Unable to browse from LAN desktops via cisco 887vdsl router

mehmoodch (Level 1)

Hi, I have installed a Cisco 887V router in the Amsterdam office.

I established a VPN tunnel between the AMS office and the Edinburgh office.

1. The VPN is up and running

2. I am unable to browse anything from LAN computers in the Amsterdam office.

3. From LAN computers I can traceroute to yahoo.com, but from a browser I can't browse yahoo.com; the web page hangs in this state ("website found, waiting for reply"). Nothing comes back and LAN users are unable to use the internet.

Please help

My configuration is:

ip source-route
!
!
!
!
ip cef
ip domain name xxxxxx.com
ip name-server 8.8.8.8
no ipv6 cef
!
username xxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxx
!
!
controller VDSL 0
!
ip ssh version 1
ip ssh pubkey-chain
  username xxxxxxx
   key-hash ssh-rsa xxxxxxxxxxxxxxxxxxx
  quit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 94.xx.xx.xx
!
!
crypto ipsec transform-set AMS-SET esp-des esp-sha-hmac
!
crypto map AMS-R 10 ipsec-isakmp
 set peer 94.xx.xx.xx
 set transform-set AMS-SET
 match address 102
!
!
!
!
!
interface Ethernet0
 no ip address
 pppoe-client dial-pool-number 10
!
!
interface Ethernet0.6
 encapsulation dot1Q 6
 pppoe-client dial-pool-number 10
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
!
interface FastEthernet0
 load-interval 30
 speed 100
 pppoe-client dial-pool-number 10
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
 ip address 10.0.12.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
!
!
interface Dialer0
 no ip address
 shutdown
!
!
interface Dialer10
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 dialer-group 10
 ppp authentication pap callin
 ppp chap hostname xxx@xxx-ZDSL
 ppp chap password 0 xxx
 ppp pap sent-username xxxx@xxx-ZDSL password 0 xxx
 no cdp enable
 crypto map AMS-R
!
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
access-list 102 permit ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 deny  ip any any
access-list 175 deny  ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 175 deny  ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 deny  ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 175 permit ip 10.0.12.0 0.0.0.255 any
dialer-list 10 protocol ip permit
dialer-list 1 protocol ip permit
!
!
!
route-map nonat permit 10
 match ip address 175
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 password xxxxxx
 login local
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
end

3 Accepted Solutions


11 Replies

Hi Mahmood,

Two things to mention:

1- You are not supposed to reach "yahoo.com" across the tunnel, at least not based on your configuration:

Name:       yahoo.com
Addresses:  98.139.183.24, 72.30.38.140, 98.138.253.109

Crypto ACL:

access-list 102 permit ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 deny  ip any any

* The "deny ip any any" is not required.

2- Unless you want to send this traffic over the VPN tunnel and have the remote VPN endpoint provide Internet access across the tunnel, I think this is not a VPN issue.

Please let us know.

Thanx.

Portu
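As an added example (not from the thread): a small Python checker that evaluates a LAN flow against the two access lists from the original config the way the router does (first match, implicit deny) and reports whether the flow would be encrypted by the crypto map, translated by the nonat route-map, both, or neither. It is what Portu's point above amounts to: the yahoo.com addresses fall outside ACL 102, so that traffic never touches the tunnel. Only the "address wildcard" and "any" ACL forms present in the post are parsed.

```python
import ipaddress

# ACL 102 (crypto map match) and ACL 175 (route-map nonat), copied from the original post.
CRYPTO_ACL_102 = """
access-list 102 permit ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 deny  ip any any
"""
NONAT_ACL_175 = """
access-list 175 deny  ip 10.0.12.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 175 deny  ip 10.0.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 deny  ip 10.0.12.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 175 permit ip 10.0.12.0 0.0.0.255 any
"""

def _take_net(tok, i):
    """Consume 'any' or 'addr wildcard' at tok[i] (wildcard = inverted netmask); return (net, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    netmask = ~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF   # 0.0.3.255 -> 255.255.252.0
    net = ipaddress.ip_network((tok[i], str(ipaddress.ip_address(netmask))), strict=False)
    return net, i + 2

def parse_acl(text):
    """Return ordered (action, src_net, dst_net) tuples for 'access-list N action ip ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()                 # ['access-list', '102', 'permit', 'ip', src...]
        src, i = _take_net(tok, 4)
        dst, _ = _take_net(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def acl_action(entries, src, dst):
    """First-match lookup, ending with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action
    return "deny"

def classify_flow(src, dst):
    """'vpn' (encrypted, not translated), 'internet' (translated), 'conflict' or 'unhandled'."""
    to_vpn = acl_action(parse_acl(CRYPTO_ACL_102), src, dst) == "permit"
    natted = acl_action(parse_acl(NONAT_ACL_175), src, dst) == "permit"
    if to_vpn and natted:   # NAT runs before the crypto map: the translated packet would miss ACL 102
        return "conflict"
    return "vpn" if to_vpn else ("internet" if natted else "unhandled")
```

Calling `classify_flow("10.0.12.50", "98.139.183.24")` with one of the yahoo.com addresses quoted above returns "internet", while a destination inside 10.0.0.0/22 returns "vpn".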

rizwanr74 (Level 7)

Hi Mahmood,

Please add these highlighted lines below on both interfaces.

interface Vlan1
 ip tcp adjust-mss 1412

interface Dialer10
 ip mtu 1452

Please update.

thanks

Going out of the VPN scope, I agree with rizwanr74.

Just to give you a little background of what those commands do.

The ideal TCP MSS value is calculated as following:

TCP MSS = MTU - (TCP + IP headers)
        = 1452 - (20 + 20)
        = 1412

Doing this you optimize the TCP connections, since fragmentation is avoided (the resulting packet does not exceed the MTU size).

You configure TCP MSS on the source interface, VLAN 1 in this case.

Test it out and let us know.
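As an added example (not from the thread), the calculation above carried one step further: besides the clear-text formula it adds the ESP tunnel-mode overhead of the transform set in the original config (esp-des esp-sha-hmac), which is what Rizwan's later remark about lowering the MTU for IPsec refers to. Assumptions: tunnel mode (the crypto map default), an 8-byte IV for DES/3DES, a 12-byte HMAC-SHA1-96 ICV, and PPPoE framing below the dialer not counted.

```python
# Byte sizes for the transform set in the original config (esp-des esp-sha-hmac) in
# IPsec tunnel mode. 3DES uses the same 8-byte block and IV, so its numbers are identical.
IP_HDR, TCP_HDR = 20, 20
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # DES/3DES initialisation vector (one cipher block)
ESP_TRAILER = 2      # pad length + next header
SHA_HMAC_ICV = 12    # HMAC-SHA1-96 integrity check value

def clear_mss(mtu):
    """The reply's formula for unencrypted traffic: MSS = MTU - (TCP + IP headers)."""
    return mtu - (TCP_HDR + IP_HDR)

def esp_tunnel_size(mss, block=ESP_IV, icv=SHA_HMAC_ICV):
    """Outer IP length of a full-size TCP segment after ESP tunnel-mode encapsulation."""
    inner = IP_HDR + TCP_HDR + mss                        # whole original packet is the payload
    padded = -(-(inner + ESP_TRAILER) // block) * block   # payload + trailer rounded up to blocks
    return IP_HDR + ESP_HDR + block + padded + icv        # new outer IP header + ESP + IV + ICV

def max_vpn_mss(mtu, block=ESP_IV, icv=SHA_HMAC_ICV):
    """Largest MSS whose encapsulated packet still fits the egress ip mtu unfragmented."""
    mss = clear_mss(mtu)
    while mss > 0 and esp_tunnel_size(mss, block, icv) > mtu:
        mss -= 1
    return mss

if __name__ == "__main__":
    # 1452/1412 are the values from rizwanr74's reply; 1492 is the usual PPPoE link MTU.
    print("clear-text MSS for ip mtu 1452:", clear_mss(1452))
    print("ESP packet for MSS 1412:", esp_tunnel_size(1412), "bytes (exceeds 1452)")
    for mtu in (1452, 1492):
        print(f"largest VPN-safe MSS for ip mtu {mtu}:", max_vpn_mss(mtu))
```

The clamp of 1412 fits the dialer's ip mtu of 1452 for plain internet traffic, but a segment of that size bound for the tunnel grows to 1504 bytes once encapsulated, so the VPN traffic still fragments unless the MSS (or MTU) is lowered further.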

interface Vlan1
 ip tcp adjust-mss 1412

It worked, thanks a lot.

Hi Mahmood,

Good news

Please rate any post you found useful.

I have one more problem.

I want to enable outbound SSH access to this router. I am able to SSH to the router using its local IP, but I am not able to access the router from its public IP. I have tried to allow SSH with different access lists like

access-list 175 permit tcp any any eq ssh

but nothing worked.

Can you please help me fix this issue?

Hi Mahmood,

"can you please help me to fix this issue"

Please remove this highlighted line.

line vty 0 4
 access-class 1 in

Thanks

Rizwan Rafeek.

Hi Rizwan

Thanks for your reply, but that command did not work:

line vty 0 4
 access-class 1 in

Hi Mahmood,

Please post the output from the debug when you initiate SSH from outside your internal network.

debug ip ssh

thanks


Mahmood,

In addition to the "debug ip ssh", please work through the following steps:

Action plan:

Check if there is an RSA key-pair:

     show crypto key mypub rsa

If the output does not display anything, then generate the RSA key-pair:

     crypto key generate rsa general-keys modulus 1024 exportable    

If it gives you the "% Please define a domain-name first." error, define a domain-name and generate the RSA key-pair.

     ip domain-name cisco.com

     crypto key generate rsa general-keys modulus 1024 exportable

Then check the RSA key-pair:

2811#show crypto key mypub rsa
% Key pair was generated at: 20:54:28 UTC Sep 5 2012
Key name: 2811.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C5C7BB
  321C2B96 2C5A14E9 A64D784F 9E15265E 3AF8D5BE 5B80A296 895C873B 357EBB62
  E7D7552B 0C3FE170 F9BA0AAC D34BE267 5E15BF6E B616D55B 3A1D4C3E FA9C1197
  FBD7300F 70AD1EDE 08FE05B6 A7C121CA 751D6182 C003DCE2 F621DB31 7E665FAC
  35381483 3B50F0C8 7F13A61C 35B270C4 6281FDBB 73089810 39D57D89 19020301 0001
% Key pair was generated at: 20:54:30 UTC Sep 5 2012
Key name: 2811.cisco.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BDD811 8FC6EA0D
  4C2B8557 886C0E0B ABE6805F FA3A08E0 87226F8A B45653ED 6EA0B60D 2C89BB0A
  09BDF276 88BB3FF5 93700270 DB7AD828 FD8BB538 C7EBD01E 30F4C523 3CD051C9
  8E730AAB 8121AABC 010EBFAB 98DCB537 6C452BBA 4D70D801 F9020301 0001

Then make sure SSH version 2 is configured:

     ip ssh version 2

Then make sure the VTY lines allow SSH:

     line vty 0 15

     transport input ssh

At that point, it should at least give you the prompt to enter your credentials.

Let me know.

Thanks.

Portu.

Mahmood,

Good that worked out for you.

FYI...

Since you are running IPsec, you may want to consider lowering the MTU size, as you do not want packets being fragmented.

Thanks

Rizwan Rafeek

Please rate helpful posts, so that they will be helpful for someone else.