09-04-2012 08:45 AM
Hi, I have installed a CISCO v887 router in the Amsterdam office.
I established a VPN tunnel between the AMS office and the Edinburgh office.
1. The VPN is up and running.
2. I am unable to browse anything from the LAN computers in the Amsterdam office.
3. From the LAN computers I can traceroute to yahoo.com, but from a browser I can't browse yahoo.com; the web page hangs in this situation (website found, waiting for reply). Nothing comes back, and LAN users are unable to use the internet.
Please help.
My configuration is:
ip source-route
!
!
!
!
ip cef
ip domain name xxxxxx.com
ip name-server 8.8.8.8
no ipv6 cef
!
username xxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxx
!
!
controller VDSL 0
!
ip ssh version 1
ip ssh pubkey-chain
username xxxxxxx
key-hash ssh-rsa xxxxxxxxxxxxxxxxxxx
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 94.xx.xx.xx
!
!
crypto ipsec transform-set AMS-SET esp-des esp-sha-hmac
!
crypto map AMS-R 10 ipsec-isakmp
set peer 94.xx.xx.xx
set transform-set AMS-SET
match address 102
!
!
!
!
!
interface Ethernet0
no ip address
pppoe-client dial-pool-number 10
!
!
interface Ethernet0.6
encapsulation dot1Q 6
pppoe-client dial-pool-number 10
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
load-interval 30
speed 100
pppoe-client dial-pool-number 10
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
ip address 10.0.12.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
!
interface Dialer0
no ip address
shutdown
!
!
interface Dialer10
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 10
dialer-group 10
ppp authentication pap callin
ppp chap hostname xxx@xxx-ZDSL
ppp chap password 0 xxx
ppp pap sent-username xxxx@xxx-ZDSL password 0 xxx
no cdp enable
crypto map AMS-R
!
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
access-list 102 permit ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 deny ip any any
access-list 175 deny ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 175 deny ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 deny ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 175 permit ip 10.0.12.0 0.0.0.255 any
dialer-list 10 protocol ip permit
dialer-list 1 protocol ip permit
!
!
!
route-map nonat permit 10
match ip address 175
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
password xxxxxx
login local
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
end
09-04-2012 08:58 AM
Hi Mahmood,
Two things to mention:
1- You are not supposed to reach "yahoo.com" across the tunnel, at least not based on your configuration:
Name: yahoo.com
Addresses: 98.139.183.24, 72.30.38.140, 98.138.253.109
Crypto ACL:
access-list 102 permit ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 deny ip any any
* The "deny ip any any" is not required.
2- Unless you want to send this traffic over the VPN tunnel and have the remote VPN endpoint provide Internet access across the tunnel, I think this is not a VPN issue.
Please let us know.
Thanks.
Portu
09-04-2012 09:37 AM
Hi Mahmood,
Please add these highlighted lines below on both interfaces.
interface Vlan1
ip tcp adjust-mss 1412
interface Dialer10
ip mtu 1452
Please update.
thanks
09-04-2012 09:52 AM
Going out of the VPN scope, I agree with rizwanr74.
Just to give you a little background on what those commands do.
The ideal TCP MSS value is calculated as follows:
TCP MSS = MTU - (TCP + IP headers)
= 1452 - (20 + 20)
= 1412
Doing this you optimize the TCP connections, since fragmentation is avoided (the resulting packet does not exceed the MTU size).
You configure TCP MSS on the source interface, VLAN 1 in this case.
Test it out and let us know.
09-05-2012 01:15 AM
interface Vlan1
ip tcp adjust-mss 1412
It worked, thanks a lot.
09-05-2012 05:34 AM
Hi Mahmood,
Good news!
Please rate any post you found useful.
09-05-2012 06:41 AM
I have one more problem.
I want to enable outbound SSH access to this router. I am able to SSH to the router using its local IP, but I am not able to access the router from its public IP. I have tried to allow SSH from different access lists, like
access-list 175 permit tcp any any eq ssh
but nothing worked.
Can you please help me fix this issue?
09-05-2012 06:52 AM
Hi Mahmood,
"Can you please help me fix this issue?"
Please remove this highlighted line.
line vty 0 4
access-class 1 in
Thanks
Rizwan Rafeek.
09-05-2012 07:50 AM
Hi Rizwan,
Thanks for your reply, but that command did not work.
line vty 0 4
access-class 1 in
09-05-2012 08:48 AM
Hi Mahmood,
Please post the output from the debug when you initiate SSH from outside your internal network.
debug ip ssh
thanks
09-05-2012 02:01 PM
Mahmood,
In addition to the "debug ip ssh", please verify the next steps:
Action plan:
Check if there is an RSA key-pair:
show crypto key mypub rsa
If the output does not display anything, then generate the RSA key-pair:
crypto key generate rsa general-keys modulus 1024 exportable
If it gives you the "% Please define a domain-name first." error, define a domain-name and generate the RSA key-pair.
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024 exportable
Then check the RSA key-pair:
2811#show crypto key mypub rsa
% Key pair was generated at: 20:54:28 UTC Sep 5 2012
Key name: 2811.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C5C7BB
321C2B96 2C5A14E9 A64D784F 9E15265E 3AF8D5BE 5B80A296 895C873B 357EBB62
E7D7552B 0C3FE170 F9BA0AAC D34BE267 5E15BF6E B616D55B 3A1D4C3E FA9C1197
FBD7300F 70AD1EDE 08FE05B6 A7C121CA 751D6182 C003DCE2 F621DB31 7E665FAC
35381483 3B50F0C8 7F13A61C 35B270C4 6281FDBB 73089810 39D57D89 19020301 0001
% Key pair was generated at: 20:54:30 UTC Sep 5 2012
Key name: 2811.cisco.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BDD811 8FC6EA0D
4C2B8557 886C0E0B ABE6805F FA3A08E0 87226F8A B45653ED 6EA0B60D 2C89BB0A
09BDF276 88BB3FF5 93700270 DB7AD828 FD8BB538 C7EBD01E 30F4C523 3CD051C9
8E730AAB 8121AABC 010EBFAB 98DCB537 6C452BBA 4D70D801 F9020301 0001
Then make sure SSH version 2 is configured:
ip ssh version 2
Then make sure the VTY lines allow SSH:
line vty 0 15
transport input ssh
At that point it should, at least, give you the prompt to enter your credentials.
Let me know.
Thanks.
Portu.
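Portu's action plan above can be checked against the running configuration before touching the box. The following is an added example (not code from the thread or from Cisco): a small lint over an IOS config text that flags the conditions the plan lists, plus one more a practitioner would want, a vty access-class that references an access-list the config never defines (the posted config has "access-class 1 in" on the vty lines but no "access-list 1"). The sample config is a constructed excerpt of the configuration posted in the thread, with the same elided values; the hardened variant is an assumption of what the plan would produce.

```python
import re

# Constructed excerpt of the configuration posted in the thread (values elided as in the post).
POSTED_CONFIG = """\
ip domain name xxxxxx.com
ip ssh version 1
ip http server
no ip http secure-server
access-list 175 permit ip 10.0.12.0 0.0.0.255 any
!
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
password xxxxxx
login local
transport preferred ssh
transport input ssh
!
end
"""

# Assumed result of applying the action plan: SSH v2 and a defined management ACL.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "ip ssh version 1", "ip ssh version 2"
).replace(
    "access-list 175", "access-list 1 permit 10.0.12.0 0.0.0.255\naccess-list 175"
)


def ssh_access_findings(config: str) -> list[str]:
    """Return human-readable problems that would stop remote SSH from working or leave it weak."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. A domain name is required before 'crypto key generate rsa' will run.
    if not any(re.match(r"ip domain[- ]name \S+", ln) for ln in lines):
        findings.append("no ip domain name: 'crypto key generate rsa' will refuse to run")

    # 2. SSH protocol version: the thread recommends 'ip ssh version 2'; v1 is obsolete.
    version = next((ln for ln in lines if ln.startswith("ip ssh version")), None)
    if version != "ip ssh version 2":
        findings.append(f"SSH version line is {version!r}; set 'ip ssh version 2'")

    # 3. Collect every access-list the config actually defines (numbered or named).
    defined = set()
    for ln in lines:
        m = re.match(r"access-list (\S+) ", ln) or re.match(r"ip access-list (?:standard|extended) (\S+)", ln)
        if m:
            defined.add(m.group(1))

    # 4. Walk the vty section(s): dangling access-class and missing transport input ssh.
    # Forum-pasted configs lose indentation, so a section ends at '!', 'end' or the next 'line '.
    in_vty = False
    transport = None
    for ln in lines:
        if ln.startswith("line "):
            in_vty = ln.startswith("line vty")
            continue
        if ln in ("!", "end"):
            in_vty = False
            continue
        if not in_vty:
            continue
        m = re.match(r"access-class (\S+) in", ln)
        if m and m.group(1) not in defined:
            findings.append(f"vty access-class references access-list {m.group(1)}, which is not defined")
        if ln.startswith("transport input"):
            transport = ln.split()[2:]
    if transport is None or ("ssh" not in transport and "all" not in transport):
        findings.append("vty lines do not accept SSH: add 'transport input ssh'")

    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, ssh_access_findings(cfg) or "OK")
```

The lint reads the text as pasted on the page (no indentation), so section boundaries are the "!" separators; on a real "show running-config" the vty children are indented and the same walk still works. It does not replace "show crypto key mypubkey rsa": whether an RSA key pair exists is not visible in the config.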
09-05-2012 06:44 AM
Mahmood,
Good that worked out for you.
FYI...
Since you are running IPsec, you may want to consider lowering the MTU size, as you do not want packets being fragmented.
Thanks
Rizwan Rafeek
Please rate helpful posts, so that they will be helpful for someone else.
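The MSS arithmetic in the earlier reply (MSS = MTU - 40 = 1452 - 40 = 1412) and the suggestion just above to lower the MTU further because of IPsec, carried through as an added example that is not code from the thread. It generalizes the page's one subtraction: ESP tunnel mode adds an outer IPv4 header, an 8-byte ESP header, the cipher IV, CBC padding, a 2-byte trailer and the ICV, so the inner packet has to shrink if the encrypted packet is also to fit the link MTU. The overhead sizes are the standard ones for the posted transform set (esp-des esp-sha-hmac: 8-byte IV and block, 12-byte HMAC-SHA1-96 ICV); that the dialer's "ip mtu 1452" is the bound the encrypted packet must meet is an assumption to confirm on the router with "show crypto ipsec sa".

```python
# Added example, not from the thread: MSS/MTU arithmetic for a PPPoE + IPsec link.
IPV4_HDR = 20
TCP_HDR = 20
PPPOE_HDR = 8   # 6-byte PPPoE header + 2-byte PPP protocol field on an Ethernet frame


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS to clamp so a full segment plus IPv4 and TCP headers fits one packet of `mtu` bytes."""
    return mtu - IPV4_HDR - TCP_HDR


def esp_tunnel_overhead(inner_len: int, iv_len: int = 8, block: int = 8, icv_len: int = 12) -> int:
    """Bytes ESP tunnel mode wraps around an inner IPv4 packet of `inner_len` bytes.

    Defaults match the thread's transform set esp-des esp-sha-hmac: DES-CBC has an
    8-byte IV and 8-byte block; HMAC-SHA1-96 gives a 12-byte ICV.
    """
    outer_ip = 20
    esp_hdr = 8       # SPI + sequence number
    trailer = 2       # pad length + next header
    pad = (-(inner_len + trailer)) % block   # CBC padding: payload + trailer fills whole blocks
    return outer_ip + esp_hdr + iv_len + pad + trailer + icv_len


def max_inner_packet(link_mtu: int, **esp) -> int:
    """Largest inner IPv4 packet whose encrypted form still fits `link_mtu` without fragmentation."""
    for inner_len in range(link_mtu, 0, -1):
        if inner_len + esp_tunnel_overhead(inner_len, **esp) <= link_mtu:
            return inner_len
    raise ValueError("link MTU too small for any packet")


def mss_through_ipsec(link_mtu: int, **esp) -> int:
    """MSS to clamp on the LAN side (Vlan1 in the thread) so encrypted packets need no fragmentation."""
    return tcp_mss_for_mtu(max_inner_packet(link_mtu, **esp))


if __name__ == "__main__":
    # Assumed link: PPPoE over 1500-byte Ethernet, dialer 'ip mtu 1452' as in the post.
    print("PPPoE link MTU on 1500-byte Ethernet:", 1500 - PPPOE_HDR)
    print("clear-text clamp for ip mtu 1452:", tcp_mss_for_mtu(1452))
    print("clamp if ESP packets must fit 1452 (esp-des esp-sha-hmac):", mss_through_ipsec(1452))
    print("same link with AES-CBC (16-byte IV/block):", mss_through_ipsec(1452, iv_len=16, block=16))
```

The difference between the two clamps is the point of the follow-up advice: 1412 keeps clear-text packets whole on the dialer, but a tunnelled full-size segment grows by 50 to 57 bytes before it leaves, so either the LAN-side MSS comes down further or the router fragments after encryption.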