A Real NAT in the butt >.<

Well I figured I would turn to good owe techexams.net for some ideals because I'm totally fresh out.

I am doing a contract for a small business and currently installing "cheep" cisco equipment per say to fit their budget so im using a cisco 2610 with a wic-1adsl, cisco 3524XL (non poe).

I am currently using the ios firewall on it, with access lists and the whole nine yards but none of this is the issue.

I have nat setup to overload to dialer1.

The issue is this guys laptop can visit ANY WEBSITE on the internet, while other computers in the business (XP and Vista) cannot visit every website per say. For example news.yahoo.com, fictionpress.com, cannot do streaming videos from news.yahoo.com. ebay.com is REALLY REALLY slow and often does not load. myspace will not load, facebook will not load (yeah social websites but this company is a photography company

) oh yeah and the CISCO website takes like 2 minutes to load one page...

The router is currently running c2600-ik9o3s3-mz.123-23.bin

I have disabled fw, totally removed all access lists, even tried enterprise basic, tried 12.4(17) ip base (yes it will run on a 2610 - little processor intensive but it works) and all ios's do the same thing with nat, the laptop can view any website but the rest of the machines are limited.

to top this one off, the lapto uses wireless which goes through a stinksys (laughs) basically setup as a bridge using wpa and radius authentication. At first i thought it was the wireless so then i tried a network card in the laptop and it still works fine... does not matter what interface, the laptop works 100%, no other machine does.

I have had 4 people look over my config and everyone of them said theirs no reason why it should be doing this.

Config is posted below. please note I've removed most identifiable info for security reasons.

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname IM_A_ROUTER
!
boot-start-marker
boot-end-marker
!
no logging on
!
aaa new-model
!
!
aaa authentication fail-message REMOVED
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip name-server 192.168.144.97
no ip dhcp conflict logging
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp timeout 15
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL smtp
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL netshow
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL http
ip inspect name FIREWALL skinny
ip audit po max-events 100
ip dhcp-server 192.168.144.97
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
no file verify auto
!
!
interface ATM0/0
description ##### aDSL Physical Interface #####
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0
description ##### Private Internal Interface #####
ip address 192.168.144.254 255.255.255.0
ip access-group 107 in
ip nat inside
ip inspect FIREWALL in
full-duplex
!
interface Dialer1
description ##### aDSL PPPoE Dialer #####
ip address negotiated
ip access-group 112 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password ohnoyoudont
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.144.42 23 interface Dialer1 23
ip nat inside source static tcp 192.168.144.55 80 interface Dialer1 80
ip nat inside source static tcp 192.168.144.97 1723 interface Dialer1 1723
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit any
access-list 72 permit 192.168.144.0 0.0.0.255
access-list 72 deny any
access-list 107 permit tcp 192.168.144.0 0.0.0.255 any
access-list 107 deny ip any any log
access-list 112 permit tcp any any eq www
access-list 112 permit tcp any any eq 1723
access-list 112 permit icmp any any echo-reply
access-list 112 deny ip any any log
cdp timer 90
!
radius-server host 192.168.144.97 auth-port 1645 acct-port 1646
radius-server key INSERTKEYHERE?
!
!
banner login YAY MY LOGIN BANNER
alias exec sir show ip route
alias exec siib show ip int brief
alias exec dsl sh dsl int atm 0/0
alias exec siis show ip inspect ses
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 72 in
exec-timeout 2 0
!
end

If you have any good ideals I'm open to suggestions. keep in mind, if i totally remove the firewall and the access-lists (except the nat source list) it still does this problem.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

nice343

get a router with 2 ethernet ports and tell us what happens after you configure it for NAT

I don't see anything wrong with the config. I could be wrong though

mikej412

Are you getting anything when you check for NAT translations for the other PCs? Do any of the other PCs work if you take the laptop off the network and reboot the router? Any exciting debug output?

mgeorge

if i do it this way i'd have to get another router to perform pppoe dialer and nat and configure the first router a a bridge. When i bridge with the wic-1adsl to the ethernet0, it gets limited to 2.2Mbps, the customer has 6.0/512

I've tried to configure NAT on a server and bridge the wic-1adsl to e0 and do pppoe and nat on the server and it gets limited to 2-2.5mbps max

mgeorge

I can see the NAT translations like every other translation.

