01-11-2007 01:22 PM - edited 03-03-2019 03:20 PM
Hello,
I have a Cisco 1841 set up at a remote site with a webserver and laptop running behind it. Our setup works fine except that we cannot access the internet from behind the router. Our site-to-site VPN to our main office works great, as do the websites running on the webserver.
I can ping the router with both the public and private IP, but I cannot ping the gateway IP or beyond.
There is one strange thing that I hope might be a clue. If I ping the gateway IP with -l 1500 I get a couple of no responses and then all of a sudden I start receiving a reply.
Here is a partial config on the router.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key X address 216.x.x.153
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.x.x.153
set peer 216.x.x.153
set transform-set ESP-3DES-SHA
match address 100
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.7.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 168.x.x.114 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
ip default-gateway 168.x.x.113
ip classless
ip route 0.0.0.0 0.0.0.0 168.x.x.113
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_2 pool in-out overload
ip nat inside source static tcp 192.168.7.119 80 168.x.x.119 80 extendable
ip nat inside source static tcp 192.168.7.119 443 168.x.x.119 443 extendable
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.7.0 0.0.0.255 any log
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 101
!
Thanks for any help you can give me.
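Added example, not posted by anyone in this thread: a small Python model of how the two ACLs in the config above interact. ACL 100 is the crypto map's "match address" (traffic that must be encrypted), and ACL 101 is what route-map SDM_RMAP_2 feeds to NAT, with its first line denying the VPN traffic. IOS translates inside-to-outside packets before the crypto map sees them, so that deny line is what keeps VPN traffic out of NAT. The public address 203.0.113.114 is a stand-in for the masked outside address in the post, not the poster's real address; the wildcard-mask and first-match-wins logic is standard IOS behaviour.

```python
"""Model of the crypto-map ACL (100) and policy-NAT ACL (101) from the posted IOS config."""
import ipaddress

# Stand-in for the router's outside address (the real one is masked as 168.x.x.114).
OUTSIDE_ADDR = "203.0.113.114"

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# Entries as (action, (src, src_wildcard), (dst, dst_wildcard)), in config order.
ACL_100 = [  # crypto map SDM_CMAP_1 "match address 100": what gets encrypted
    ("permit", ("192.168.7.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
]
ACL_101 = [  # route-map SDM_RMAP_2 "match ip address 101": what gets translated
    ("deny", ("192.168.7.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
    ("permit", ("192.168.7.0", "0.0.0.255"), ANY),
]
# The same NAT ACL without the deny line, to show why the exemption matters.
ACL_101_NO_EXEMPTION = [
    ("permit", ("192.168.7.0", "0.0.0.255"), ANY),
]


def acl_permits(acl, src, dst):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def inside_to_outside(src, dst, nat_acl=ACL_101, crypto_acl=ACL_100):
    """Classify an inside->outside packet as 'vpn', 'nat' or 'plain'.

    Order of operations on IOS for this direction: NAT first, then the crypto
    map. A translated packet no longer has a 192.168.7.x source, so it can
    never match ACL 100 afterwards.
    """
    translated = acl_permits(nat_acl, src, dst)
    effective_src = OUTSIDE_ADDR if translated else src
    encrypted = acl_permits(crypto_acl, effective_src, dst)
    if encrypted:
        return "vpn"
    if translated:
        return "nat"
    return "plain"   # routed untranslated and unencrypted


if __name__ == "__main__":
    for dst in ("192.168.1.10", "64.233.167.104"):
        print(dst, "posted config:", inside_to_outside("192.168.7.50", dst),
              "| without deny line:",
              inside_to_outside("192.168.7.50", dst, nat_acl=ACL_101_NO_EXEMPTION))
```

With the posted ACL 101, traffic for 192.168.1.0/24 is left untranslated and encrypted, and everything else from 192.168.7.0/24 is translated. Drop the deny line and the same head-office traffic is translated, misses the crypto map and leaves the router in the clear, which is the failure mode that the SDM-generated "IPSec Rule" deny prevents.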
01-11-2007 03:05 PM
Hi,
I think I may have an answer for you. You obviously configured your IPSec tunnels through SDM. A wise move! Not always, though.
I believe your issue lies with your IP NAT statements. Your ACLs are correct, as are the crypto configs.
Now first add MTU settings to your interfaces.
!
interface fa0/0
ip tcp adjust-mss 1452
!
interface fa0/1
ip mtu 1492
!
Change your IP NAT statements as follows.
Remove the following two lines:
#ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
#ip nat inside source route-map SDM_RMAP_2 pool in-out overload
by typing a 'no' in front of each command in global config mode as follows:
#no ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
#no ip nat inside source route-map SDM_RMAP_2 pool in-out overload
Replace them with the following command:
# ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
It is not effective to have the IP NAT inside statement point to the IP Nat pool statement when you only have one public IP address.
And I think, just to tidy things up, remove the following:
#ip default-gateway 168.x.x.113
Now I suggest you try this when you know that nobody is using the network. Also, do not save the config after the changes until you know everything is working fine. If this does not work, just reload the router to go back to your previous config.
Remember to save your config before any modifications.
HTH. If it does, please rate this post.
Regards
Stephen
01-11-2007 07:01 PM
Stephen
I agree with most but not all of your suggestions. I think the symptoms do sound like an address translation issue and that the address translation should be configured differently.
Since he states that the VPN from the head office is working fine I am not sure that it is needed to change the MTU, though with VPNs I almost always do this. I do not agree with the suggestion to remove ip default-gateway 168.x.x.113. It is doing no harm and there is a circumstance where it might do some good. The default-gateway definition is used for IP hosts and while the router is acting as a router it would not use it. But if the router were ever to be acting as an IP host it would need it. The most likely thing that might cause this would be for the router to boot into rommon. In rommon the router is an IP host and without a default gateway it would be isolated. With a default gateway the router is potentially reachable.
HTH
Rick
01-12-2007 12:43 AM
Hi Lads,
Thanks for the info.
rburts, a lot of what I explained is just good practice, and it is configs that I have taken from previous and standard configurations that I have. In all my implementations the MTU settings are changed. For me it is just good practice (that's not to say it should be done).
The IP default gateway issue! I totally see what you mean. :)
It would not be my preferred way of doing it; personally I would not have it in a config (the less in a config the better, security etc.). But rburts is right, this would be used if the router was ever configured as a host.
Now, let's not get caught up in that. Try the NAT statements anyway, and see how you get on.
Cheers
Stephen
01-15-2007 12:11 PM
Thanks for the response.
I have made the above changes (except for the default gateway). The problem is however still there.
I did remember something that I had forgotten since setting up this router. That is, the VPN did not initially work right. I had to put a manual MTU setting (1414) on the webserver and laptop running behind it. I have deleted the manual MTU setting on the laptop and re-tested. The internet problem is still there, and the VPN is also not working correctly without the MTU setting.
01-15-2007 08:27 PM
Arthur
This additional information certainly sounds like the problem is an MTU problem (though I agree with Stephen that the NAT configuration was also contributing to the problem). I believe that the suggestion that Stephen made to configure ip tcp adjust-mss on the LAN interface would solve the problem, except that the value that he configured may not have been small enough. Configuring VPN frequently causes problems with MTU. I frequently configure the adjust-mss to a value of 1375 when I configure VPNs. If you set the MTU to 1414 and it worked I would suggest that you configure ip tcp adjust-mss 1414 and see what that does. And if it does not fix it I would suggest trying 1375.
Give this a try and let us know if it fixes it.
HTH
Rick
01-15-2007 10:15 PM
I have set the adjust-mss to 1403 (seems to be the max where the VPN works well) and removed the MTU on the server. The VPN is now working great (much easier than setting MTU in the server registry). I could not, however, set the IP MTU on the external interface. I tried with a few variations starting with mss + 40, and it always broke the VPN.
Connecting to the internet, however, is still a problem. I set some debugs and captured some output in the hope that it will give some clue as to what is happening (attachment).
debug ip nat
debug ip packet 177 det (177 filtered icmp only)
first ping 64.233.167.104
4 no responses
nothing in log
second ping 64.233.167.104 -l 1473
4 no responses
captured in log
anything lower than 1473 will not make the third ping work
third ping 64.233.167.104
4 replies
Thanks for your input.
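Added example, not posted by anyone in this thread: the size arithmetic behind the adjust-mss values discussed by Rick and Arthur above, written out in Python for the transform set in the config (esp-3des esp-sha-hmac, tunnel mode). It assumes a plain IPv4 outer header with no options, a 3DES block and IV of 8 bytes, a 12-byte HMAC-SHA1-96 ICV, and no NAT-Traversal unless asked for; the path MTU values are inputs, not measurements from this thread. The cipher parameters are arguments so the same function covers other transform sets.

```python
"""ESP tunnel-mode overhead and the MSS that avoids post-encryption fragmentation."""

IPV4_HDR = 20     # outer IPv4 header added by tunnel mode (no options assumed)
TCP_HDR = 20      # inner TCP header without options; MSS = inner MTU - 40
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
UDP_HDR = 8       # only present when NAT-Traversal wraps ESP in UDP/4500


def esp_tunnel_len(inner_len, block=8, iv_len=8, icv_len=12, nat_t=False):
    """Wire size of an inner_len-byte IP packet after ESP tunnel-mode encapsulation.

    Defaults match esp-3des esp-sha-hmac: 8-byte cipher block and IV,
    12-byte truncated SHA-1 ICV. Payload plus trailer is padded up to a
    whole number of cipher blocks, which is why the overhead is not constant.
    """
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # ceil to block size
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(path_mtu, **kw):
    """Largest inner IP packet whose encapsulation still fits path_mtu unfragmented."""
    for n in range(path_mtu, 0, -1):
        if esp_tunnel_len(n, **kw) <= path_mtu:
            return n
    raise ValueError("path MTU too small for any ESP packet")


def recommended_mss(path_mtu, **kw):
    """Value for 'ip tcp adjust-mss' on the LAN side: inner MTU minus IP and TCP headers."""
    return max_inner_len(path_mtu, **kw) - IPV4_HDR - TCP_HDR


def fits(mss, path_mtu, **kw):
    """True if a full-size segment with this MSS survives encryption without fragmentation."""
    return esp_tunnel_len(mss + IPV4_HDR + TCP_HDR, **kw) <= path_mtu


if __name__ == "__main__":
    for mtu in (1500, 1492):
        print(f"path MTU {mtu}: max inner {max_inner_len(mtu)}, "
              f"adjust-mss {recommended_mss(mtu)}")
    for mss in (1452, 1414, 1406, 1403, 1375):
        print(f"mss {mss} over a 1500-byte path:", "fits" if fits(mss, 1500) else "fragments")
    print("with NAT-T over 1500:", recommended_mss(1500, nat_t=True))
    print("AES-CBC/SHA-256 over 1500:", recommended_mss(1500, block=16, iv_len=16, icv_len=16))
```

Under these assumptions a 1500-byte inner packet grows to 1552 bytes on the wire, the largest inner packet that still fits a 1500-byte path is 1446 bytes, and the matching adjust-mss is 1406; 1403 and 1375 fit with margin, 1452 does not. Whether the upstream path really carries 1500 bytes is exactly what the -l ping experiments in the thread are probing, so the MTU argument should come from a measurement, not from the LAN interface.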