05-25-2007 09:03 PM - edited 03-05-2019 04:18 PM
I would appreciate help with:
1. Port forwarding - my running config is attached and I cannot connect to the redirected ports from the WAN side - it is not working and I need port forwarding to work.
2. I would like to know if my WAN MTU on the ADSL port is set too low; it is 1452.
I have an IPSec VPN to my office and the PIX 506E in my office has MTU set to 1500 on its ports. When I created the VPN I got a message about problems with some packets due to an MTU mismatch.
regards, Mark
05-26-2007 03:18 PM
Hi,
1. When you use PAT you cannot use the same pair of IP source and destination.
So if x.x.x.x = 5.5.5.5 you have to do NAT like this: ip nat inside source static 192.168.2.23 25 5.5.5.5.
2. MTU mismatch is when you have too high an MTU on one side, so your MTU could actually be too high, depending on your IPsec configuration. I don't remember exactly, but: "The added header(s) varies in length depending on the IPsec configuration mode but they do not exceed ~58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet."
PPP is 8 bytes, so configure: mtu 1434.
(1400 is a good approximation.)
Keep in mind that adjust-mss only works for TCP, not UDP.
Check the scroll box at the bottom right :)
HTH
BR,
Bjornarsb
05-29-2007 02:56 AM
I do not understand your first point. Yes, x.x.x.x is not the inside IP and is already something like 5.5.5.5.
2. Are you saying I should lower the MTU on the PIX 506E to match the MTU of the 837?
regards, Mark
05-29-2007 03:01 AM
Hi again:
ip nat inside source static tcp 192.168.2.23 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.2.23 53 xxx.xxx.xxx.xxx 53 extendable
ip nat inside source static udp 192.168.2.23 53 xxx.xxx.xxx.xxx 53 extendable
ip nat inside source static tcp 192.168.2.23 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.2.23 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.2.23 1723 xxx.xxx.xxx.xxx 1723 extendable
need to be changed to:
ip nat inside source static 192.168.2.23 xxx.xxx.xxx.xxx (i.e. NAT, not PAT)
2. Maybe. First you need to change the MTU on your 837, because of IPsec and so on.
Try mtu 1400.
Then, if you are initiating traffic from the office, you should match the MTU on the other end. So try mtu = 1400 on both ends :)
BR,
Bjornarsb
05-29-2007 03:13 AM
Hi,
I do not think your solution to 1. will work. Also, there is another entry:
ip nat inside source static tcp 192.168.2.24 3389 xxx.xxx.xxx.xxx 3389 extendable
You have not mentioned this. Note it is for a different machine in the private network.
2. Traffic goes both ways from the office to home over the IPsec VPN. There are two interfaces on the 506E, inside and outside. If I change outside to 1400, will that affect the other traffic that goes over this interface? Should I change both inside and outside to the same as the 837?
regards,
Mark
05-29-2007 04:01 AM
Hi,
Yes, 1 will work if you use another public entry for the last statement.
2. Yes, but I don't know if you have tcp adjust-mss on the PIX? But I believe that you have path MTU discovery!
If you create a tunnel you can use tunnel path-mtu-discovery on the 837:
!
interface Tunnel1
ip address X 255.255.0.0
ip mtu 1400
ip tcp adjust-mss 1400
no ip split-horizon
tunnel source Dialer 1
tunnel destination X
tunnel key XXX
tunnel path-mtu-discovery
!
BR,
Bjornarsb
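The MTU arithmetic in this thread (1500 minus IPsec and PPP overhead), generalised to a stack of encapsulations and to the TCP MSS clamp that belongs with a given ip mtu. This is an added example, not code from the thread or from Cisco; the per-layer overhead values are assumptions, with the ~58-byte IPsec figure taken from the quote in the thread.

```python
"""MTU / MSS budget for an IPsec-protected PPPoE link, optionally with GRE.

Added example (not from the thread or Cisco). It generalises the thread's
1500 - 58 (IPsec) - 8 (PPP) = 1434 arithmetic to any stack of layers and
derives the `ip tcp adjust-mss` value that fits a chosen `ip mtu`.
"""

# Bytes added per encapsulation layer (assumed values, see comments).
OVERHEAD = {
    "pppoe": 8,        # PPPoE header 6 + PPP protocol field 2
    "gre": 24,         # outer IPv4 20 + GRE 4
    "gre_key": 28,     # outer IPv4 20 + GRE 4 + key 4 (a "tunnel key" is configured)
    "ipsec_esp": 58,   # upper bound quoted in the thread (ESP + ESP authentication)
}
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def inner_mtu(physical_mtu, layers):
    """Largest inner IP packet that still fits after every layer is added."""
    return physical_mtu - sum(OVERHEAD[name] for name in layers)


def mss_for_mtu(ip_mtu):
    """TCP MSS that fits an IP MTU: MSS excludes the IP and TCP headers."""
    return ip_mtu - IPV4_TCP_HEADERS


def check_clamp(ip_mtu, adjust_mss):
    """True if `ip tcp adjust-mss <adjust_mss>` is consistent with `ip mtu <ip_mtu>`."""
    return adjust_mss + IPV4_TCP_HEADERS <= ip_mtu


if __name__ == "__main__":
    # The 837 case from the thread: Ethernet 1500 behind PPPoE and IPsec.
    mtu = inner_mtu(1500, ["pppoe", "ipsec_esp"])
    print("ip mtu", mtu, "-> adjust-mss", mss_for_mtu(mtu))
    # GRE with a tunnel key, carried over IPsec over PPPoE, as in the Tunnel1 config.
    mtu = inner_mtu(1500, ["pppoe", "ipsec_esp", "gre_key"])
    print("tunnel ip mtu", mtu, "-> adjust-mss", mss_for_mtu(mtu))
    # The posted pair 'ip mtu 1400' / 'ip tcp adjust-mss 1400' leaves the MSS 40 bytes too big.
    print("clamp consistent:", check_clamp(1400, 1400))
```

Because the MSS counts only TCP payload, the adjust-mss value has to sit at least 40 bytes below the interface's ip mtu, otherwise full-size segments still need fragmentation on the tunnel.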
05-29-2007 04:09 AM
I will give it a try in the morning.
Can you clarify your statement:
"Yes, 1 will work if you use another public entry for the last statement."
So I have two entries, one for 192.168.2.23 and one that is for one port on 192.168.2.24.
I do not think this will work; I have read that your suggested solution is for all ports. I still think my problem is access-list related, but I will give anything a go now.
regards, Mark
05-29-2007 04:20 AM
Hi,
The problem is that you probably only have one IP (negotiated), so it's best to move the 3389 service from 192.168.2.24 to 192.168.2.23.
And you also need to use:
ip nat inside source static 192.168.2.23 interface Dialer1
If you get a different IP (long term) you have to use DynDNS too.
Or try this:
!
interface Dialer1
ip address negotiated previous
encapsulation ppp
!
BR,
Bjornarsb
05-29-2007 04:24 AM
I cannot move the 3389 to 2.23; thus herein lies the problem.
I have been told it will work, the question is how. When I try to connect to a port from outside I get asked for username, password, on port 80 and then it says it is the http server on the 837. This is why I think it is an access-list issue.
Any ideas appreciated.
regards, Mark
05-29-2007 04:31 AM
Try:
no ip http authentication
Then you will get access to the router web configuration.
Port 80 forwarding to your server on the inside does not work because of my first post :)
Actually you should use:
ip http secure-server
and use https.
BR,
Bjornarsb