A Real NAT in the butt >.<

mgeorge Member Posts: 774
Well I figured I would turn to good ol' techexams.net for some ideas because I'm totally fresh out.

I am doing a contract for a small business and currently installing "cheap" Cisco equipment, per se, to fit their budget, so I'm using a Cisco 2610 with a WIC-1ADSL and a Cisco 3524XL (non-PoE).

I am currently using the IOS firewall on it, with access lists and the whole nine yards, but none of this is the issue.

I have NAT set up to overload to Dialer1.

The issue is this guy's laptop can visit ANY WEBSITE on the internet, while other computers in the business (XP and Vista) cannot visit every website, per se. For example news.yahoo.com, fictionpress.com; they cannot do streaming videos from news.yahoo.com. ebay.com is REALLY REALLY slow and often does not load. MySpace will not load, Facebook will not load (yeah, social websites, but this company is a photography company) oh yeah, and the CISCO website takes like 2 minutes to load one page...

The router is currently running c2600-ik9o3s3-mz.123-23.bin

I have disabled the FW, totally removed all access lists, even tried Enterprise Basic, tried 12.4(17) IP Base (yes, it will run on a 2610; a little processor intensive, but it works) and all IOSes do the same thing with NAT: the laptop can view any website but the rest of the machines are limited.

To top this one off, the laptop uses wireless, which goes through a stinksys (laughs) basically set up as a bridge using WPA and RADIUS authentication. At first I thought it was the wireless, so then I tried a network card in the laptop and it still works fine... does not matter what interface, the laptop works 100%, no other machine does.

I have had 4 people look over my config and every one of them said there's no reason why it should be doing this.

Config is posted below. Please note I've removed most identifiable info for security reasons.


!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname IM_A_ROUTER
!
boot-start-marker
boot-end-marker
!
no logging on
!
aaa new-model
!
!
aaa authentication fail-message REMOVED
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip name-server 192.168.144.97
no ip dhcp conflict logging
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp timeout 15
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL smtp
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL netshow
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL http
ip inspect name FIREWALL skinny
ip audit po max-events 100
ip dhcp-server 192.168.144.97
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
no file verify auto
!
!
interface ATM0/0
description ##### aDSL Physical Interface #####
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0
description ##### Private Internal Interface #####
ip address 192.168.144.254 255.255.255.0
ip access-group 107 in
ip nat inside
ip inspect FIREWALL in
full-duplex
!
interface Dialer1
description ##### aDSL PPPoE Dialer #####
ip address negotiated
ip access-group 112 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password ohnoyoudont
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.144.42 23 interface Dialer1 23
ip nat inside source static tcp 192.168.144.55 80 interface Dialer1 80
ip nat inside source static tcp 192.168.144.97 1723 interface Dialer1 1723
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit any
access-list 72 permit 192.168.144.0 0.0.0.255
access-list 72 deny any
access-list 107 permit tcp 192.168.144.0 0.0.0.255 any
access-list 107 deny ip any any log
access-list 112 permit tcp any any eq www
access-list 112 permit tcp any any eq 1723
access-list 112 permit icmp any any echo-reply
access-list 112 deny ip any any log
cdp timer 90
!
radius-server host 192.168.144.97 auth-port 1645 acct-port 1646
radius-server key INSERTKEYHERE?
!
!
banner login YAY MY LOGIN BANNER
alias exec sir show ip route
alias exec siib show ip int brief
alias exec dsl sh dsl int atm 0/0
alias exec siis show ip inspect ses
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 72 in
exec-timeout 2 0
!
end

If you have any good ideas I'm open to suggestions. Keep in mind, if I totally remove the firewall and the access-lists (except the NAT source list) it still does this problem.
There is no place like 127.0.0.1

Comments

  • nice343 Member Posts: 391
    Get a router with 2 Ethernet ports and tell us what happens after you configure it for NAT.

    I don't see anything wrong with the config. I could be wrong though :D
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • mikej412 Member Posts: 10,086
    Are you getting anything when you check for NAT translations for the other PCs? Do any of the other PCs work if you take the laptop off the network and reboot the router? Any exciting debug output?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • mgeorge Member Posts: 774
    If I do it this way I'd have to get another router to perform the PPPoE dialer and NAT and configure the first router as a bridge. When I bridge with the WIC-1ADSL to the Ethernet0, it gets limited to 2.2 Mbps; the customer has 6.0/512.

    I've tried to configure NAT on a server and bridge the WIC-1ADSL to E0 and do PPPoE and NAT on the server, and it gets limited to 2-2.5 Mbps max.
    There is no place like 127.0.0.1
  • mgeorge Member Posts: 774
    I can see the NAT translations like every other translation.

    Also the IOS firewall seems to work fine; I can see all the sis_open's for each NAT translation.

    I've tried totally removing the laptop from the network and hard booting the router, and all the other PCs still have the same issue.

    This is really frustrating.

    Also, another note to add: CPU utilization never goes over 70%.
    There is no place like 127.0.0.1
  • mgeorge Member Posts: 774
    Well I have completely reconfigured the router from blank with just a simple NAT and the required config to establish a PPPoE session.

    Issue still remains. Same laptop can visit every website while other machines cannot.

    So I thought it was just those machines or something on those PCs; put a brand new Dell 745 in and it could not view every website like the laptop does.

    Normally I enjoy a challenge but this one here really takes the cake!!!

    I've totally switched routers, 2620 and 2610, and the only thing I've not switched is the WIC.

    I'm pretty sure the WIC is legitimate; it was purchased from Horizon Datacom out of Ohio.

    WIC has latest firmware.

    I guess I'ma have to slap it in a 3600 series after I grab an NM-1FE2W (since these WICs will not work in the standard Ethernet NMs).

    But I'm still open to ideas.

    Also to add to the issue, I booted to a live Ubuntu CD to test it in Ubuntu on one of the desktops and it still cannot view the normal websites like the laptop can... This is starting to drive me nuts.
    There is no place like 127.0.0.1
  • mikej412 Member Posts: 10,086
    Same or different IPs on the laptop when you were wireless and wired?

    Have you tried a PC on the same switch port (and maybe IP) as the laptop? Cloned the laptop's MAC address on a PC?

    Any funky old switch configs?

    Any funky interface statistics/errors when you try using those PCs?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • mgeorge Member Posts: 774
    Well the interface dispatch on the switch ports looks normal, nothing obvious.

    The laptop has 2 different MAC addresses, the onboard NIC and WiFi.

    IP addresses are different; WiFi is .114, NIC is .116.

    I'm going to try to clone the NIC now and see what it does.

    NIC cloning is so easy with Virtual PC :) specify a NIC and it works lol... but no, that did not do it.

    I've plugged the PC that I cloned the MAC with directly into the router's E0/0 and still nothing.

    So that rules out the switch.

    I plug the laptop directly into the router and it works fine.

    lol.... this one is just a doozy
    There is no place like 127.0.0.1
  • sprkymrk Member Posts: 4,884
    Matt,

    I had this same issue (different hardware, but exact same symptoms). It was DNS. Reverse lookups were killing those exact same sites and slowing them to a crawl. Check how the laptop might be configured differently, or else make sure the IOS is not doing reverse lookups as a security feature. Something along those lines - I am not a Cisco man myself much beyond the basics.
    All things are possible, only believe.
  • mgeorge Member Posts: 774
    Well I just posted my resolution and it didn't show up... odd >.<

    Well after 6 hours of non-stop pulling my hair and 3 gallons of purified water I finally got it working, but yet I DON'T KNOW HOW I DID IT!!! LOL!!! I HATE IT WHEN THAT HAPPENS

    Anywho, Mike got my gears turning about MAC addresses, and to me everything layer 3 was working fine, so I decided to move to layer 2 and still could find nothing.

    After disabling a shitload of services and non-essential stuff, unplugging the stinksys router (which acts as a WiFi AP), I then noticed IT ALL WORKS!! I was kinda afraid to plug that stinksys back into it, but I did and it worked fine as well. The IOS firewall is delivering the max throughput, 6 Mbps, of the DSL link. CPU stays below 70%, which I'm fine with.

    I went back to using a subinterface for the PVC VPI/VCI. I originally used a subint but went to the physical to conserve RAM; they both had the same issue prior to doing whatever I did to fix it.

    Well my final config is posted below so that way you guys can go through it and draw a conclusion. There are several things I added that could have solved the issue, but I don't really want to go through and remove them all and screw it up again since they are opening their doors in like 5 minutes and I got oh so lucky in getting this thing working 20 minutes before opening time. Talk about biting the dust.

    Thanks guys for the ideas... also sprk, the DNS is set up to go to an Active Directory DNS which then forwards to the Smellsouth DNS servers. The router itself references the DNS server only to ping stuff from the command line.

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    no service dhcp
    !
    hostname IM_A_ROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    no logging on
    !
    clock timezone EST -5
    aaa new-model
    !
    !
    aaa authentication fail-message ^CFAIL MESSAGE HERE^C
    aaa authentication login default group radius local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default group radius if-authenticated
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    no ip domain lookup
    ip name-server 192.168.144.97
    no ip dhcp conflict logging
    !
    no ip bootp server
    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp timeout 45
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL h323
    ip inspect name FIREWALL smtp
    ip inspect name FIREWALL rcmd
    ip inspect name FIREWALL cuseeme
    ip inspect name FIREWALL tftp timeout 30
    ip inspect name FIREWALL netshow
    ip inspect name FIREWALL realaudio
    ip inspect name FIREWALL rtsp
    ip inspect name FIREWALL http
    ip audit po max-events 100
    ip dhcp-server 192.168.144.97
    vpdn enable
    !
    vpdn-group 1
    request-dialin
    protocol pppoe
    !
    !
    no file verify auto
    !
    interface ATM0/0
    description ##### ADSL_PHYSCAL_INTERFACE #####
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0/0.1 point-to-point
    pvc 8/35
    encapsulation aal5snap
    pppoe-client dial-pool-number 1
    !
    !
    interface Ethernet0/0
    ip address 192.168.144.254 255.255.255.0
    ip access-group 107 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip inspect FIREWALL in
    ip route-cache flow
    ip tcp adjust-mss 1452
    no ip mroute-cache
    full-duplex
    !
    interface Dialer1
    description ##### aDSL PPPoE Dialer #####
    ip address negotiated
    ip access-group 112 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname ilikebreakandbutter
    ppp chap password iliketoastandjam
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip nat inside source static tcp 192.168.144.97 1723 interface Dialer1 1723
    ip nat inside source static tcp 192.168.144.55 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.144.42 23 interface Dialer1 23
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    access-list 1 permit any
    access-list 72 permit 192.168.144.0 0.0.0.255
    access-list 107 permit ip 192.168.144.0 0.0.0.255 any
    access-list 107 deny ip any any
    access-list 112 permit tcp any any eq www
    access-list 112 permit tcp any any eq 1723
    access-list 112 permit icmp any any echo-reply
    access-list 112 deny ip any any log
    cdp timer 90
    !
    radius-server host 192.168.144.97 auth-port 1645 acct-port 1646
    radius-server key 7 guessme!!!
    !
    !
    !
    !
    banner login ^CBIG FAT BANNER GOES HERE!!!^C
    alias exec sir show ip route
    alias exec siib show ip int brief
    alias exec dsl sh dsl int atm 0/0
    alias exec siis show ip inspect ses
    alias exec cpu show proc cpu hist
    !
    line con 0
    exec-timeout 0 0
    line aux 0
    line vty 0 4
    access-class 72 in
    exec-timeout 2 0
    !
    !
    end

    On a personal note, I found the QUICKEST way to crash a router!!! debug ip nat details
    then have someone download a 600 MB file... (kuh-rash) it goes!!! CPU pegs 100% max

    Don't try that in your live network, folks; you'll be then typing up your resume.
    There is no place like 127.0.0.1
  • mgeorge Member Posts: 774
    Now that I think about it, I had a problem like this before, setting up a simple modem for a South East Bell DSL customer; SeTEL uses an MTU of 1450. I remember back when it was connected it would go to some websites, and it wouldn't go to others, 'cuz I was using the 1492 instead of their 1450. Once it was changed it worked perfect.

    ip tcp adjust-mss 1452

    I'm "pretty" sure that command did the trick.

    Anyone have any objections?

    Also the laptop had the Cisco VPN client on it, which uses the "Deterministic Network Enhancer",
    which detects fragmentation and adjusts the MTU accordingly. (laughs, go figure!! no wonder the laptop worked and nothing else did!!!!)

    This is definitely a learning experience for me. Man, that laptop threw me WAY OFF.
    There is no place like 127.0.0.1
  • mikej412 Member Posts: 10,086
    mgeorge27 wrote:
    I finally got it working but yet I DON'T KNOW HOW I DID IT!!! LOL!!! I HATE IT WHEN THAT HAPPENS

    Sometimes you just have to take it any way you can get it
    :mike: Cisco Certifications -- Collect the Entire Set!
  • mgeorge Member Posts: 774
    After looking into it a little further to satisfy my curiosity: the Deterministic Network Enhancer had set the MTU on the laptop to 1300, which was well below an acceptable non-fragmentation range required to encapsulate the packet for PPPoE/ATM.

    All other machines were using default ethernet 1500.

    After setting the maximum segment size with the "ip tcp adjust-mss xxxx" command to a lower acceptable size to interoperate with the PPPoE Dialer/ATM Interface it worked great.
    There is no place like 127.0.0.1
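The MTU/MSS mechanics behind this fix, as an added example that is not from the thread or from Cisco: a Python sketch that derives the safe MSS for the 1492-byte PPPoE path and clamps the MSS option of a constructed TCP SYN the way `ip tcp adjust-mss 1452` does on the router. The function names, the constructed packets and the destination address 203.0.113.10 (TEST-NET-3) are the example's own assumptions; 192.168.144.116 is the NIC address from the thread.

```python
import struct

# Header sizes (bytes) on the thread's path: Ethernet 1500 - PPPoE/PPP 8 = 1492 IP MTU.
PPPOE_OVERHEAD = 8
IP_HEADER = 20
TCP_HEADER = 20

def mss_for_mtu(ip_mtu):
    """Largest TCP payload that fits one packet of ip_mtu bytes without fragmenting."""
    return ip_mtu - IP_HEADER - TCP_HEADER

def build_syn(src_port, dst_port, mss):
    """Constructed IPv4 + TCP SYN carrying one MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HEADER + len(opts)) // 4           # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 144, 116]), bytes([203, 0, 113, 10]))  # inside host -> TEST-NET-3
    return ip + tcp

def clamp_mss(packet, max_mss):
    """Lower the MSS option of a TCP SYN/SYN-ACK to max_mss, as 'ip tcp adjust-mss' does.
    Returns (packet, mss_seen); mss_seen is None if not TCP, not a SYN, or no MSS option.
    The TCP checksum is not recomputed here (a real router does); our SYNs carry checksum 0."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or not packet[ihl + 13] & 0x02:    # protocol 6 = TCP; SYN flag 0x02
        return packet, None
    opts_end = ihl + (packet[ihl + 12] >> 4) * 4
    buf = bytearray(packet)
    i = ihl + TCP_HEADER
    while i < opts_end:
        kind = buf[i]
        if kind == 0:                                     # end of option list
            break
        if kind == 1:                                     # NOP, single byte
            i += 1
            continue
        length = buf[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            if mss > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
            return bytes(buf), mss
        i += max(length, 2)                               # guard against a zero length
    return packet, None

def demo():
    """Desktop at Ethernet MTU 1500 advertises 1460; the 1492-byte PPPoE path needs 1452."""
    syn = build_syn(50000, 80, mss_for_mtu(1500))
    clamped, advertised = clamp_mss(syn, mss_for_mtu(1500 - PPPOE_OVERHEAD))
    return advertised, clamp_mss(clamped, 65535)[1]      # (1460, 1452)
```

The laptop's VPN client had already dropped its MTU to 1300, so its SYNs advertised an MSS below 1452 and were never the problem; a host at the default 1500 advertises 1460 and needs the router to clamp it.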
  • APA Member Posts: 959
    Have experienced these symptoms with a live auction website that our users visit nearly every day....

    Ended up being that the website was exceeding the MSS that it was actually advertising...... Caused the website to be extremely slow and drop out occasionally.

    Once we adjusted the allowed MSS for this certain website everything returned to normal..... Matt I think you are spot on with what was causing the problem.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP