Cisco 2911 ISR G2 as PPPoE NAT router blocking access to other websites

EdwinSibambo
Level 1

Hi Everyone,

 

Kindly assist me with an issue I'm currently facing. I have a Cisco 2911 ISR in my network configured as the NAT gateway for my LAN subnets. It's configured as a PPPoE client to the provider network. For some strange reason I can't access other https and http websites on the internet.

 

I looked into my access list for that TCP traffic and I can see I'm matching traffic, but on the connected clients I get "Timed out" in the web browsers. Initially the router was running firmware release 15.4.2 M; I upgraded it to 15.7(3)M7, still no luck. I thought it might be a bug on 15.2.4.

 

I tried enabling and disabling ip cef and ip classless [still not working].

 

See the show version output below.

+++++++++++////////////////////////////++++++++++++++++++++++///////////////////////////////+++++++\\\\\\\\\\\\\\\\\\

 

vEDGE#sh version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 01-Sep-20 15:17 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

vEDGE uptime is 46 minutes
System returned to ROM by power-on
System image file is "flash:c2900-universalk9-mz.SPA.157-3.M7.bin"
Last reload type: Normal Reload
Last reload reason: power-on

 

Device#   PID            SN
-------------------------------------------------
*1        CISCO2911/K9   FCZ152470YK


Suite License Information for Module:'c2900'

--------------------------------------------------------------------------------
Suite                 Suite Current    Type    Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None             None    None
  securityk9
  datak9

AdvUCSuiteK9          None             None    None
  uck9
  cme-srst
  cube


Technology Package License Information for Module:'c2900'

------------------------------------------------------------------------
Technology    Technology-package                    Technology-package
              Current     Type                      Next reboot
------------------------------------------------------------------------
ipbase        ipbasek9    Permanent                 ipbasek9
security      None        None                      None
uc            uck9        EvalRightToUse            uck9
data          None        None                      None

Configuration register is 0x2102


EdwinSibambo
Level 1

Configuration below:

 

Building configuration...


Current configuration : 3371 bytes
!
! Last configuration change at 14:53:45 UTC Fri Feb 5 2021 by admin
!
version 15.7
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.157-3.M7.bin
boot system flash c2900-universalk9-mz.SPA.152-4.M7.bin
boot-end-marker
!
!
no aaa new-model
no ip source-route
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
ip name-server 4.2.2.2
!
ip cef
ip classless
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
!
vxml logging-tag
license udi pid CISCO2911/K9 sn FCZ152470YK
license boot module c2900 technology-package uck9
!
interface GigabitEthernet0/0
description SURF4LIFE
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
!
interface GigabitEthernet0/1
description LAN-Access
ip address 10.16.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip route-cache same-interface
duplex auto
speed auto
no mop enabled
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 120 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname XXXXXXXXX
ppp chap password 0 XXXXXXX
ppp pap sent-username XXXXXXXX password 0 XXXXXX
ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 120 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 102.22.247.255
!
access-list 120 permit tcp any any eq 8443
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any
access-list 120 permit udp any any range 16384 32767
access-list 120 permit ip any any
!

++++++++++///////////////////+++++++++//////////////+++++++\\\\\\\\\\\\\\++++++


XXXX(config)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 102.22.247.255 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 102.22.247.255
[1/0] via 102.22.247.255, Dialer1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.16.0.0/24 is directly connected, GigabitEthernet0/1
L 10.16.0.2/32 is directly connected, GigabitEthernet0/1
102.0.0.0/32 is subnetted, 2 subnets
C 102.22.244.153 is directly connected, Dialer1
C 102.22.247.255 is directly connected, Dialer1

Dialer interface Status

XXXX(config)#do sh ip int br d1
Interface IP-Address OK? Method Status Protocol
Dialer1 102.22.244.153 YES IPCP up up

You mention that access on Internet for http and https from LAN connected devices does not work. Can the LAN connected devices access Internet resources using other protocols (ping etc)?

 

ACL 120 is pretty odd. It has a series of permit statements ending with permit ip any any. If you have no deny statements and are going to permit everything, then why have more than one statement in the ACL?

 

I have seen issues develop when the ACL used to identify traffic for address translation used the any parameter for the source and destination. I would suggest that you change the ACL for NAT to be a standard access list and specify your inside network addresses in that ACL.

 

It is unusual to use the same ACL for NAT and as the outbound filter on the outside interface. I suggest having different access lists for these functions. And if the outbound ACL is going to permit ip any any, then why have the ACL on the interface anyway?

HTH

Rick

EdwinSibambo
Level 1

Hi Richard,

 

Just to phrase my statement correctly: I can access other websites but not all websites from this network setup. Please see the screenshots attached. The strange thing is that PING to these websites works without any issues.

 

Somehow http/s to these websites is not working at all, whether by FQDN or by public IP address.

Not working websites:

by public IP: https://156.38.137.210/

by FQDN: https://stax.co.za

 

I have removed the extended ACL and replaced it with a standard ACL; it still does not work. See the updated config as per your recommendation below.

interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname XXXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXX password 0 XXXXX
ppp ipcp route default
end
!
ip nat inside source list 10 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 102.22.247.255
!
!
!
access-list 10 permit 10.16.0.0 0.0.255.255

 

 

 

Hello,

 

the first link in your last post gives me an 'unsafe website' security warning...

 

Either way, MTU settings often cause website problems. Try and change the MTU size; in fact, make the changes marked with --> below:

 

Current configuration : 3371 bytes
!
! Last configuration change at 14:53:45 UTC Fri Feb 5 2021 by admin
!
version 15.7
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.157-3.M7.bin
boot system flash c2900-universalk9-mz.SPA.152-4.M7.bin
boot-end-marker
!
no aaa new-model
no ip source-route
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
ip name-server 4.2.2.2
!
ip cef
ip classless
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
!
vxml logging-tag
license udi pid CISCO2911/K9 sn FCZ152470YK
license boot module c2900 technology-package uck9
!
interface GigabitEthernet0/0
description SURF4LIFE
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
!
interface GigabitEthernet0/1
description LAN-Access
ip address 10.16.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
--> no ip route-cache same-interface
duplex auto
speed auto
no mop enabled
!
interface Dialer1
--> mtu 1400
ip address negotiated
--> no ip access-group 120 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
--> ip tcp adjust-mss 1360
no cdp enable
ppp chap hostname XXXXXXXXX
ppp chap password 0 XXXXXXX
ppp pap sent-username XXXXXXXX password 0 XXXXXX
ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 102.22.247.255
!
--> access-list 1 permit 10.16.X.0 0.0.0.255
!
--> dialer-list 1 protocol ip permit
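
Georg's fix works because PPPoE takes 8 bytes out of every 1500-byte Ethernet frame, and `ip tcp adjust-mss` rewrites the MSS option in each SYN crossing Dialer1 so that full-size segments fit the path even when ICMP "fragmentation needed" messages are filtered somewhere and path MTU discovery fails silently. The script below is an added example, not code from this thread or from Cisco: it computes the MTU/MSS budget and performs the same MSS rewrite on a constructed TCP SYN (the addresses 10.16.0.10 and 203.0.113.10 are constructed, not taken from the thread).

```python
import socket
import struct

PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field per frame
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def pppoe_mtu(ethernet_mtu=1500):
    """Largest IP packet that fits one Ethernet frame behind PPPoE (1492)."""
    return ethernet_mtu - PPPOE_OVERHEAD

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in `mtu`; the value to clamp MSS to."""
    return mtu - IP_TCP_HEADERS

def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def clamp_mss(segment, max_mss, src_ip, dst_ip):
    """Rewrite the MSS option (kind 2) in a TCP SYN as `ip tcp adjust-mss` does; returns (segment, original_mss)."""
    hdr = bytearray(segment)
    data_offset = (hdr[12] >> 4) * 4
    i, original = 20, None
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = hdr[i + 1]
        if kind == 2 and length == 4:  # MSS option: kind, len, 16-bit value
            original = struct.unpack_from("!H", hdr, i + 2)[0]
            if original > max_mss:
                struct.pack_into("!H", hdr, i + 2, max_mss)
        i += length
    struct.pack_into("!H", hdr, 16, 0)  # clear the checksum, then recompute it
    struct.pack_into("!H", hdr, 16, tcp_checksum(src_ip, dst_ip, bytes(hdr)))
    return bytes(hdr), original

# Constructed SYN (not a capture): 10.16.0.10:51000 -> 203.0.113.10:443, data offset 6
# (24 bytes), flags SYN, advertising the usual Ethernet MSS of 1460 (option 02 04 05 b4).
SYN = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0) + bytes([2, 4, 0x05, 0xB4])
```

With `mtu 1400` on Dialer1, `mss_for_mtu(1400)` gives the 1360 Georg used; with the PPPoE default of 1492 the safe value would be 1452.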

Hi Georg,

 

Thank you, it's working now.

I adjusted the MTU on the PPPoE D1 interface and added those other commands.

 

Thank you for your assistance.

 

-Edwin

Edwin

 

Thanks for confirming that the suggestions from Georg did provide the solution to your problem. When I saw your response clarifying that some sites did work but other sites did not work, I immediately thought of issues with MTU. Glad to know that this was the issue.

 

Even though your problem did not involve the access list, I do believe that the change that you made in the ACL is beneficial.

HTH

Rick