Also the ios firewall seems to work fine i can see all the sis_open's per each nat translation.

I've tried totally removing the laptop from the network and hard booting the router and all the other pcs still have the same issue.

this is really frusterating

Also another note to add is cpu utilization never goes over 70%

mgeorge

Well i have completely reconfigured the router from blank with just a simple nat and the required config to establish a pppoe session.

Issue still remains. same laptop can visit every website while other machines cannot.

So I thought it was just those machines or somthing on those pc's, put a brand new dell 745 in and it could not view every website like the laptop does.

Normally I enjoy a challange but this one here really takes the cake!!!

I've totally switched routers, 2620 and 2610 and the only thing ive not switched is the wic.

I'm pretty sure the wic is legitimate, it was purchased from horizon datacom out of ohio.

Wic has latest firmware.

I guess ima have to slap it in a 3600 series after i grab a nm-1fe2w (since these wics will not work in the standard ethernet nm's)

but im still open to

's

Also to add to the issue, i booted to a live ubuntu cd to test it in ubnutu on one of the desktops and it still cannot view the normal websites like the laptop can... This is starting to drive me nuts.

mikej412

Same or different IPs on the laptop when you were wireless and wired?

Have you tried a pc on the same switch port (and maybe IP) as the laptop? Cloned the Laptops MAC address on a PC?

Any funky old switch configs?

Any funky interface statistics/errors when you try using those PCs?

mgeorge

Well the interface dispatch on the switch ports look normal, nothing obvious

The laptop has 2 different mac addresses, the onboard nic and wifi.

IP addresses are different, wifi is .114, nic is .116

im going to try to clone the nic now and see what it does.

nic cloning is so easy with virtual pc

specify a nic and it works lol... but no that did not do it.

I've plugged the pc that i cloned the mac with directly into the routers e0/0 and still nothing.

so that rules out the switch

i plug the laptop directly into the router and it works fine.

lol.... this one is just a doosey

sprkymrk

Matt,

I had this same issue (different hardware, but exact same symtoms). It was DNS. Reverse lookups were killing those exact same sites and slowing them to a crawl. Check how the laptop might be configured differently or else make sure the IOS is not doing reverse lookups as a security feature. Something along those lines - I am not a Cisco man myself much beyond the basics.

mgeorge

Well I just posted my resolution and it didnt show up... odd >.<

Well after 6 hours or non stop pulling my hair and 3 gallons of purified water i finally got it working but yet I DONT KNOW HOW I DID IT!!! LOL!!! I HATE IT WHEN THAT HAPPENS

Any who mike got my gears turning about mac addresses and to me everything layer 3 was working fine so i decided to move to layer2 and still could find nothing.

After disabled a shitload of services and non essential stuff, unplugging the stinksys router (which acts as a wifi ap) I then noticed IT ALL WORKS!! I was kinda afraid to plug that stinksys back into it. but i did and it worked fine as well. The IOS firewall is delivering the max throughput 6Mbps of the dsl link. cpu stays below 70% which im fine with.

I went back to using a sub interface for the pvc vpi/vci. I orginally used a subint but went to the physical to conserve ram they both had the same issue prior to doing what ever i did to fix it.

Well my final config is posted below so that way you guys can go through it and draw a conclusion. Their are several things i added that could have solved the issue but I dont really want to go through and remove them all and screw it up agian since they are opening their doors in like 5 minutes and i got oh so lucky in getting this thing working 20 minutes before opening time. talk about biting the dust.

