11-25-2017 11:23 PM - edited 03-08-2019 12:52 PM
I have an issue regarding how PPP behaves with a CenturyLink DSL modem in bridge mode. I have two sites with the same essential setup and both are using overload NAT to provide internet to the LAN. My goal is to have IPSEC GRE tunnels between sites but I have been dealing with oddities regarding NAT that I have never come across with cable internet. Primarily I had to find a workaround for SSH access, as I could not SSH into the routers on their WAN IP. In fact, all traffic destined to the router appears to fail, including traffic originated by the router such as pings to 4.2.2.2.
My workaround involved adding a PAT entry to forward SSH to the LAN interface's IP, which works. I see this as a potential issue with IPSEC GRE tunnels.
Here are my configs for each site. Please advise as to where to begin regarding these odd issues.
Site A
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname A-RTR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 409600
enable secret XXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone PDT -8 0
clock summer-time PDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
username admin secret XXXX
!
redundancy
!
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Loopback0
description *OSPF Loopback
ip address 10.2.254.1 255.255.255.255
!
interface FastEthernet0/0
description *To A-MLS01 Fa0/48
ip address 10.2.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1
mtu 1492
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface Dialer0
description Dialer to CenturyLink
mtu 1492
bandwidth 500
bandwidth receive 7000
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
ip ospf 1 area 0
dialer pool 1
ppp chap hostname XXXX@qwest.net
ppp chap password XXXX
ppp pap sent-username XXXX@qwest.net password XXXX
no cdp enable
!
router ospf 1
router-id 10.2.254.1
passive-interface Dialer0
network 10.2.0.1 0.0.0.0 area 0
network 10.2.254.1 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 10.2.0.1 22 interface Dialer0 22
ip nat inside source list NAT-OUT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-OUT
permit ip any any
deny ip any any log
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input ssh
line vty 5 15
exec-timeout 5 0
transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
ntp server X.X.X.X
end
Site B
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname B-RTR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
enable password XXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 15
clock timezone PDT -8 0
clock summer-time PDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username admin secret XXXX
!
redundancy
!
!
ip ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
description *OSPF Loopback
ip address 10.3.254.1 255.255.255.255
!
interface FastEthernet0/0
description *To B-MLS01 Fa0/48
ip address 10.3.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Dialer0
description Dialer to CenturyLink
bandwidth 500
bandwidth receive 7000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname XXXX@qwest.net
ppp chap password XXXX
ppp pap sent-username XXXX@qwest.net password XXXX
!
router ospf 1
router-id 10.3.254.1
passive-interface Dialer0
network 10.3.0.1 0.0.0.0 area 0
network 10.3.254.1 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-OUT interface Dialer0 overload
ip nat inside source static tcp 10.3.0.1 22 interface Dialer0 22
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-OUT
permit ip any any
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input ssh
line vty 5 15
exec-timeout 5 0
transport input ssh
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 97.127.84.241
end
Accepted Solutions
11-26-2017 05:18 AM
I see no reason to use an extended access list for nat (especially when it is permit ip any any). I suggest that you change your config to use a standard access list for nat. I have seen some odd behaviors when nat uses permit any. Could you change the nat access list to permit your inside/private address space?
HTH
Rick
11-26-2017 10:38 AM
Fantastic! I've always used extended named ACLs because they looked cleaner and were easier to identify. This worked as soon as I changed it and all the other oddities fixed themselves! Much appreciation!
11-26-2017 11:06 AM
I am glad that my suggestion did provide a solution for your problem. Thank you for marking this question as solved. I do agree that named access lists are easier to identify than numbered access lists. Can you clarify whether you just changed from extended access list to standard access list, or did you also change from permit any to permit <your_internal_network>?
HTH
Rick
11-27-2017 07:56 AM
I did both
access-list 1 permit 10.2.0.0 0.0.255.255
ip nat inside source list 1 interface Dialer0 overload
Although I am still having a couple of quirky issues with my other site. Certain TLS-enabled sites like cisco.com and a company operations program refuse to load or take a long time to confirm and complete the TLS handshake. I confirmed this by using another internet line that has an ISP-provided router from HughesNet.
Possibly more to come but this solution resolved the odd issues with the tunnels and SSH.
11-27-2017 11:03 AM
Thanks for confirming that you did both. I am glad that this resolved at least some of your quirky issues. Please let us know if there are further developments.
HTH
Rick
12-13-2017 10:27 AM - edited 12-14-2017 04:36 PM
Dupe reply!
12-13-2017 10:35 AM
I hate to bump this thread, but issues are still occurring... It seems TLS enabled apps on Android devices are being odd. They appear to timeout and not load content but a Windows 10 PC accesses the actual websites without issue. I did some digging and pulled a packet capture which shows transmissions and at the end TCP resets.... I attached the packet capture for review in hopes someone may have seen this before.... Updated config of the router is shown below:
Current configuration : 4137 bytes
!
! Last configuration change at 09:35:10 PDT Wed Dec 13 2017 by admin
! NVRAM config last updated at 13:54:15 PDT Tue Dec 12 2017 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 409600
enable password 7 secret
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone PDT -8 0
clock summer-time PDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
ip domain name comp.corp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username admin secret 5 secret
!
redundancy
!
!
ip tftp source-interface FastEthernet0/0
ip ssh version 2
!
crypto keyring VPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key PSKSTRING
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp profile VPN-CPROFILE
keyring VPN-KEYRING
match identity address 0.0.0.0
!
!
crypto ipsec transform-set VPN-TSET esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE
set transform-set VPN-TSET
set pfs group2
set isakmp-profile VPN-CPROFILE
!
!
!
!
!
!
!
interface Loopback0
description *OSPF Loopback
ip address 10.2.254.1 255.255.255.255
!
interface Tunnel0
description To DTA
ip address 172.20.0.5 255.255.255.252
load-interval 30
keepalive 10 3
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel destination DSTIPADDR
tunnel protection ipsec profile VPN-PROFILE
!
interface Tunnel1
description To EPA
ip address 172.20.0.2 255.255.255.252
load-interval 30
shutdown
keepalive 10 3
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-PROFILE
!
interface FastEthernet0/0
description *To MLS Fa0/48
ip address 10.2.0.1 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1
mtu 1492
bandwidth 500
bandwidth receive 3000
no ip address
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Dialer0
description Dialer to CenturyLink
mtu 1492
bandwidth 500
bandwidth receive 3000
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
ppp chap hostname PPPUSER
ppp chap password 7 PPPPASSWORD
ppp pap sent-username PPPUSER password 7 PPPPASSWORD
no cdp enable
!
router ospf 1
router-id 10.2.254.1
passive-interface FastEthernet0/1
passive-interface Dialer0
passive-interface Loopback0
network 10.2.0.1 0.0.0.0 area 0
network 10.2.254.1 0.0.0.0 area 0
network 172.20.0.1 0.0.0.0 area 0
network 172.20.0.5 0.0.0.0 area 0
default-information originate
distribute-list prefix DENY-DEFAULT in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.10.25 8000 interface Dialer0 8000
ip nat inside source static tcp 10.2.10.25 8554 interface Dialer0 8554
ip nat inside source static tcp 10.2.10.25 8994 interface Dialer0 8994
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip prefix-list DENY-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list DENY-DEFAULT seq 10 permit 0.0.0.0/0 le 32
logging esm config
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 100 permit ip host 10.2.10.122 any
access-list 100 permit ip any host 10.2.10.122
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input ssh
line vty 5 15
exec-timeout 5 0
transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
ntp server 97.127.84.241
end
Also! The previous issue that was persistent after I fixed the extended access-list issue was due to using "ip mtu 1492" vs "mtu 1492" on the dialer interface. So this is the last issue.
Another detail regarding the environment, for the sake of troubleshooting context: all devices are connected to a Cisco WAP1142 which then connects to a CAT3560.
|WAP|----|CAT3560|-----|C2811|----|Zyxel Modem(Bridge)|----|CenturyLink|
  ||
  ||---------|
|Android|  |Win10|
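The MSS/MTU sanity check a practitioner would run over the capture mentioned above, as an added example that is not part of the thread: it takes the "mtu 1492" and "ip tcp adjust-mss 1452" values from the config and flags segments that do not fit the PPPoE link, plus any resets. The segment records, the inside host 10.2.10.50 and the server 203.0.113.10 are constructed; a real capture would be exported from Wireshark or tshark into the same fields.

```python
# Added example (not from the thread): check captured TCP segments against the PPPoE link
# values in the config above ('mtu 1492' on Dialer0, 'ip tcp adjust-mss 1452').
# The records below are constructed to mimic fields exported from a capture with tshark.
from dataclasses import dataclass
from typing import List, Optional

PPPOE_MTU = 1492        # 'mtu 1492' on Dialer0
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def expected_mss(mtu: int = PPPOE_MTU) -> int:
    """Largest TCP payload that fits one packet on the link: 1492 - 40 = 1452."""
    return mtu - IPV4_TCP_OVERHEAD

@dataclass
class Segment:
    src: str
    dst: str
    flags: str                 # compact TCP flag letters: "S", "SA", "PA", "R", ...
    ip_len: int                # IPv4 total length in bytes
    df: bool                   # Don't Fragment bit
    mss: Optional[int] = None  # MSS option, carried on SYN / SYN-ACK only

def audit(segments: List[Segment], inside_prefix: str = "10.2.",
          mtu: int = PPPOE_MTU) -> List[str]:
    """Report symptoms of an MSS/MTU mismatch. On a LAN-side capture the router has
    already rewritten the MSS of SYN/SYN-ACKs heading to an inside host, so a value
    above the clamp there means adjust-mss is not taking effect on that path."""
    clamp = expected_mss(mtu)
    findings = []
    for s in segments:
        if ("S" in s.flags and s.dst.startswith(inside_prefix)
                and s.mss is not None and s.mss > clamp):
            findings.append(f"{s.src}->{s.dst}: MSS {s.mss} above clamp {clamp}")
        if s.ip_len > mtu and s.df:   # cannot be fragmented; dropped unless PMTUD works
            findings.append(f"{s.src}->{s.dst}: {s.ip_len}-byte DF packet exceeds MTU {mtu}")
        if "R" in s.flags:
            findings.append(f"{s.src}->{s.dst}: TCP reset")
    return findings

# Constructed sample (203.0.113.10 is a documentation address): a TLS handshake whose
# server reply does not fit the link, followed by a reset like the one in the thread.
SAMPLE = [
    Segment("10.2.10.50", "203.0.113.10", "S", 60, True, mss=1460),
    Segment("203.0.113.10", "10.2.10.50", "SA", 60, True, mss=1460),  # not clamped
    Segment("10.2.10.50", "203.0.113.10", "A", 40, True),
    Segment("10.2.10.50", "203.0.113.10", "PA", 557, True),           # ClientHello
    Segment("203.0.113.10", "10.2.10.50", "PA", 1500, True),          # ServerHello + certs
    Segment("203.0.113.10", "10.2.10.50", "R", 40, True),
]
```

Running audit(SAMPLE) on the constructed records reports the unclamped SYN-ACK, the 1500-byte DF segment and the reset; on a real capture, an empty result for the MSS and DF checks points away from the link MTU and toward something else.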
12-13-2017 01:20 PM
Sorry to hear that other issues are happening. I looked at the file you attached but what I am seeing is not legible text.
HTH
Rick
12-13-2017 09:54 PM
You'll have to change the extension to pcap and open it in wireshark.
12-17-2017 10:44 AM
12-18-2017 02:35 PM
Glad to hear that you have it sorted out.
HTH
Rick
12-17-2017 03:10 PM
