Cisco 1710

DiasiaTanaj (Level 1)

I have a Cisco router that is connected to a DSL modem. Currently the Cisco router is set up with multi-NAT, ACLs, and VPN access. The problem I am having is with internal users not being able to access certain internet websites using friendly names. I verified on the Windows servers that DNS is working, and also worked with the ISP tech support to verify that there were no problems on their end. While logged into the Cisco router I am successfully able to ping internal IPs, the ISP DNS, and external IP addresses that are outlined in the ACL.

Currently the E0 link is set to half duplex, and there are no collisions being detected. I am lost as to what I should try next to pinpoint what the problem is.

14 Replies

thisisshanky (Level 11)

When you say friendly names, I assume it's DNS. Is this happening for any DNS address or is it just a few addresses? If you try to ping a DNS name from inside from a command prompt (CMD), does it at least resolve the name -> address? If you put a PC on the outside segment between the router's outside FE and the DSL modem (possibly configuring a static public IP address on your PC), are you able to reach the internet at this point?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Just a few addresses. When I connect my PC directly to the DSL router I am able to get to the website that was causing me problems behind the firewall. When I try to ping internally I am able to at least resolve the IP address, but cannot access the address using IE or Firefox.

Hello,

in addition to Sankar's post, you could try and change MSS size on your Ethernet interface:

interface Ethernet0
 ip tcp adjust-mss 1350

Also, make sure that whatever access list you have configured allows TCP port 53 (which is used for DNS), e.g.:

access-list 101 permit tcp any any eq domain

HTH,

GP

By adjusting the MSS, is that the same as IP MTU?

If so, the MTU is already set at 1400.

If I am able to access multiple websites will updating the access list to include a DNS entry really resolve the problem? I thought with DNS if you had a problem you would not be able to access any websites.

Hi

The ip tcp adjust-mss command takes care of/prevents dropping of TCP packets in between because of a mismatch in MTU size in the path.

Any reason behind setting that to 1400 instead of the default 1500?

Do check changing the same to 1500, or else add the ip tcp adjust-mss 1350 command with the current MTU (1400) size itself.

also refer this link for more insight view on the same..

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

regds

Thanks for that info. I will update the E0 on the router and see what happens.

BTW.

The MTU was changed to 1400 since the DSL ISP provider stated that communication works best at that speed.

Hello,

if you can access some websites, but not others, the access list is likely not the problem. What firewall do you have ? From what you are saying, it seems reasonable to assume that the problem lies in there.

Does changing the MSS make a difference ?

Regards,

GP

If you are running CBAC and have ip inspect statements, it could be that Java sites are a problem.

try adding the following in the

ip inspect name YOURNAME http java-list 5

access-list 5 permit xxx.xxx.xxx.xxx

This will let you know if the firewall is stopping the website or not...

Thanks for the input. This router does have ip inspect for tcp, smtp, http, and udp.

Do I have to update the ACL to include all websites that are giving me this problem?

The problem was with the router itself. I had a Netgear VPN router on standby that I used. Since this router does not support multi-nat I will need to make suggestions on what router is best for his business needs.

The access list is only enabled on devices trying to come in to my network. The only firewall I am using is the Cisco router (ACL and IP inspection).

I am waiting on word back from the staff members having the problem (I'm offsite). Can you have inbound and outbound ip inspection on the same interface?

Changing the MSS did not resolve the problem.

Here is a quick overview.

configure terminal
!
! CBAC inspection rule sets (names as posted)
ip inspect name inbound tcp
ip inspect name inbound smtp
ip inspect name inbound udp
ip inspect name inbound http
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound http
ip inspect name outbound smtp
!
! Inbound ACL on the outside interface: mail/Notes (1352) to the two static NAT hosts,
! plus IPsec (ESP, IKE and NAT-T) to the router's own outside address.
! IOS has no plain "pop" keyword, so pop3 is used; "esq" in the original post is read as esp.
access-list 100 permit tcp any host 68.1.1.4 eq pop3
access-list 100 permit tcp any host 68.1.1.4 eq smtp
access-list 100 permit tcp any host 68.1.1.4 eq 1352
access-list 100 permit tcp any host 68.1.1.3 eq pop3
access-list 100 permit tcp any host 68.1.1.3 eq smtp
access-list 100 permit tcp any host 68.1.1.3 eq 1352
access-list 100 permit esp any any
access-list 100 permit udp any host 68.1.1.2 eq isakmp
access-list 100 permit udp any host 68.1.1.2 eq non500-isakmp
!
ip nat inside source static 1.1.1.2 68.1.1.3
ip nat inside source static 1.1.1.3 68.1.1.4
ip name-server 64.0.0.1
ip name-server 64.0.1.1
!
! Outside (DSL) interface: ACL 100 inbound, CBAC opens return holes for outbound sessions
interface Ethernet0
 ip address 68.1.1.2 255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect outbound out
 ip mtu 1400
 ip tcp adjust-mss 1350
!
! Inside (LAN) interface
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip inspect inbound in
 speed auto
!

BTW,

This configuration (minus the MTU and MSS settings) was working up until 3 weeks ago.
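As an added check that is not part of this thread, the following Python script audits the points raised above (MSS fitting inside ip mtu, the VPN ACL entries on the outside interface, and CBAC inspection being applied there) against a constructed config modelled on the one posted. The 40-byte IP+TCP header allowance, the interface and ACL names, and the list of required VPN entries are assumptions.

```python
import re

# Constructed sample, modelled on the outside-interface part of the config posted in this thread.
SAMPLE_CONFIG = """\
access-list 100 permit esp any any
access-list 100 permit udp any host 68.1.1.2 eq isakmp
access-list 100 permit udp any host 68.1.1.2 eq non500-isakmp
interface Ethernet0
 ip access-group 100 in
 ip nat outside
 ip inspect outbound out
 ip mtu 1400
 ip tcp adjust-mss 1350
"""

def interface_commands(config):
    """Map each interface name to the list of its indented sub-commands."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def acl_permits(entries, proto, port=None):
    """True if a permit entry matches the protocol and, if given, the trailing port name."""
    return any(a == "permit" and p == proto and (port is None or r.split()[-1] == port)
               for a, p, r in entries)

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    acls = re.findall(r"^access-list (\d+) (\S+) (\S+)(.*)$", config, re.M)
    for name, cmds in interface_commands(config).items():
        mtu = next((int(c.split()[-1]) for c in cmds if c.startswith("ip mtu ")), 1500)
        mss = next((int(c.split()[-1]) for c in cmds if c.startswith("ip tcp adjust-mss ")), None)
        # MSS must leave room for the 20-byte IP and 20-byte TCP headers inside ip mtu.
        if mss is not None and mss > mtu - 40:
            findings.append(f"{name}: adjust-mss {mss} exceeds ip mtu {mtu} minus 40")
        acl = next((c.split()[2] for c in cmds if c.startswith("ip access-group ") and c.endswith(" in")), None)
        if "ip nat outside" not in cmds or acl is None:
            continue
        entries = [(a, p, r) for num, a, p, r in acls if num == acl]
        # The IPsec VPN terminating on the outside interface needs IKE, NAT-T and ESP permitted inbound.
        for proto, port in (("udp", "isakmp"), ("udp", "non500-isakmp"), ("esp", None)):
            if not acl_permits(entries, proto, port):
                findings.append(f"{name}: ACL {acl} has no permit for {proto} {port or ''}".rstrip())
        # With an inbound ACL, return traffic for outbound sessions relies on CBAC punching holes.
        if not any(c.startswith("ip inspect ") and c.endswith(" out") for c in cmds):
            findings.append(f"{name}: inbound ACL {acl} but no outbound ip inspect on this interface")
    return findings
```

Run audit() on a full running-config dump; each finding names the interface so it maps straight back to the stanza to fix.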
