877 internet access strange problem

Unanswered Question
Dec 25th, 2008
User Badges:

HI All,


having a stange problem here..

i had a 2611 with 2 ethernet ports one for LAN and the other terminating on the ISP Internet device (radio bridge)


it worked well i has setup a tunnel to the head office and PATTED for internet acess


now we bought a 877 to replace that and made vlan1 as LAN and vlan2 as Internet


i can access the head office via tunnel 1 but the PATTING doenst seem to work any more...


from my desktop ic an ping google.com and other public ip add /names but cant seem to open any page or browse the internet


intranet pages from head office servers work fine..


is this a problem with 877 ???


what am i doing wrong ? plz help ..




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Edison Ortiz Fri, 12/26/2008 - 08:17
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

The config looks good. Have you verified the workstations do not have some kind of proxy configuration enabled?


One small odd thing I saw, the GRE tunnel has a different adjust-mss than the SVIs. Try matching both values and go 1400 on all interfaces.


If ICMP is disabled from router to workstations, this won't help and fragmentation will occur. Also, try manually changing the MTU on workstations and see if it helps.



__


Edison.

zaidumer Mon, 12/29/2008 - 01:04
User Badges:

Hi Edi,


NO no proxy config enabled on WS, it workes perfectly with the old 2611 or if i completely take out the router ans give the WS public IP and connect the radio device and WS to a switch (with Defult g/w of the WS to the public ip of the radio device.)


ICMP is not disabled from ROuter to WS


yea i fixed the MTUs to 1400 quiet some time a go but that didnt do any good so there must be somthing else.


could it be an IOS issue ? im using

(C870-ADVSECURITYK9-M), Version 12.4(9)T7,



somone suggested that i use Adv IP Services IOS for using 2 vlans to route traffic ??


cause if i see sh ip nat trans it shows me the natting working perfectly


Hu_WH#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 124.29.xx.yyy:1723 10.204.100.71:1723 65.55.33.151:80 65.55.33.151:80



one more thing .. i did sh i pint fastethernet0 & 3 it shows me this >>


Hu_WH#sh ip int fastethernet0

FastEthernet0 is up, line protocol is up

Internet protocol processing disabled


Hu_WH#sh ip int fastethernet3

FastEthernet3 is up, line protocol is up

Internet protocol processing disabled



so it the IOS issue true ?? cause if it is then i need to get teh IP services IOS


plz help resolve..


Edison Ortiz Mon, 12/29/2008 - 07:19
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

I think I found something in your config that does not seem right.


Your ACL for the NAT does not include the Vlan 1 subnet.


access-list 150 permit ip 10.204.100.64 0.0.0.31 any


interface Vlan1

description Warehouse Local LAN

ip address 10.204.100.94 255.255.255.224


Furthermore, your internet connection is working fine - as you stated in your initial post, you can tunnel from this location to HQ. How that connection is made? Via the same internet connection you are having problems with. I suspect the problem is with the NAT listed above.


HTH,


__


Edison.

zaidumer Tue, 12/30/2008 - 03:23
User Badges:

HI Edi,


10.204.100.64 is the subnet id

255.255.255.224 is the subnet mask

10.204.100.65 - 94 is the usable ip range


so i guess 10.204.100.64 0.0.0.31 includes the vlan 1 subnet


also when i said the internet connection is working fine i ment if i use it directly (by giving my PC public ip) but not via router.


i can tunnel to the head office from this location to the head office using the same vlan2 interface connected to the ISP


vlan1 = 10.204.100.94 (LAN connection)

vlan2 = 124.29.xx.yyy (ISP connection)


tunnel1 form Warehouse to Head Office.

tunnel source is vlan2 ip

tunnel destination is Public ip interface of head office router.


i recently changed the IOS of this router to advance ip services but that didnt help too..





zaidumer Tue, 12/30/2008 - 04:10
User Badges:

still cant figure out the problme.


here is an output for vlan maybe this can help diagnose..



Hu_WH#sh vlan-switch


VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1, Fa2

2 VLAN0002 active Fa0

3 VLAN0003 active Fa3

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active


VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 1002 1003

2 enet 100002 1500 - - - - - 0 0

3 enet 100003 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 1 1003

1003 tr 101003 1500 1005 0 - - srb 1 1002

1004 fdnet 101004 1500 - - 1 ibm - 0 0

1005 trnet 101005 1500 - - 1 ibm - 0 0

Edison Ortiz Tue, 12/30/2008 - 07:49
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Zaid,


Yes, I was incorrect on my previous post - sorry about that.


What I meant to say, if this router can tunnel to the head office, then the internet is working fine and if your workstations can't connect to the internet then the problem seems to be NAT related.


However, you've posted a NAT translation from one device and it looks fine so I'm not sure what else to look for.


Can you post a traceroute from a workstation to 4.2.2.1 ?


__


Edison.

zaidumer Wed, 12/31/2008 - 02:38
User Badges:

HI Edi,


thanks for the reply, unfortunately im not at the remote location today so vont be able to do that but when iw as testing it the tracert was fine


it would touch the LAN side gateway (private ip of the route) then it NATS ( which is shown as icmp in sh ip nat trans ) and gets routed off to the ISP gateway ..



i know for sure now that this isa VLAN thingy when used with NAT. cause the same config is working fine with 2611 (2 pure ethernet ports)


what i can do is give u an access to this router for viewing yourself (since your from cisco and a CCIE :).. )


By the way i have finally called in a cisco vendor for troubleshooting this.. so if still nothing good happens i can give you access..


ill need your contact for that..



tahnsk fro the help though.


Edison Ortiz Wed, 12/31/2008 - 07:28
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

If you can traceroute then the problem seems to be DNS related.


What DNS is configured in the workstation side?


This DNS must be able to resolve public IP addresses.


As for access to your router, sorry - I can't do that. If you want to someone from Cisco to access your router, you must formally open a case with TAC.


__


Edison.

zaidumer Thu, 01/01/2009 - 04:54
User Badges:

HI Edi,



the DNS set at the client end was


primary dns 10.204.1.10 (our local DNS at the head office)


Secondary snd 202.16x.xx.cc dns given by the ISP


i did testing with setting both DNS given by the ISP ( in that case the machine cannot detect the INTRANET websides hosted at the head office)



zaidumer Fri, 01/02/2009 - 00:37
User Badges:

One more thing Edi,



i did another test with an 837 (with 2 ethernet IOS)



and thats working just fine..


could it be an ISP problem ???? if they r restricting vlan traffic or somthing..

andrew.butterworth Fri, 01/02/2009 - 05:15
User Badges:
  • Gold, 750 points or more

If the configurations are effectively the same between the three routers (2600, 877 & 837) and its only the 877 that doesn't work then I would suspect a bug in the IOS. What version is it running and have you tried upgrading it to a later release? Latest is 12.4(22)T, however there are memory restrictions so check first that you have enough.


HTH


Andy

Actions

This Discussion