is successful then you can conclude there is something wrong with the host. It's probably a firewall, if this were real equipment.

    Don't forget about the debug ip icmp and debug ip packet commands, they're very helpful.
    On to MCSA 2003.
  • Tricon7 Inactive Imported Users Posts: 238
    Netstudent wrote:
    When a router can't ping a host, but there is a route to that network that the host is on, it usually means your Windows Firewall is blocking ICMP requests.

    Bingo. Either the Windows firewall or the McAfee firewall/antivirus program was blocking the host. Once disabled, I pinged out fine. I just remembered, too, that some in my class during the hands-on tests had problems with Windows firewalls. Thanks.