01-09-2006 09:42 PM - edited 03-03-2019 01:22 AM
I have a Cisco router that is connected to a DSL modem. Currently the Cisco router is set up with multi-NAT, ACLs, and VPN access. The problem I am having is with internal users not being able to access certain internet websites using friendly names. I verified on the Windows servers that DNS is working, and also worked with the ISP tech support to verify that there were no problems on their end. While logged into the Cisco router I am successfully able to ping internal IPs, ISP DNS, and external IP addresses that are outlined in the ACL.
Currently the E0 link is set to half duplex, and there are no collisions being detected. I am lost as to what I should try next to pinpoint what the problem is.
01-09-2006 10:14 PM
When you say friendly names, I assume it's DNS. Is this happening for any DNS address or is it just a few addresses? If you try to ping a DNS name from inside from a command prompt (CMD), does it at least resolve the name -> address? If you put a PC on the outside segment between the router's outside FE and the DSL modem (possibly configure a static public IP address on your PC), are you able to reach the internet at this point?
01-10-2006 05:01 AM
Just a few addresses. When I connect my PC directly to the DSL router I am able to get to the website that was causing me problems behind the firewall. When I try to ping internally I am able to at least resolve the IP address, but cannot access the address using IE or Firefox.
01-09-2006 10:44 PM
Hello,
in addition to Sankar's post, you could try and change the MSS size on your Ethernet interface:
interface Ethernet0
ip tcp adjust-mss 1350
Also, make sure that whatever access list you have configured allows TCP port 53 (which is used for DNS), e.g.:
access-list 101 permit tcp any any eq domain
HTH,
GP
01-10-2006 05:08 AM
By adjusting the MSS, is that the same as IP MTU?
If so, the MTU is already set at 1400.
If I am able to access multiple websites, will updating the access list to include a DNS entry really resolve the problem? I thought with DNS, if you had a problem you would not be able to access any websites.
01-10-2006 05:38 AM
Hi,
The ip tcp adjust-mss command takes care of/prevents dropping of TCP packets in between because of a mismatch in MTU size in the path.
Any reason behind setting that up to 1400 instead of the default 1500?
Do check changing the same to 1500, or else add the ip tcp adjust-mss 1350 command with the current MTU (1400) size itself.
Also refer to this link for more insight on the same:
http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
Regards
01-10-2006 09:46 AM
Thanks for that info. I will update the E0 on the router and see what happens.
BTW,
the MTU was changed to 1400 since the DSL ISP provider stated that communication works best at that speed.
01-10-2006 05:38 AM
Hello,
if you can access some websites, but not others, the access list is likely not the problem. What firewall do you have? From what you are saying, it seems reasonable to assume that the problem lies in there.
Does changing the MSS make a difference?
Regards,
GP
01-10-2006 10:00 AM
If you are running CBAC and have ip inspect statements, it could be that Java sites are a problem.
Try adding the following in the
ip inspect name YOURNAME http java-list 5
access-list 5 permit xxx.xxx.xxx.xxx
This will let you know if the firewall is stopping the website or not...
01-10-2006 10:28 AM
Thanks for the input. This router does have ip inspect for tcp, smtp, http, and udp.
Do I have to update the ACL to include all websites that are giving me this problem?
01-10-2006 06:30 PM
The problem was with the router itself. I had a Netgear VPN router on standby that I used. Since this router does not support multi-nat I will need to make suggestions on what router is best for his business needs.
01-10-2006 10:50 AM
The access list is only enabled on devices trying to come into my network. The only firewall I am using is the Cisco router (ACL and IP inspection).
I am waiting on word back from the staff members having the problem (I'm offsite). Can you have inbound and outbound IP inspection on the same interface?
01-10-2006 10:55 AM
Changing the MSS did not resolve the problem.
01-10-2006 11:10 AM
Here is a quick overview.
configure terminal
! CBAC inspection rule sets (applied per interface below)
ip inspect name inbound tcp
ip inspect name inbound smtp
ip inspect name inbound udp
ip inspect name inbound http
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound http
ip inspect name outbound smtp
! Inbound ACL on the outside interface: mail, Notes (1352) and IPsec only
access-list 100 permit tcp any host 68.1.1.4 eq pop3
access-list 100 permit tcp any host 68.1.1.4 eq smtp
access-list 100 permit tcp any host 68.1.1.4 eq 1352
access-list 100 permit tcp any host 68.1.1.3 eq pop3
access-list 100 permit tcp any host 68.1.1.3 eq smtp
access-list 100 permit tcp any host 68.1.1.3 eq 1352
access-list 100 permit esp any any
access-list 100 permit udp any host 68.1.1.2 eq isakmp
access-list 100 permit udp any host 68.1.1.2 eq non500-isakmp
! Static NAT for the two internal servers
ip nat inside source static 1.1.1.2 68.1.1.3
ip nat inside source static 1.1.1.3 68.1.1.4
ip name-server 64.0.0.1
ip name-server 64.0.1.1
!
interface Ethernet0
 ip address 68.1.1.2 255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect outbound out
 ip mtu 1400
 ip tcp adjust-mss 1350
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip inspect inbound in
 speed auto
!
BTW,
this configuration (minus the MTU and MSS settings) was working up until 3 weeks ago.
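An added example, not from any of the posters: a small Python linter that parses an IOS-style config like the overview above and applies two checks raised in the thread, that ip tcp adjust-mss is no larger than ip mtu minus the 40 bytes of IPv4 and TCP headers, and that an inbound ACL on an interface with no outbound CBAC inspection still permits DNS replies on port 53. The sample config is constructed from the thread's values and the function names are mine.

```python
import re

# Constructed sample (added example, not any poster's config), using the overview's values.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip access-group 100 in
 ip inspect outbound out
 ip mtu 1400
 ip tcp adjust-mss 1350
!
access-list 100 permit tcp any host 68.1.1.4 eq smtp
access-list 100 permit esp any any
"""
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options
# Interface sub-commands of interest: key -> (regex, value is an int?)
IFACE_KEYS = {"mtu": (r" ip mtu (\d+)", True), "mss": (r" ip tcp adjust-mss (\d+)", True),
              "acl_in": (r" ip access-group (\S+) in", False),
              "inspect_out": (r" ip inspect (\S+) out", False)}

def parse(config):
    """Split an IOS-style config into per-interface settings and ACL entries."""
    ifaces, acls, cur = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif (m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.*)", line)):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the interface block
        elif cur is not None:
            for key, (pat, is_int) in IFACE_KEYS.items():
                m = re.match(pat, line)
                if m:
                    cur[key] = int(m.group(1)) if is_int else m.group(1)
    return ifaces, acls

def acl_permits_dns(entries):
    """True if any permit entry allows TCP or UDP port 53 (domain)."""
    return any(act == "permit" and proto in ("tcp", "udp") and re.search(r"\beq (domain|53)\b", rest)
               for act, proto, rest in entries)

def lint(config):
    """Flag an MSS the IP MTU cannot carry, and an inbound ACL that drops DNS replies without CBAC."""
    findings, (ifaces, acls) = [], parse(config)
    for name, s in ifaces.items():
        if "mtu" in s and "mss" in s and s["mss"] > s["mtu"] - IP_TCP_HEADERS:
            findings.append(f"{name}: adjust-mss {s['mss']} exceeds mtu {s['mtu']} - {IP_TCP_HEADERS}")
        acl = s.get("acl_in")
        if acl and "inspect_out" not in s and not acl_permits_dns(acls.get(acl, [])):
            findings.append(f"{name}: ACL {acl} in blocks DNS replies (no port 53 permit, no inspection)")
    return findings
```

With the thread's values (mtu 1400, adjust-mss 1350, outbound inspection present) the sample produces no findings, which matches GP's later remark that the ACL was unlikely to be the cause.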