04-04-2013 07:42 AM - edited 03-04-2019 07:29 PM
I have a Cisco 857W router that I would like to set up as follows:
- All wireless clients should have internet access only
- All wired clients should have VPN access only
The wired/VPN side of things is working fine. A wired client can access the VPN and all seems to work.
My problem is on the wireless side. Wireless clients connect successfully and receive a DHCP address. Name resolution also seems to work, as I can ping www.google.com (for instance) and it resolves to an IP address. That, though, is where things stop; no internet browsing works beyond that.
Please have a look and see if you spot the (I think obvious) problem ....
"show ip nat trans" does show translations:
start#sho ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.222:16384 17.173.254.222:16384
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.222:16385 17.173.254.222:16385
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.223:16386 17.173.254.223:16386
tcp 196.209.34.158:51901 10.0.0.21:51901 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51902 10.0.0.21:51902 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51903 10.0.0.21:51903 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51904 10.0.0.21:51904 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51905 10.0.0.21:51905 173.194.41.69:443 173.194.41.69:443
tcp 196.209.34.158:51906 10.0.0.21:51906 173.194.34.178:443 173.194.34.178:443
Also my route table looks ok (to me):
start#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 196.209.34.1 to network 0.0.0.0
196.209.34.0/32 is subnetted, 2 subnets
C 196.209.34.1 is directly connected, Dialer0
C 196.209.34.158 is directly connected, Dialer0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Dot11Radio0
41.0.0.0/32 is subnetted, 1 subnets
S 41.165.4.154 [1/0] via 196.209.34.1
S* 0.0.0.0/0 [1/0] via 196.209.34.1
[1/0] via 0.0.0.0, Virtual-Access2
S 192.168.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
And my config as attached.
Even if I remove ACL 102 from Dialer0 it still does not work. So I suspect it is not ACL related ...
04-04-2013 10:25 AM
Hello Oliver,
Can you confirm that you can reach internet?
#ping 8.8.8.8
Verify that DNS work:
#ping www.google.com
Try to replace dns 10.0.0.2 from DHCP configuration to google DNS 8.8.8.8
Best Regards
Please rate all helpful posts and close solved questions
04-04-2013 11:54 PM
From Router:
Pinging any website resolves to an IP address. Also I can ping 8.8.8.8. So my internet is working.
From Wireless PC:
Pinging also resolves to an IP and I can ping 8.8.8.8. However, I cannot browse the internet.
04-05-2013 01:18 AM
It will probably be a problem with MTU.
Try this test from your router:
podhorany-024#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:
What was the last successful packet size?
Best Regards
Please rate all helpful posts and close solved questions
04-05-2013 01:26 AM
Last successful size was 1492.
For what it was worth, I dropped the MTU to 1452 and the MSS to 1412; it made no difference, unfortunately.
This one has me stumped now. Everything looks and seems right, I just can't browse the net.
04-05-2013 01:33 AM
Now it is getting interesting. I tried to browse to www.microsoft.com, which failed, but then my browser converted it into a search and google actually returned search results for microsoft.com.
I then tested a few other sites. I can access google.com and test.com, but almost no other sites. My Win7 PC suddenly showed that it had an internet connection for about two minutes, then it disappeared again and it is now a Local only connection again.
Weird ...
04-05-2013 01:42 AM
Hello
Try:
Saving your config and reloading the router
Turning off the software FW of the PC?
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-05-2013 01:45 AM
As another test I removed the outside crypto from the Dialer0 interface and the browsing started working immediately. So it seems that when the VPN is up that perhaps the internet traffic gets sent over the VPN link as well (sometimes). But I have split tunneling, or is there perhaps a problem with that config on ACL 100 ?
04-05-2013 01:49 AM
Hi,
can you post your entire config along with the details.
Regards
Alain
Don't forget to rate helpful posts.
04-05-2013 01:43 AM
Can you also verify the MTU size from the LAN (wireless PC).
- Did you try another PC? Maybe the problem is with the PC.
- Try connecting your PC/laptop instead of the Cisco router to see if the problem is still there.
I am not sure what else you can try.
Best Regards
Please rate all helpful posts and close solved questions
04-05-2013 01:44 AM
Hi,
you should set your MTU to 1492 and your MSS to 1452.
Regards
Alain
Don't forget to rate helpful posts.
04-05-2013 01:48 AM
I reverted the MTU 1492 and MSS 1452 and it made no difference.
Here is my crypto :
crypto ipsec client ezvpn VPN
connect auto
group (details)
mode network-extension
peer (details)
acl 100
virtual-interface 1
username (details)
xauth userid mode local
04-05-2013 01:55 AM
And my whole config :
!
version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname start
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
!
no aaa new-model
clock timezone ZAT 2
!
!
no dot11 syslog
!
dot11 ssid START
authentication open
guest-mode
!
ip dhcp excluded-address 192.168.41.1 192.168.41.19
ip dhcp excluded-address 10.0.0.1 10.0.0.19
!
ip dhcp pool SMS_VPN_Pool
network 192.168.41.0 255.255.255.0
domain-name (details)
dns-server 192.168.1.200 192.168.1.201
option 150 ip 192.168.1.15
default-router 192.168.41.1
!
ip dhcp pool SMS_IP_Pool
network 10.0.0.0 255.255.255.0
dns-server 10.0.0.2
default-router 10.0.0.2
!
!
ip cef
ip ddns update method SMS_DynDNS
HTTP
add (details)/nic/update?hostname=
interval maximum 0 0 15 0
!
!
!
!
username (details)
!
crypto isakmp key (details)
crypto isakmp invalid-spi-recovery
!
!
!
!
!
crypto ipsec client ezvpn SMS_VPN
connect auto
group (details)
mode network-extension
peer (details)
acl 100
virtual-interface 1
username (details)
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
no ip ftp passive
ip ftp source-interface Vlan1
ip tftp source-interface Vlan1
!
ip tcp path-mtu-discovery
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
oam-pvc 0
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
no ip address
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
!
interface Dot11Radio0
ip address 10.0.0.2 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
!
encryption key 1 size 40bit 0 (details) transmit-key
encryption mode wep mandatory
!
ssid START
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country ZA indoor
!
interface Vlan1
ip address 192.168.41.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn SMS_VPN inside
!
interface Dialer0
ip ddns update hostname (details)
ip ddns update SMS_DynDNS
ip address negotiated
ip access-group 101 out
ip access-group 102 in
ip mtu 1492
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp (details)
ppp ipcp dns request accept
ppp ipcp route default
crypto ipsec client ezvpn SMS_VPN
!
no ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
!
access-list 101 remark DSL OUT
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip any any
!
access-list 102 remark DSL IN
access-list 102 remark CCP_ACL Category=1
access-list 102 permit esp any any
access-list 102 permit gre any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq 10000
access-list 102 permit tcp any any eq 10000
access-list 102 permit icmp host 196.25.1.1 any
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq ftp-data any
access-list 102 permit tcp any eq ftp any
access-list 102 permit tcp any eq 69 any
access-list 102 permit udp any eq tftp any
access-list 102 permit tcp any eq 443 any
access-list 102 permit tcp any eq telnet any
access-list 102 permit tcp any any eq telnet
access-list 102 permit udp any eq ntp any eq ntp
access-list 102 permit tcp any range 11000 11025 any
access-list 102 permit tcp any any eq 8000
access-list 102 deny ip any any log
!
access-list 103 remark VLAN IN
access-list 103 remark CCP_ACL Category=1
access-list 103 deny ip any 10.0.0.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.0.0.255 any
access-list 103 permit ip any any
!
access-list 104 remark VLAN OUT
access-list 104 remark CCP_ACL Category=1
access-list 104 deny ip any 10.0.0.0 0.0.0.255
access-list 104 deny ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip any any
!
dialer-list 1 protocol ip permit
!
no cdp run
!
control-plane
!
line con 0
exec-timeout 0 0
no modem enable
length 50
speed 115200
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 196.25.1.1
end
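To check on paper which of the posted access lists a given flow hits (the first post asks whether wireless clients are being NATed, the later post asks whether split tunnelling via ACL 100 is catching internet traffic), here is an added Python example. It is not code from the thread or from Cisco: it parses a subset of the numbered-ACL syntax used in the config above (`any`, `host`, wildcard masks and `eq` ports; `range` entries are left out) and evaluates constructed sample flows against ACL 1 (the NAT source list), ACL 100 (the EzVPN split-tunnel list) and a few entries of ACL 102 (the inbound filter on Dialer0). The ACL lines are copied from the config; the flows and the return-traffic check are constructed for illustration.

```python
"""Added example: evaluate a subset of Cisco IOS numbered ACL syntax against
sample flows. Not code from the thread; ACL lines are copied from the posted
config, the flows below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL lines copied from the posted config (range and most remark lines omitted)
ACL_TEXT = """
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq 443 any
access-list 102 deny ip any any log
"""

# IOS port keywords that appear in the config, mapped to port numbers
PORT_NAMES = {"www": 80, "domain": 53, "isakmp": 500, "non500-isakmp": 4500,
              "ftp": 21, "ftp-data": 20, "tftp": 69, "telnet": 23, "ntp": 123}

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Tuple[int, int]   # (network, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 >= len(tokens):          # standard ACL without a wildcard means a host
        return (net, 0), i + 1
    return (net, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action = int(t[1]), t[2]
        if num <= 99:                     # standard ACL: source address only
            src, _ = _addr(t, 3)
            e = Entry(action, "ip", src, None, ANY, None)
        else:                             # extended: proto src [eq p] dst [eq p]
            src, i = _addr(t, 4)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, _ = _port(t, i)        # trailing 'log' is ignored
            e = Entry(action, t[3], src, sport, dst, dport)
        acls.setdefault(num, []).append(e)
    return acls


def _matches(addr: int, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF             # wildcard 1-bits are "don't care"
    return (addr & keep) == (net & keep)


def acl_permits(entries: List[Entry], src: str, dst: str, proto: str = "ip",
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """First-match evaluation, with the implicit deny IOS appends to every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(s, e.src) and _matches(d, e.dst)):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


ACLS = parse_acls(ACL_TEXT)


def classify_outbound(src: str, dst: str, proto: str = "ip",
                      dport: Optional[int] = None) -> Dict[str, bool]:
    """Which policy catches a LAN-originated flow: NAT (ACL 1) or the split tunnel (ACL 100)."""
    return {"nat": acl_permits(ACLS[1], src, dst, proto, None, dport),
            "split_tunnel": acl_permits(ACLS[100], src, dst, proto, None, dport)}


def return_traffic_allowed(inside_global: str, remote: str, proto: str,
                           remote_port: Optional[int]) -> bool:
    """Does ACL 102 (Dialer0 inbound) admit the reply of a NATed flow? Source is the remote host."""
    return acl_permits(ACLS[102], remote, inside_global, proto, remote_port, None)


if __name__ == "__main__":
    # constructed flows: a wireless client browsing, a wired client reaching the remote LAN
    print(classify_outbound("10.0.0.21", "173.194.41.80", "tcp", 443))
    print(classify_outbound("192.168.41.50", "192.168.1.200"))
    print(return_traffic_allowed("196.209.34.158", "173.194.41.80", "tcp", 443))
```

Run it as a script and it reports, for the wireless client flow from the NAT table above, that ACL 1 selects it for NAT while ACL 100 does not put it in the tunnel, and that the HTTPS reply is admitted by ACL 102's `permit tcp any eq 443 any` line. The wired client to 192.168.x.x case matches only the split-tunnel list, which is the intended wired/VPN-only behaviour.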
04-05-2013 02:19 AM
Delete ip nat enable from both Dialer and Dot11Radio0 interfaces.
Best Regards
Please rate all helpful posts and close solved questions
04-05-2013 02:21 AM
I removed "ip nat enable", but made no difference.
Would a route map perhaps help here ?