Having a strange problem here..
I had a 2611 with 2 Ethernet ports, one for LAN and the other terminating on the ISP Internet device (radio bridge).
It worked well; I had set up a tunnel to the head office and PATted for Internet access.
Now we bought an 877 to replace that and made vlan1 as LAN and vlan2 as Internet.
I can access the head office via tunnel 1 but the PATting doesn't seem to work any more...
From my desktop I can ping google.com and other public IP addresses/names but can't seem to open any page or browse the Internet.
Intranet pages from head office servers work fine..
Is this a problem with the 877???
What am I doing wrong? Please help..
The config looks good. Have you verified the workstations do not have some kind of proxy configuration enabled?
One small odd thing I saw, the GRE tunnel has a different adjust-mss than the SVIs. Try matching both values and go 1400 on all interfaces.
If ICMP is disabled from router to workstations, this won't help and fragmentation will occur. Also, try manually changing the MTU on workstations and see if it helps.
No, no proxy config enabled on the WS; it works perfectly with the old 2611, or if I completely take out the router and give the WS a public IP and connect the radio device and WS to a switch (with the default g/w of the WS set to the public IP of the radio device).
ICMP is not disabled from router to WS.
Yeah, I fixed the MTUs to 1400 quite some time ago but that didn't do any good, so there must be something else.
Could it be an IOS issue? I'm using
(C870-ADVSECURITYK9-M), Version 12.4(9)T7,
Someone suggested that I use the Adv IP Services IOS for using 2 vlans to route traffic??
'Cause if I see sh ip nat trans it shows me the NATting working perfectly:
Hu_WH#sh ip nat trans
Pro Inside global         Inside local        Outside local      Outside global
tcp 124.29.xx.yyy:1723    10.204.100.71:1723  188.8.131.52:80    184.108.40.206:80
One more thing.. I did sh ip int fastethernet0 & 3 and it shows me this >>
Hu_WH#sh ip int fastethernet0
FastEthernet0 is up, line protocol is up
Internet protocol processing disabled
Hu_WH#sh ip int fastethernet3
FastEthernet3 is up, line protocol is up
Internet protocol processing disabled
So is the IOS issue true?? 'Cause if it is then I need to get the IP Services IOS.
Please help resolve..
I think I found something in your config that does not seem right.
Your ACL for the NAT does not include the Vlan 1 subnet.
access-list 150 permit ip 10.204.100.64 0.0.0.31 any
description Warehouse Local LAN
ip address 10.204.100.94 255.255.255.224
Furthermore, your internet connection is working fine - as you stated in your initial post, you can tunnel from this location to HQ. How is that connection made? Via the same internet connection you are having problems with. I suspect the problem is with the NAT listed above.
10.204.100.64 is the subnet ID
255.255.255.224 is the subnet mask
10.204.100.65 - 94 is the usable IP range
So I guess 10.204.100.64 0.0.0.31 includes the vlan 1 subnet.
Also, when I said the Internet connection is working fine I meant if I use it directly (by giving my PC a public IP) but not via the router.
I can tunnel to the head office from this location using the same vlan2 interface connected to the ISP.
vlan1 = 10.204.100.94 (LAN connection)
vlan2 = 124.29.xx.yyy (ISP connection)
tunnel1 from Warehouse to Head Office.
tunnel source is vlan2 IP
tunnel destination is public IP interface of head office router.
I recently changed the IOS of this router to Advanced IP Services but that didn't help either..
Still can't figure out the problem.
Here is an output for vlan, maybe this can help diagnose..
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1, Fa2
2    VLAN0002                         active    Fa0
3    VLAN0003                         active    Fa3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
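
Added example (not part of the original posts): a check of the point argued above, that `access-list 150 permit ip 10.204.100.64 0.0.0.31 any` covers the Vlan1 subnet of 10.204.100.94 255.255.255.224. The function names are made up for this sketch, and the 0.0.0.15 wildcard is a constructed counter-example, not a value from the thread.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _care_bits(wildcard: str) -> int:
    """IOS wildcard masks are inverted: a 1 bit means "don't care".
    Return the bits that must match exactly."""
    return ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if a single address matches the ACL entry 'base wildcard'."""
    care = _care_bits(wildcard)
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_covers_subnet(base: str, wildcard: str, if_addr: str, if_mask: str) -> bool:
    """True if every address of the interface's subnet matches the ACL entry.
    Also correct for non-contiguous wildcards, without enumerating hosts."""
    net = ipaddress.IPv4Interface(f"{if_addr}/{if_mask}").network
    care = _care_bits(wildcard)
    # A "must match" bit inside the host part would exclude some hosts.
    if care & int(net.hostmask):
        return False
    # The remaining "must match" bits all lie in the network part.
    return (int(net.network_address) & care) == (
        int(ipaddress.IPv4Address(base)) & care
    )


if __name__ == "__main__":
    # Values from the thread: ACL 150 and the Vlan1 address and mask.
    print(acl_covers_subnet("10.204.100.64", "0.0.0.31",
                            "10.204.100.94", "255.255.255.224"))
    # The inside local host seen in "sh ip nat trans".
    print(wildcard_match("10.204.100.71", "10.204.100.64", "0.0.0.31"))
    # Constructed counter-example: a narrower wildcard misses .80-.95.
    print(acl_covers_subnet("10.204.100.64", "0.0.0.15",
                            "10.204.100.94", "255.255.255.224"))
```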
Yes, I was incorrect on my previous post - sorry about that.
What I meant to say, if this router can tunnel to the head office, then the internet is working fine and if your workstations can't connect to the internet then the problem seems to be NAT related.
However, you've posted a NAT translation from one device and it looks fine so I'm not sure what else to look for.
Can you post a traceroute from a workstation to 220.127.116.11 ?
Thanks for the reply; unfortunately I'm not at the remote location today so won't be able to do that, but when I was testing it the tracert was fine.
It would touch the LAN side gateway (private IP of the router), then it NATs (which is shown as icmp in sh ip nat trans) and gets routed off to the ISP gateway..
I know for sure now that this is a VLAN thingy when used with NAT, 'cause the same config is working fine with the 2611 (2 pure Ethernet ports).
What I can do is give you access to this router to view it yourself (since you're from Cisco and a CCIE :) ..)
By the way, I have finally called in a Cisco vendor for troubleshooting this.. so if still nothing good happens I can give you access..
I'll need your contact for that..
Thanks for the help though.
If you can traceroute then the problem seems to be DNS related.
What DNS is configured in the workstation side?
This DNS must be able to resolve public IP addresses.
As for access to your router, sorry - I can't do that. If you want someone from Cisco to access your router, you must formally open a case with TAC.
The DNS set at the client end was:
primary DNS 10.204.1.10 (our local DNS at the head office)
secondary DNS 202.16x.xx.cc (DNS given by the ISP)
I did testing with setting both DNS given by the ISP (in that case the machine cannot detect the INTRANET websites hosted at the head office).
One more thing Edi,
I did another test with an 837 (with 2 Ethernet IOS)
and that's working just fine..
Could it be an ISP problem???? If they are restricting vlan traffic or something..
If the configurations are effectively the same between the three routers (2600, 877 & 837) and it's only the 877 that doesn't work then I would suspect a bug in the IOS. What version is it running and have you tried upgrading it to a later release? Latest is 12.4(22)T, however there are memory restrictions so check first that you have enough.