02-02-2007 01:04 AM - edited 03-03-2019 03:36 PM
Dear,
I've recently installed a new 2821 router to replace an SMC ADSL modem. Since then, the LAN cannot browse some websites, e.g. http://www.isabel.be, http://www.msn.com, http://www.sapo.pt.
Other websites work fine. There are no restrictions yet on the router - the config is below. Any idea how to solve this issue? Thanks!!
---
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname roupt01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 debugging
logging console critical
enable password 7
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
no ip bootp server
ip name-server 195.x.129.126
ip name-server 194.x.69.222
ip ssh time-out 60
ip ssh authentication-retries 2
!
voice-card 0
 no dspfarm
!
username admin privilege 15 password 7
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key address 193.x.93.27
!
crypto ipsec transform-set sonicwall esp-aes esp-sha-hmac
!
crypto map sonicwallmap 10 ipsec-isakmp
 set peer 193.x.93.27
 set security-association lifetime seconds 28800
 set transform-set sonicwall
 match address 120
!
interface GigabitEthernet0/0
 description UPT_Lan
 no ip address
 no ip proxy-arp
 ip mtu 1452
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.10
 description Logistics
 encapsulation dot1Q 10
 ip address 172.x.x.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/0.11
 description Upstairs
 encapsulation dot1Q 11
 ip address 10.35.1.161 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/0.99
 description Linux_Server
 encapsulation dot1Q 99
 ip address 10.35.3.161 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface ATM0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username password 7
 crypto map sonicwallmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.137.205.84 255.255.255.255 172.27.0.2
!
ip dns server
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface Dialer0 overload
!
no logging trap
access-list 110 deny ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 110 deny ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 110 permit ip 172.27.0.0 0.0.0.255 any
access-list 110 permit ip 10.35.0.0 0.0.3.255 any
access-list 120 permit ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 password 7
 login
 transport output telnet
line aux 0
 transport output none
line vty 0 4
 password 7
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
02-02-2007 01:22 AM
Hello,
You might run into MTU-related issues. Some - and not all - servers will set the DF bit and thus the IP packet will not reach you, if the packet size is above the interface MTU.
Can you try "ip tcp mss-adjust 1400" on the dialer interface? Detailed description of the command and the feature can be found in "TCP MSS Adjustment"
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
Basically the router intercepts the TCP session setup to enforce a maximum session size low enough to avoid packets larger than the interface MTU.
Hope this helps! Please rate all posts.
Regards, Martin
02-15-2007 05:01 PM
Hi,
Try using ip tcp adjust-mss 1360 on the LAN interfaces. There are a lot of MTU issues over DSL.
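Added example, not part of any post in this thread: a small Python check that reads IOS-style interface stanzas, derives the largest TCP MSS that fits the `ip mtu` of the NAT outside interface (MTU minus 40 bytes of IPv4 and TCP headers, no options), and reports which NAT inside interfaces have a usable clamp. The function names and the sample config are constructed; it assumes, as the two replies suggest, that a clamp on either the inside or the outside interface covers the flow, and that an interface without `ip mtu` uses 1500.

```python
import re

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options
FIELDS = {"mtu": r"ip mtu (\d+)", "mss": r"ip tcp adjust-mss (\d+)",
          "nat": r"ip nat (inside|outside)"}
# Constructed sample: stanzas trimmed from the posted config; both adjust-mss lines are added.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.10
 ip nat inside
 ip tcp adjust-mss 1360
!
interface GigabitEthernet0/0.11
 ip nat inside
!
interface GigabitEthernet0/0.99
 ip nat inside
 ip tcp adjust-mss 1460
!
interface Dialer0
 ip mtu 1452
 ip nat outside
"""

def parse_interfaces(config):
    """Map interface name -> {'mtu', 'mss', 'nat'} as found in IOS-style text."""
    found, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = found.setdefault(line.split()[1], {})
        elif line == "!":
            current = None  # "!" closes the stanza
        elif current is not None:
            for key, pattern in FIELDS.items():
                if m := re.fullmatch(pattern, line):
                    current[key] = m.group(1)
    return found

def audit_mss(config):
    """Return (max_safe_mss, {inside_interface: verdict}) for the NAT path."""
    ifaces = parse_interfaces(config)
    outside = [i for i in ifaces.values() if i.get("nat") == "outside"]
    max_mss = min((int(i.get("mtu", 1500)) for i in outside), default=1500) - IP_TCP_HEADERS
    wan = [int(i["mss"]) for i in outside if "mss" in i]  # clamp on the WAN side covers all
    verdicts = {}
    for name, i in ifaces.items():
        if i.get("nat") == "inside":
            clamp = min(wan + ([int(i["mss"])] if "mss" in i else []), default=None)
            verdicts[name] = ("no clamp" if clamp is None else
                              "ok" if clamp <= max_mss else f"{clamp} > {max_mss}")
    return max_mss, verdicts
```

With the posted `ip mtu 1452` the ceiling is 1412, so both values suggested in the replies (1400 and 1360) fit, while a clamp of 1460 would not help.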