Hi Edi,

NO no proxy config enabled on WS, it workes perfectly with the old 2611 or if i completely take out the router ans give the WS public IP and connect the radio device and WS to a switch (with Defult g/w of the WS to the public ip of the radio device.)

ICMP is not disabled from ROuter to WS

yea i fixed the MTUs to 1400 quiet some time a go but that didnt do any good so there must be somthing else.

could it be an IOS issue ? im using

(C870-ADVSECURITYK9-M), Version 12.4(9)T7,

somone suggested that i use Adv IP Services IOS for using 2 vlans to route traffic ??

cause if i see sh ip nat trans it shows me the natting working perfectly

Hu_WH#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 124.29.xx.yyy:1723 10.204.100.71:1723 65.55.33.151:80 65.55.33.151:80

one more thing .. i did sh i pint fastethernet0 & 3 it shows me this >>

Hu_WH#sh ip int fastethernet0

FastEthernet0 is up, line protocol is up

Internet protocol processing disabled

Hu_WH#sh ip int fastethernet3

FastEthernet3 is up, line protocol is up

Internet protocol processing disabled

so it the IOS issue true ?? cause if it is then i need to get teh IP services IOS

plz help resolve..

I think I found something in your config that does not seem right.

Your ACL for the NAT does not include the Vlan 1 subnet.

access-list 150 permit ip 10.204.100.64 0.0.0.31 any

interface Vlan1

description Warehouse Local LAN

ip address 10.204.100.94 255.255.255.224

Furthermore, your internet connection is working fine - as you stated in your initial post, you can tunnel from this location to HQ. How that connection is made? Via the same internet connection you are having problems with. I suspect the problem is with the NAT listed above.

HTH,

__

Edison.

HI Edi,

10.204.100.64 is the subnet id

255.255.255.224 is the subnet mask

10.204.100.65 - 94 is the usable ip range

so i guess 10.204.100.64 0.0.0.31 includes the vlan 1 subnet

also when i said the internet connection is working fine i ment if i use it directly (by giving my PC public ip) but not via router.

i can tunnel to the head office from this location to the head office using the same vlan2 interface connected to the ISP

vlan1 = 10.204.100.94 (LAN connection)

vlan2 = 124.29.xx.yyy (ISP connection)

tunnel1 form Warehouse to Head Office.

tunnel source is vlan2 ip

tunnel destination is Public ip interface of head office router.

i recently changed the IOS of this router to advance ip services but that didnt help too..

still cant figure out the problme.

here is an output for vlan maybe this can help diagnose..

Hu_WH#sh vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1, Fa2

2 VLAN0002 active Fa0

3 VLAN0003 active Fa3

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 1002 1003

2 enet 100002 1500 - - - - - 0 0

3 enet 100003 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 1 1003

1003 tr 101003 1500 1005 0 - - srb 1 1002

1004 fdnet 101004 1500 - - 1 ibm - 0 0

1005 trnet 101005 1500 - - 1 ibm - 0 0

Zaid,

Yes, I was incorrect on my previous post - sorry about that.

What I meant to say, if this router can tunnel to the head office, then the internet is working fine and if your workstations can't connect to the internet then the problem seems to be NAT related.

However, you've posted a NAT translation from one device and it looks fine so I'm not sure what else to look for.

Can you post a traceroute from a workstation to 4.2.2.1 ?

__

Edison.

HI Edi,

thanks for the reply, unfortunately im not at the remote location today so vont be able to do that but when iw as testing it the tracert was fine

it would touch the LAN side gateway (private ip of the route) then it NATS ( which is shown as icmp in sh ip nat trans ) and gets routed off to the ISP gateway ..

i know for sure now that this isa VLAN thingy when used with NAT. cause the same config is working fine with 2611 (2 pure ethernet ports)

what i can do is give u an access to this router for viewing yourself (since your from cisco and a CCIE :).. )

By the way i have finally called in a cisco vendor for troubleshooting this.. so if still nothing good happens i can give you access..

ill need your contact for that..

tahnsk fro the help though.

If you can traceroute then the problem seems to be DNS related.

What DNS is configured in the workstation side?

This DNS must be able to resolve public IP addresses.

As for access to your router, sorry - I can't do that. If you want to someone from Cisco to access your router, you must formally open a case with TAC.

__

Edison.

HI Edi,

the DNS set at the client end was

primary dns 10.204.1.10 (our local DNS at the head office)

Secondary snd 202.16x.xx.cc dns given by the ISP

i did testing with setting both DNS given by the ISP ( in that case the machine cannot detect the INTRANET websides hosted at the head office)

One more thing Edi,

i did another test with an 837 (with 2 ethernet IOS)

and thats working just fine..

could it be an ISP problem ???? if they r restricting vlan traffic or somthing..

If the configurations are effectively the same between the three routers (2600, 877 & 837) and its only the 877 that doesn't work then I would suspect a bug in the IOS. What version is it running and have you tried upgrading it to a later release? Latest is 12.4(22)T, however there are memory restrictions so check first that you have enough.

HTH

Andy