sr520 NAT issue

james_flockton
Level 1

Hi, I have what appears to be a problem with NAT. I think it's PAT that is causing me problems, but I'm really not sure and would appreciate any help you may be able to offer me.

The problem is that I cannot browse websites from the server from the inside of the network, other than Google.com.

The scenario is quite simple and is as follows:

We have a Cisco SR520 attached to our ADSL2 connection to the naked internet. Attached to a LAN interface of the router I have a server; that server is a Windows 2003 server with an IP of 192.168.1.2. The router has the following version:

Cisco IOS Software, SR520 Software (SR520-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 08:12 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI5, RELEASE SOFTWARE

wtk_sr520_1_1.1 uptime is 3 minutes
System returned to ROM by reload
System image file is "flash:sr520-advipservicesk9-mz.124-24.T5.bin"
Last reload reason: Reload Command

Cisco SR520W-ADSL (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FGL151623KZ
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
36864K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

The router has the following configuration:

Current configuration : 5667 bytes
!
version 12.4
no service pad

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wtk_sr520_1_1.1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 100000
enable secret 5 #####
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3735572396
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3735572396
revocation-check none
rsakeypair TP-self-signed-3735572396
!
!
crypto pki certificate chain TP-self-signed-3735572396
certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid ####
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ####
!
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   domain-name home.lan
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name home.lan
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ### privilege 15 password 7 ####
!
!
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/38
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description Server
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 10
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers aes-ccm
!
broadcast-key vlan 10 change 45
!
!
ssid ####
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
rts threshold 2312
!
interface Dot11Radio0.1
encapsulation dot1Q 1
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan10
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Dialer0
ip address negotiated
ip access-group IP-IN in
ip access-group IP-OUT out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname HOSTNAME
ppp chap password 7 021608505A545B
ppp pap sent-username USER_NAME password 7 ####
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.2 3389 interface Dialer0 3389
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended IP-IN
permit ip any any log
deny   ip any any log
ip access-list extended IP-OUT
permit ip any any log
deny   ip any any log
!
access-list 1 permit 192.168.1.0 0.0.0.255 log
access-list 1 permit 10.0.0.0 0.0.0.255 log
access-list 1 deny   any log
access-list 2 permit any log
dialer-list 1 protocol ip list 1
!
!
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end

8 Replies

james_flockton
Level 1

The above is the oddest thing: you can browse just about all of google.com, but as soon as you click off google.com, i.e. into a search result or something, it just dies.

Many thanks for your help in advance, James

The statics work perfectly; it just seems to be the dynamic that is failing, but I'm struggling to debug it.

This show is from me going to www.google.com:

sr520_1_1.1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

udp OUTSIDE_ADDRESS:26399 192.168.1.2:26399 8.8.4.4:53         8.8.4.4:53
tcp OUTSIDE_ADDRESS:28710 192.168.1.2:28710 209.85.143.104:80  209.85.143.104:80
tcp OUTSIDE_ADDRESS:28711 192.168.1.2:28711 209.85.143.104:80  209.85.143.104:80
tcp OUTSIDE_ADDRESS:28712 192.168.1.2:28712 209.85.227.120:80  209.85.227.120:80
tcp OUTSIDE_ADDRESS:28720 192.168.1.2:28720 72.167.232.118:80  72.167.232.118:80
tcp OUTSIDE_ADDRESS:28741 192.168.1.2:28741 208.83.137.23:2703 208.83.137.23:2703
tcp OUTSIDE_ADDRESS:28748 192.168.1.2:28748 209.85.143.104:80  209.85.143.104:80

This show is me attempting (and failing) to go to www.bbc.co.uk:

sr520_1_1.1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp OUTSIDE_ADDRESS:12793 192.168.1.2:12793 8.8.4.4:53         8.8.4.4:53
udp OUTSIDE_ADDRESS:20127 192.168.1.2:20127 8.8.4.4:53         8.8.4.4:53
udp OUTSIDE_ADDRESS:20127 192.168.1.2:20127 8.8.8.8:53         8.8.8.8:53
tcp OUTSIDE_ADDRESS:28762 192.168.1.2:28762 212.58.244.66:80   212.58.244.66:80
udp OUTSIDE_ADDRESS:31466 192.168.1.2:31466 8.8.4.4:53         8.8.4.4:53
udp OUTSIDE_ADDRESS:31466 192.168.1.2:31466 8.8.8.8:53         8.8.8.8:53
udp OUTSIDE_ADDRESS:36742 192.168.1.2:36742 8.8.8.8:53         8.8.8.8:53
udp OUTSIDE_ADDRESS:57331 192.168.1.2:57331 8.8.4.4:53         8.8.4.4:53

paolo bevilacqua
Hall of Fame

Configure:

interface Dialer0
 mtu 1492
 no ip access-group IP-IN in
 no ip access-group IP-OUT out
 no cdp run
interface bvi1
 ip tcp adjust-mss 1452
interface bvi10
 ip tcp adjust-mss 1452
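
Why "mtu 1492" and "ip tcp adjust-mss 1452" belong together, as an added Python model that is not part of this thread or of Cisco IOS: PPPoE takes 8 bytes out of the 1500-byte Ethernet MTU, and IPv4 plus TCP headers take another 40, so a LAN host's default MSS of 1460 has to be clamped to 1452 on the SYN or full-size replies from a web server no longer fit the PPPoE link. All names and values below are constructed for illustration.

```python
"""Model of the PPPoE MTU / TCP MSS clamp from the accepted fix.
Added worked example, not part of the original thread or of Cisco IOS; values
are constructed and the IOS commands are only imitated, not emulated."""
from dataclasses import dataclass
from typing import Optional

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8     # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet a PPPoE frame can carry: 1500 - 8 = 1492 ('mtu 1492')."""
    return link_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """TCP payload that fits one packet of this MTU: 1492 - 40 = 1452."""
    return mtu - IP_TCP_HEADERS


def clamp_mss(advertised: int, adjust_mss: Optional[int]) -> int:
    """'ip tcp adjust-mss N' rewrites the SYN's MSS option only when it exceeds N."""
    return advertised if adjust_mss is None else min(advertised, adjust_mss)


@dataclass
class Outcome:
    mss_seen_by_peer: int   # MSS option the remote server receives
    largest_packet: int     # IP packet size of a full-size segment from that server
    delivered: bool         # True if it fits the Dialer0 MTU without fragmentation


def full_segment_transit(adjust_mss: Optional[int], dialer_mtu: int) -> Outcome:
    """A LAN host (Ethernet, MTU 1500) opens a TCP session and the remote web
    server replies with full-size segments marked DF. Anything larger than the
    PPPoE MTU cannot be forwarded, so large responses stall unless the MSS the
    server saw was clamped on the SYN."""
    host_mss = mss_for_mtu(ETHERNET_MTU)           # 1460, a typical LAN host
    seen = clamp_mss(host_mss, adjust_mss)
    packet = seen + IP_TCP_HEADERS
    return Outcome(seen, packet, delivered=packet <= dialer_mtu)


def small_response_fits(payload_bytes: int, dialer_mtu: int) -> bool:
    """Responses small enough for one sub-MTU packet survive even without the
    clamp, which is why a few lightweight pages can still load."""
    return payload_bytes + IP_TCP_HEADERS <= dialer_mtu
```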

I was using the access-group for trying to monitor traffic through the device, why would adjusting the MTU size down to 1492 sort this out?

Thank you for your reply by the way, I'm testing it out now.

James

For monitoring, use netflow. Even without a collector, you can see the flows with a CLI command.

If you want to see why the dialer interface has to be configured like that, take debug ppp negotiation and you will understand.

Well Paolo, I cannot thank you enough, thanks for taking the time on a weekend to reply to me, it was very kind of you and 100% on the money.

James

No sweat, thanks for the nice rating and good luck!
