Cisco 837 Port Forwarding and MTU

Unanswered Question

I would appreciate help with:

1. Port forwarding - my running config is attached and I cannot connect to the redirected ports from the WAN side - it is not working and I need port forwarding to work.


2. I would like to know if my WAN MTU on the ADSL port is set too low; it is 1452.

I have an IPsec VPN to my office and the PIX 506E in my office has MTU set to 1500 on its ports. When I created the VPN I got a message about problems with some packets due to an MTU mismatch.


regards, Mark



bjornarsb Sat, 05/26/2007 - 15:18

Hi,


1. When you use PAT you cannot use the same pair of IP source and destination.

So if x.x.x.x = 5.5.5.5 you have to do NAT like this: ip nat inside source static 192.168.2.23 25 5.5.5.5


2. MTU mismatch is when you have too high an MTU on one side, so your MTU could actually be too high, depending on your IPsec configuration. I don't remember exactly, but: "The added header(s) varies in length depending on the IPsec configuration mode but they do not exceed ~58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet."

PPP is 8 bytes, so configure: mtu 1434.

(1400 is a good approximation.)


Keep in mind that adjust-mss only works for TCP, not UDP.


Check the scroll box at the bottom right :)


HTH


BR,

Bjornarsb


bjornarsb Tue, 05/29/2007 - 03:01

Hi again:


ip nat inside source static tcp 192.168.2.23 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.2.23 53 xxx.xxx.xxx.xxx 53 extendable
ip nat inside source static udp 192.168.2.23 53 xxx.xxx.xxx.xxx 53 extendable
ip nat inside source static tcp 192.168.2.23 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.2.23 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.2.23 1723 xxx.xxx.xxx.xxx 1723 extendable


need to be changed to:


ip nat inside source static 192.168.2.23 xxx.xxx.xxx.xxx (i.e. NAT, not PAT)



2. Maybe. First you need to change the MTU on your 837, because of IPsec and so on.

Try mtu 1400.


Then, if you are initiating traffic from the office, you should match the MTU on the other end. So try mtu = 1400 on both ends :)


BR,


Bjornarsb




Hi,


I do not think your solution to 1 will work. Also there is another entry:


ip nat inside source static tcp 192.168.2.24 3389 xxx.xxx.xxx.xxx 3389 extendable


You have not mentioned this. Note it is for a different machine on the private network.


2. Traffic goes both ways from the office to home over the IPsec VPN. There are two interfaces on the 506E, inside and outside. If I change outside to 1400, will that affect the other traffic that goes over this interface? Should I change both inside and outside to the same as the 837?


regards,

Mark

bjornarsb Tue, 05/29/2007 - 04:01

Hi,


Yes, 1 will work if you use another public entry for the last statement.


2. Yes, but I don't know if you have tcp adjust-mss on the PIX? But I believe that you have path MTU discovery!


If you create a tunnel you can use tunnel path-mtu-discovery on the 837:



!
interface Tunnel1
 ip address X 255.255.0.0
 ip mtu 1400
 ! MSS must leave room for the 20-byte IP and 20-byte TCP headers inside ip mtu: 1400 - 40 = 1360
 ip tcp adjust-mss 1360
 no ip split-horizon
 tunnel source Dialer1
 tunnel destination X
 tunnel key XXX
 tunnel path-mtu-discovery
!


BR,

Bjornarsb
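The MTU arithmetic in this thread (1500 link MTU, 8 bytes of PPPoE/PPP, up to ~58 bytes of ESP, then `ip mtu` and `ip tcp adjust-mss` on the tunnel) is easy to get wrong by 40 bytes, so here it is as a small script. This is an added example, not code from the thread or from Cisco; the overhead figures are the ones quoted in the posts above and are parameters, since real ESP overhead depends on the cipher, HMAC and padding of your own tunnel. The `check_tcp_settings` and `udp_fragments` helpers are my names, not IOS commands.

```python
"""MTU and MSS arithmetic for an IPsec tunnel carried over PPPoE ADSL.

Added example, not from the thread. Overhead values are the ones the
thread states (8 bytes PPPoE+PPP, <= ~58 bytes ESP); measure your own
tunnel before relying on the ESP figure.
"""
import math

LINK_MTU = 1500          # Ethernet / PIX interface MTU (assumption: no jumbo frames)
PPPOE_OVERHEAD = 8       # PPPoE (6) + PPP (2) header bytes, as stated in the thread
ESP_OVERHEAD_MAX = 58    # ESP + ESP-auth upper bound quoted in the thread
IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8


def tunnel_mtu(link_mtu=LINK_MTU, pppoe=PPPOE_OVERHEAD, esp=ESP_OVERHEAD_MAX):
    """Largest cleartext IP packet that still fits in one encrypted PPPoE frame."""
    return link_mtu - pppoe - esp


def mss_for_mtu(ip_mtu):
    """MSS to set with `ip tcp adjust-mss` so a full segment fits `ip mtu`."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def check_tcp_settings(ip_mtu, adjust_mss):
    """Verdict on an `ip mtu` / `ip tcp adjust-mss` pair.

    A segment carrying `adjust_mss` payload bytes is `adjust_mss + 40`
    bytes on the wire; if that exceeds `ip mtu` the router must fragment
    (or drop when DF is set), which defeats the point of clamping.
    """
    full_segment = adjust_mss + IPV4_HEADER + TCP_HEADER
    if full_segment > ip_mtu:
        return (f"too high: {full_segment}-byte segments exceed ip mtu {ip_mtu}; "
                f"use adjust-mss {mss_for_mtu(ip_mtu)}")
    if full_segment < ip_mtu:
        return f"safe but wasteful: {ip_mtu - full_segment} bytes unused per segment"
    return "ok"


def udp_fragments(payload_len, ip_mtu):
    """IPv4 fragments a UDP datagram needs to cross a link with `ip_mtu`.

    adjust-mss cannot help here (the thread's point that MSS clamping is
    TCP-only): a UDP sender that ignores PMTUD simply gets fragmented.
    Every fragment but the last carries a multiple of 8 data bytes.
    """
    data = payload_len + UDP_HEADER                 # bytes after the IP header
    per_fragment = (ip_mtu - IPV4_HEADER) // 8 * 8  # largest 8-byte-aligned chunk
    return max(1, math.ceil(data / per_fragment))


if __name__ == "__main__":
    print(f"worst-case tunnel MTU: {tunnel_mtu()} (the thread rounds this down to 1400)")
    print(f"adjust-mss for ip mtu 1400: {mss_for_mtu(1400)}")
    print(check_tcp_settings(1400, 1400))
    print(check_tcp_settings(1400, 1360))
    print(f"1472-byte UDP payload over ip mtu 1400 -> {udp_fragments(1472, 1400)} fragments")
```

Run it and the 1434 figure from the first reply falls out of `tunnel_mtu()`; the pairing `ip mtu 1400` with `ip tcp adjust-mss 1400` is reported as too high because every full segment would be 1440 bytes, while 1400/1360 is reported as ok.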

I will give it a try in the morning.


Can you clarify your statement:

Yes, 1 will work if you use another public entry for the last statement.


So I have two entries, one for 192.168.2.23 and one that is for one port on 192.168.2.24.


I do not think this will work; I have read that your suggested solution is for all ports. I still think my problem is access-list related, but I will give anything a go now.


regards, Mark


bjornarsb Tue, 05/29/2007 - 04:20

Hi,


The problem is that you probably only have one IP (negotiated), so it's best to move the 3389 service from 192.168.2.24 to 192.168.2.23.


And you also need to use:

ip nat inside source static 192.168.2.23 interface Dialer1


If you get a different IP (long term) you have to use DynDNS too, or try this:

!
interface Dialer1
 ip address negotiated previous
 encapsulation ppp
!


BR,

Bjornarsb

Cannot move the 3389 to 2.23; thus herein lies the problem.


I have been told it will work; the question is how. When I try to connect to a port from outside I get asked for a username and password on port 80, and then it says it is the HTTP server on the 837. This is why I think it is an access-list issue.


Any ideas appreciated.

regards, Mark

bjornarsb Tue, 05/29/2007 - 04:31

Try:

no ip http authentication

Then you will get access to the router web configuration.


Port 80 forwarding to your server on the inside does not work because of my first post :)


Actually you should use ip http secure-server and use HTTPS.


BR,

Bjornarsb
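The thread never settles which static entries actually collide, so as an added example (not code from the thread or from Cisco) here is a checker that reads `ip nat inside source static` lines from a running config and reports the three things argued about above: the same global address:port claimed by two inside hosts, a one-to-one static NAT sharing a global address with per-port (PAT) entries for another host, and a forwarded port that the router itself also listens on. The listener table is an assumption limited to the two commands mentioned in the thread (`ip http server` on tcp/80, `ip http secure-server` on tcp/443); the sample configs are constructed from the entries Mark posted, with 203.0.113.10 standing in for the masked public address, and `Entry`, `parse_nat`, `find_conflicts` and `audit` are names of my own.

```python
"""Static NAT/PAT sanity check for a Cisco 837 style config.

Added example, not from the thread or from Cisco. Flags (1) one global
socket mapped from two inside hosts, (2) one-to-one static NAT mixed with
per-port PAT for a different host on the same global address, and (3) a
forward onto a port the router itself serves (assumption: only the two
HTTP commands named in the thread are modelled).
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

ROUTER_LISTENERS = {                  # command -> socket the router answers itself
    "ip http server": ("tcp", 80),
    "ip http secure-server": ("tcp", 443),
}
# ip nat inside source static {tcp|udp} <inside> <port> {<global>|interface <if>} <port> [extendable]
STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
# ip nat inside source static <inside> {<global>|interface <if>}
STATIC_NAT = re.compile(
    r"^ip nat inside source static (\S+) (?:interface (\S+)|(\S+))(?: extendable)?$")


class Entry(NamedTuple):
    proto: Optional[str]          # "tcp"/"udp" for static PAT, None for one-to-one NAT
    inside_ip: str
    inside_port: Optional[int]
    global_addr: str              # literal address or "interface <name>"
    global_port: Optional[int]


def parse_nat(config: str):
    """Return (static entries, set of (proto, port) the router serves itself)."""
    entries, listeners = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if line in ROUTER_LISTENERS:
            listeners.add(ROUTER_LISTENERS[line])
            continue
        m = STATIC_PAT.match(line)
        if m:
            proto, inside, iport, ifname, gaddr, gport = m.groups()
            entries.append(Entry(proto, inside, int(iport),
                                 f"interface {ifname}" if ifname else gaddr, int(gport)))
            continue
        m = STATIC_NAT.match(line)
        if m:
            inside, ifname, gaddr = m.groups()
            entries.append(Entry(None, inside, None,
                                 f"interface {ifname}" if ifname else gaddr, None))
    return entries, listeners


def find_conflicts(entries, listeners):
    """Human-readable problems; an empty list means nothing obvious is wrong."""
    problems = []
    by_socket = defaultdict(set)      # (global, proto, port) -> inside hosts
    one_to_one = defaultdict(set)     # global -> inside hosts with full static NAT
    for e in entries:
        if e.proto is None:
            one_to_one[e.global_addr].add(e.inside_ip)
        else:
            by_socket[(e.global_addr, e.proto, e.global_port)].add(e.inside_ip)
    for (gaddr, proto, port), insides in sorted(by_socket.items()):
        if len(insides) > 1:
            problems.append(f"{gaddr} {proto}/{port} is claimed by {sorted(insides)}")
        if (proto, port) in listeners:
            problems.append(f"{gaddr} {proto}/{port}: the router's own service also "
                            "listens on this port; move it or disable it")
        for other in sorted(one_to_one.get(gaddr, ())):
            if other not in insides:
                problems.append(f"{gaddr} {proto}/{port} -> {sorted(insides)} overlaps "
                                f"the one-to-one static NAT for {other}")
    return problems


def audit(config: str):
    return find_conflicts(*parse_nat(config))


# Constructed from the entries quoted in the thread; 203.0.113.10 is a placeholder.
SAMPLE_CONFIG = """\
ip http server
ip nat inside source static tcp 192.168.2.23 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.2.23 53 203.0.113.10 53 extendable
ip nat inside source static udp 192.168.2.23 53 203.0.113.10 53 extendable
ip nat inside source static tcp 192.168.2.23 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.2.23 443 203.0.113.10 443 extendable
ip nat inside source static tcp 192.168.2.23 1723 203.0.113.10 1723 extendable
ip nat inside source static tcp 192.168.2.24 3389 203.0.113.10 3389 extendable
"""
# Constructed: the replacement suggested in the thread, one-to-one for .23 plus 3389 for .24.
PROPOSED_CONFIG = """\
ip nat inside source static 192.168.2.23 203.0.113.10
ip nat inside source static tcp 192.168.2.24 3389 203.0.113.10 3389 extendable
"""

if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("proposed", PROPOSED_CONFIG)):
        print(f"== {name} ==")
        for p in audit(cfg) or ["no conflicts found"]:
            print(" -", p)
```

Against the posted entries the only finding is tcp/80, where `ip http server` is enabled on the same router, which matches the login prompt Mark sees; the proposed one-to-one rewrite is flagged because the 3389 entry for 192.168.2.24 overlaps the full static NAT for 192.168.2.23. Paste the relevant lines from `show running-config` into `SAMPLE_CONFIG` to check your own box.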