Thanks guys for the ideals... also sprk, the DNS is setup to go to an Active Directory DNS which then fowards to the Smellsouth DNS servers. The router its self references the DNS server only to ping stuff from command line.

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname IM_A_ROUTER
!
boot-start-marker
boot-end-marker
!
no logging on
!
clock timezone EST -5
aaa new-model
!
!
aaa authentication fail-message ^CFAIL MESSAGE HERE^C
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip name-server 192.168.144.97
no ip dhcp conflict logging
!
no ip bootp server
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp timeout 45
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL smtp
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL netshow
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL http
ip audit po max-events 100
ip dhcp-server 192.168.144.97
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
no file verify auto
!
interface ATM0/0
description ##### ADSL_PHYSCAL_INTERFACE #####
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0
ip address 192.168.144.254 255.255.255.0
ip access-group 107 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect FIREWALL in
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
full-duplex
!
interface Dialer1
description ##### aDSL PPPoE Dialer #####
ip address negotiated
ip access-group 112 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
encapsulation ppp
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ilikebreakandbutter
ppp chap password iliketoastandjam
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.144.97 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.144.55 80 interface Dialer1 80
ip nat inside source static tcp 192.168.144.42 23 interface Dialer1 23
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit any
access-list 72 permit 192.168.144.0 0.0.0.255
access-list 107 permit ip 192.168.144.0 0.0.0.255 any
access-list 107 deny ip any any
access-list 112 permit tcp any any eq www
access-list 112 permit tcp any any eq 1723
access-list 112 permit icmp any any echo-reply
access-list 112 deny ip any any log
cdp timer 90
!
radius-server host 192.168.144.97 auth-port 1645 acct-port 1646
radius-server key 7 guessme!!!
!
!
!
!
banner login ^CBIG FAT BANNER GOES HERE!!!^C
alias exec sir show ip route
alias exec siib show ip int brief
alias exec dsl sh dsl int atm 0/0
alias exec siis show ip inspect ses
alias exec cpu show proc cpu hist
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 72 in
exec-timeout 2 0
!
!
end

On a personal note i found the QUICKEST way to crash a router!!! debug ip nat details
then have some one download a 600 mb file... (kuh-rash) it goes!!! cpu pegs 100% max

Dont try that in your live network folks

you'll be then typing up your resume.

mgeorge

now that i think about it. I had a problem like this before setting up a simple modem for south east bell dsl customer, SeTEL use s a MTU of 1450. I remember back when it was connected it would go to some websites, and it wouldnt go to others. cuz i was using the 1492 instead of their 1450. Once it was changed it worked perfect.

ip tcp adjust-mss 1452

I'm "pretty" sure that command did the trick.

any one have any objections?

Also the laptop had the cisco vpn client on it which uses the "deterministic network enhancer"
which detects fragmentation and adjusts the mtu accordinly. (laughs go figure!! no wonder the laptop worked and nothing else did!!!!)

This is definately a learning experince for me

man that laptop threw me WAY OFF.

mikej412

mgeorge27 wrote:

i finally got it working but yet I DONT KNOW HOW I DID IT!!! LOL!!! I HATE IT WHEN THAT HAPPENS

Sometimes you just have to take it any way you can get it

mgeorge

After looking into it a little futher to satisify my curiousity. The deterministic network enhancer had set the MTU on the laptop to 1300 which was well below an acceptable non-fragmentation range required to encapsulate the packet for pppoe/atm

All other machines were using default ethernet 1500.

After setting the maximum segment size with the "ip tcp adjust-mss xxxx" command to a lower acceptable size to interoperate with the PPPoE Dialer/ATM Interface it worked great.

APA

Have experienced these symptoms with a live auction website that our users visit nearly everyday....

Ended up being that the website was exceeding the MSS that it was actually advertising......Caused the website to be extremely slow and drop out occassionally.

Once we adjusted the allowed MSS for this certain website everything returned to normal..... Matt I think you are spot on with what was causing the problem.