NAT problem

Sep 18th, 2007
We were doing some testing yesterday on the router, whereby we created a new private segment, 192.168.2.x. We NAT this segment to the WAN IP address.

We have faced a network problem whereby, when my notebook is in 192.168.2.x, I can ping any URLs, can use nslookup to resolve DNS queries, and can ssh to the server in my office (see diagram below), but cannot browse the Internet, except for the ISP website. It is weird, and I suspect maybe the ISP has barred http for the WAN user IP address.

I know this is beyond our ISP control, but I need a clue at least to help solve my customer's problem. I would appreciate any feedback.



jay77jay77 Tue, 09/18/2007 - 23:03

It's a clear indication of filtering on the ISP side. Just wondering, is there a known HTTP proxy for that ISP? You may want to try that.


At any cost, on such symptoms, the best and first one to call is the ISP.


Cheers!

fazilahrabu Tue, 09/18/2007 - 23:39

We have confirmed with our engineering team that there's no filtering on the ISP side. Our latest finding during troubleshooting is:

Large packets have issues going to the destination via Fast Ethernet (for NAT); the Serial interface is working fine - from the cust router.

Workaround: adjust the maximum segment size (MSS) value of TCP SYN packets going through the cust router (Fast Ethernet).

The current IOS version does not support this feature. The cust IOS is version 12.0.

Packets bigger than 1480 bytes can't go through from the cust Fast Ethernet. However, from the Service Provider POP router we have carried out the same test and found the test to be successful end to end.

I'm not sure about the http proxy.

arun kumar Wed, 09/19/2007 - 05:53

Hi,


For the above issue, you can also make it work by clearing the DF bit of all the IP packets going via the FE of the Customer router. Just create a route-map and clear the DF bit so that large packets will get fragmented.


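! Policy route-map: clear the DF bit on every packet matched by the ACL
route-map DF permit 10
 match ip address permit
 set ip df 0
!
! Named ACL "permit" matches all IP traffic
ip access-list extended permit
 permit ip any any

Apply the route-map on the Customer FE interface:

interface FastEthernet0/0
 ip policy route-map DF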


Hope this helps...


rgds

Arun
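
Added example, not part of any post in this thread: a small Python simulation of the symptom and of both workarounds discussed above (lowering the TCP MSS, and clearing the DF bit). The 1480-byte limit comes from the thread; the 1500-byte links, the payload sizes and all function names are assumptions made for illustration, and no packets are sent.

```python
IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options

def make_path(link_mtus):
    """Return probe(size, df) -> bool for a path with the given per-hop MTUs."""
    bottleneck = min(link_mtus)
    def probe(size, df=True):
        if size <= bottleneck:
            return True
        # Oversized packet: a router fragments it only when DF is clear.
        # With DF set it is dropped, and if the ICMP "fragmentation needed"
        # reply never reaches the sender, the connection simply stalls.
        return not df
    return probe

def path_mtu(probe, low=576, high=1500):
    """Binary-search the largest DF-set packet size that probe() delivers."""
    if not probe(low):
        raise ValueError("minimum size fails too; this is not an MTU problem")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def clamp_mss(mtu):
    """MSS that keeps a full TCP segment within the path MTU."""
    return mtu - IP_HDR - TCP_HDR

def delivered(probe, payload, mss, df=True):
    """True if the largest segment needed to carry payload gets through."""
    segment = min(payload, mss)
    return probe(segment + IP_HDR + TCP_HDR, df)

# Constructed path: two 1500-byte links around the 1480-byte hop from the thread.
path = make_path([1500, 1480, 1500])
mtu = path_mtu(path)    # largest packet that passes with DF set
mss = clamp_mss(mtu)    # value to clamp TCP SYNs to

if __name__ == "__main__":
    print("path MTU", mtu, "-> clamp MSS to", mss)
    print("small exchange (64 B):", delivered(path, 64, 1460))
    print("web page, MSS 1460:", delivered(path, 30000, 1460))
    print("web page, clamped MSS:", delivered(path, 30000, mss))
    print("web page, DF cleared:", delivered(path, 30000, 1460, df=False))
```

Small exchanges fit under the bottleneck and pass, while a bulk transfer at the default Ethernet MSS of 1460 produces 1500-byte packets that are dropped until either the MSS is lowered or DF is cleared.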

