Cisco 819 seemingly blocking random services

LocusRobotics1
Level 1

I have a Cisco 819 with a Verizon SIM card in it and have it set up to be transparent, to hand off to a Meraki network. We seem to have connection to the site and I am able to VPN in, but some web pages are not working, and external services like Slack and socket comms seem to be not working.

 

For instance, I can go to bing.com and search and that works, but I can't go to some URLs like yahoo.com. I am able to ping yahoo.com and get DNS resolution, and when I tried to use that IP the site still times out. It doesn't appear to be a DNS issue. Wondering if anyone here can help me out and check over my config to see if maybe it's something in here doing it? The only thing that changed at this site was moving over to this box instead of using a USB stick modem in the MX.

 

Thanks

 

 

Current configuration : 8936 bytes
!
! Last configuration change at 17:54:40 UTC Thu Aug 30 2018 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1840704989
revocation-check none
rsakeypair TP-self-signed-1840704989
!
crypto pki certificate chain TP-self-signed-1840704989
certificate self-signed 01
#####
  quit
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.0.0.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username admin privilege 15 secret 5 password
!
redundancy
notification-timer 120000
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
  inspect
class type inspect Others
  inspect
class type inspect INTERNAL_DOMAIN_FILTER
  inspect
class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.9 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Cellular0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer string ltescript
dialer watch-group 1
async mode interactive
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description $ETH_LAN$
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.0.0.2 interface Cellular0
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 10.0.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line 8
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

3 Replies

Hello,

 

Currently you have only a single static NAT mapping, is this by design? Try to make the changes marked in bold to your NAT configuration and check if that makes a difference:

 

Current configuration : 8936 bytes
! Last configuration change at 17:54:40 UTC Thu Aug 30 2018 by admin
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1840704989
revocation-check none
rsakeypair TP-self-signed-1840704989
!
crypto pki certificate chain TP-self-signed-1840704989
certificate self-signed 01
#####
quit
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.0.0.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username admin privilege 15 secret 5 password
!
redundancy
notification-timer 120000
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.9 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Cellular0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer string ltescript
dialer watch-group 1
async mode interactive
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description $ETH_LAN$
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
--> no ip nat inside source static 10.0.0.2 interface Cellular0
ip nat inside source route-map NAT interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
match ip address NAT
match interface Cellular0
!
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 10.0.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line 8
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hello Georg, Thanks for your response.

 

I am using that so the router is transparent and just hands off an outside IP that ports can be forwarded through to an MX sitting behind it. I would rather just forward specific ports and have the NAT rule like you suggested, but I was unable to VPN and forward to internal websites with that NAT setup.

 

Also, I think there may be some sort of MTU issue going on here: I can ping out with MTU up to 1414, but past that it doesn't work. I manually forced the MTU to 1500/1428/1400 on both the cell0 and VLAN1 interfaces but was still seeing the same problem.

 

I have currently swapped this device with a USB stick and the site is working fine, and I am having it transported back to me to test at HQ to get it working. I can try those rules, but I am not sure that is the issue. If you have any other thoughts that would be great, and if not I will let you know what I see when I have hands on the device tomorrow.

 

Thanks 
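An added example, not part of this thread and not Cisco tooling, that ties the two observations together: the LAN-WAN zone-based firewall in the config posted at the top of the thread, and the ping ceiling of 1414 bytes reported in the reply above. It is a small Python audit that reads IOS running-config text, works out which application protocols LAN-WAN-POLICY actually inspects and what class-default does with everything else, notes whether NAT is only a single static mapping, and compares ip tcp adjust-mss with the MSS implied by the largest ping that got through. The CONFIG string is a constructed excerpt of the posted config containing only the statements the audit reads. Two assumptions are stated in the code: access-group matches are treated as non-restricting (the posted ACLs permit ip any any via object-groups), and the 1414 is read as a host-side ICMP payload size (Linux ping -s / Windows ping -l); a size measured with the IOS ping command counts the whole datagram, so pass icmp_overhead=0 in that case.

```python
# Added example (not from the thread, not Cisco tooling): audit the posted IOS config for
# what the zone-based firewall lets out of the LAN, what NAT exists, and whether
# ip tcp adjust-mss fits the path MTU the poster measured with ping.
import re

# Constructed excerpt of the poster's running-config (names as posted).
CONFIG = """
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
interface Vlan1
 ip tcp adjust-mss 1452
ip nat inside source static 10.0.0.2 interface Cellular0
"""


def parse_config(text):
    """Keyword-driven parse; does not rely on indentation (the forum copy lost it)."""
    class_maps, policy, nat_modes, mss = {}, {}, [], None
    cur_cm = cur_pc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            cur_cm = cur_pc = None
        elif m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
            cur_cm, cur_pc = m.group(2), None
            class_maps[cur_cm] = []                  # list of (kind, value) match lines
        elif (m := re.match(r"match (protocol|class-map|access-group name) (\S+)$", line)) and cur_cm:
            class_maps[cur_cm].append((m.group(1).split()[0], m.group(2)))
        elif line.startswith("policy-map type inspect "):
            cur_cm = cur_pc = None
        elif m := re.match(r"class (?:type inspect )?(\S+)$", line):
            cur_pc = m.group(1)
            policy[cur_pc] = None                    # action filled in by the next line
        elif cur_pc and line.split()[0] in ("inspect", "pass", "drop"):
            policy[cur_pc] = line.split()[0]
        elif m := re.match(r"ip tcp adjust-mss (\d+)$", line):
            mss = int(m.group(1))
        elif line.startswith("ip nat inside source "):
            nat_modes.append("overload" if line.endswith(" overload") else line.split()[4])
    return class_maps, policy, nat_modes, mss


def protocols_of(name, class_maps):
    """Protocols a class-map matches, following nested class-maps.  access-group matches are
    ignored (assumption): the posted ACLs permit ip any any via object-groups, so they narrow nothing."""
    found = set()
    for kind, value in class_maps.get(name, []):
        if kind == "protocol":
            found.add(value)
        elif kind == "class-map":
            found |= protocols_of(value, class_maps)
    return found


def recommended_mss(largest_ok_ping_payload, icmp_overhead=28, tcp_ip_headers=40):
    """Largest DF ping payload that passed -> path MTU -> TCP MSS.  Assumes a host ping that
    takes a payload size (Linux -s, Windows -l); IOS 'ping size' counts the whole datagram."""
    return largest_ok_ping_payload + icmp_overhead - tcp_ip_headers


def findings(text, largest_ok_ping_payload):
    """Audit notes for a config plus the poster's ping ceiling; an empty list means nothing to flag."""
    class_maps, policy, nat_modes, mss = parse_config(text)
    allowed = set()
    for cls, action in policy.items():
        if cls != "class-default" and action in ("inspect", "pass"):
            allowed |= protocols_of(cls, class_maps)
    notes = []
    if policy.get("class-default") == "drop":
        notes.append("LAN->WAN class-default drops: only traffic NBAR classifies as %s leaves the LAN; "
                     "anything else, including flows NBAR cannot classify, is dropped and logged."
                     % ", ".join(sorted(allowed)))
    if "static" in nat_modes and "overload" not in nat_modes:
        notes.append("Only a static one-to-one NAT mapping exists; other LAN hosts get no translation.")
    if mss is None or mss > recommended_mss(largest_ok_ping_payload):
        notes.append("ip tcp adjust-mss %s exceeds the %d the measured path supports."
                     % (mss, recommended_mss(largest_ok_ping_payload)))
    return notes
```

findings(CONFIG, 1414) returns three notes for the posted config. Feeding it the reply's candidate config instead (route-map NAT with overload, and adjust-mss lowered to the 1402 the ping ceiling implies) clears the second and third note, which makes it a quick check to run on a config before pushing it to the router; the first note is the one to keep in mind when a service that is not plain HTTP, HTTPS, mail, SIP, FTP, DNS or ICMP stops working behind this policy.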

Hello,

 

There is a lot of redundant configuration on your router, such as the ZBF. Unless you really need that, you might want to try just the basic configuration below, which typically works for the 819 4G routers.

 

Current configuration : 8936 bytes
! Last configuration change at 17:54:40 UTC Thu Aug 30 2018 by admin
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1840704989
revocation-check none
rsakeypair TP-self-signed-1840704989
!
crypto pki certificate chain TP-self-signed-1840704989
certificate self-signed 01
#####
quit
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.0.0.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
username admin privilege 15 secret 5 password
!
redundancy
notification-timer 120000
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.9 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Cellular0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer watch-group 1
async mode interactive
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description $ETH_LAN$
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
match ip address NAT
match interface Cellular0
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 10.0.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line 8
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
