LAN computers failing to access internet , Cisco 1941 router

no3more14
Level 1

Hi

I am not sure if this question has been raised before. My company recently bought a Cisco 1941 router, and we have been using a Linksys router connecting to our ISP using WiMax all along. I have configured the new Cisco 1941 to the best of my knowledge, but something strange is happening on my network. I can open www.gmail.com from any machine but I can't open anything else, even www.google.com. What could be causing that?

My config is as follows :

Current configuration : 4478 bytes

!

!

No configuration change since last restart

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router1941

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 xxxxxxxxxxxxxxx

!

no aaa new-model

!

!

no ipv6 cef

ip source-route

ip cef

!

ip domain round-robin

ip name-server <ISP's dns1>

ip name-server <ISP's dns2>

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3768018030

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3768018030

revocation-check none

rsakeypair TP-self-signed-3768018030

!

!

crypto pki certificate chain TP-self-signed-3768018030

certificate self-signed 01

quit

license udi pid CISCO1941/K9 sn FCZ1610C5L5

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

!

!

username zzzzz privilege 15 secret 5 xxxxxxxxxxxxxxx

!

redundancy

!

!

interface Tunnel0

description Tunnel to remotesite

ip address 10.0.0.1 255.255.255.252

ip flow ingress

keepalive 10 3

tunnel source <my publicIP>

tunnel mode ipip

tunnel destination <remote publicIP>

!

interface Embedded-Service-Engine0/0

no ip address

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description wimax wan$ETH-WAN$

no ip address

ip access-group wan_acl in

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface GigabitEthernet0/1

description main lan$ETH-LAN$

ip address 192.167.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

ip flow ingress

shutdown

clock rate 2000000

!

interface Dialer0

description wimax dialer

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp chap hostname yyyyyy

ppp chap password 7 xxxxxxxxxxxxx

ppp pap sent-username yyyyyy password 7 xxxxxxxxxxxx

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 192.167.2.0 255.255.255.0 Tunnel0

!

ip access-list extended wan_acl

permit tcp any host 192.167.1.254 eq telnet

!

no logging trap

access-list 1 permit 192.167.1.0 0.0.0.255

dialer-list 1 protocol ip permit

!

control-plane

!

!

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

From any of my LAN PCs I can ping any website, and traceroute and nslookup work, but as soon as I try using my browser it fails.

My LAN network is 192.167.1.x/24

My ISP's default gateway is 192.168.20.1

GigabitEthernet0/1 is the interface facing my LAN

Dialer0 is an alias to GigabitEthernet0/0 which is my external interface

I am using pppoe to connect to the internet

Where am I getting it wrong?

1 Accepted Solution

9 Replies

rizwanr74
Level 7

Hi Nomore,

Please remove this ACL from GigabitEthernet0/0; your actual outside interface is "Dialer0". If you choose to put an ACL on Dialer0, then you must enable CBAC or Zone-Based Firewall on your router.

interface GigabitEthernet0/0

description wimax wan$ETH-WAN$

no ip address

ip access-group wan_acl in

Let me know, if this helps.

thanks

Hi rizwanr74

That access list, wan_acl, was there to permit telnet login from any IP address. I removed it, though, but nothing changed; I am getting the same result.

cadet alain
VIP Alumni

Hi,

Remove the first static route pointing to the ISP gateway IP and let us know.

Don't forget to rate helpful posts.

Regards.

Alain.

Hi Cadet alain

I removed the first static route as per your suggestion, but it did not work; I am still getting the same result.

I would check a few things. First, determine if it's DNS, or a DNS firewall, that's causing the issue. Try to reach a site by IP.

(98.139.183.24) is one of Yahoo's IPs.

Second, run a traceroute from the router's command line (IP not DNS) to see if you can reach a destination.

Third, run a trace to that same destination (again by IP) from a pc on your LAN.

( tracert -d 98.139.183.24 ) from a Windows machine.

This will help you identify if the point of failure is:
1) a connectivity issue, 2) a DNS issue or 3) a routing or NAT issue.

Hi Michael O'Brien

I have tried accessing www.yahoo.com, www.google.com and www.cellc.co.za using the IP address and the actual website names, but I kept on getting the same result. I went on to run traceroute on my router and on the PC connected to the LAN, and the results are as below.

traceroute from Router

traceroute www.google.com

Translating "www.google.com"...domain server (196.47.64.4) [OK]

Type escape sequence to abort.

Tracing the route to www.l.google.com (173.194.35.147)

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.20.1 28 msec 52 msec 36 msec

  2 196-47-68-233.mweb.com.na (196.47.68.233) 32 msec 36 msec 60 msec

  3 196-47-68-229.mweb.com.na (196.47.68.229) 36 msec 36 msec 40 msec

  4 10.47.64.66 32 msec 32 msec 56 msec

  5 ADSL-41-205-133-9.ipb.na (41.205.133.9) 36 msec 44 msec 44 msec

  6 KHP-BOR06-WGG-AR01 (41.205.133.238) 56 msec 44 msec 68 msec

  7 po7-0-0.ccr01.lon09.atlas.cogentco.com (149.6.98.61) 240 msec 216 msec 232 msec

  8 te0-3-0-3.ccr21.lon01.atlas.cogentco.com (154.54.36.165) [MPLS: Label 17132 Exp 3] 220 msec 216 msec

    te0-3-0-4.ccr22.lon01.atlas.cogentco.com (154.54.36.169) [MPLS: Label 17034 Exp 3] 220 msec

  9 te4-2.ccr01.lon18.atlas.cogentco.com (154.54.62.58) 240 msec

    te2-2.ccr01.lon18.atlas.cogentco.com (154.54.61.218) 216 msec

    te1-4.ccr01.lon18.atlas.cogentco.com (154.54.62.54) 228 msec

10 149.6.146.30 240 msec 228 msec 224 msec

11 209.85.255.86 236 msec 224 msec 248 msec

12 209.85.253.92 [MPLS: Label 718153 Exp 4] 220 msec 220 msec

    209.85.253.94 [MPLS: Label 654826 Exp 4] 232 msec

13 209.85.243.33 [MPLS: Label 360058 Exp 4] 232 msec 240 msec 280 msec

14 209.85.241.229 [MPLS: Label 311671 Exp 4] 236 msec 236 msec 240 msec

15 216.239.48.116 256 msec 256 msec 240 msec

16 209.85.250.35 232 msec 252 msec 232 msec

17 muc03s01-in-f19.1e100.net (173.194.35.147) 260 msec 240 msec 236 msec

***********************************************************************************************************************************

router1941#traceroute 173.194.35.147

Type escape sequence to abort.

Tracing the route to muc03s01-in-f19.1e100.net (173.194.35.147)

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.20.1 48 msec 36 msec 44 msec

  2 196-47-68-233.mweb.com.na (196.47.68.233) 48 msec 44 msec 44 msec

  3 196-47-68-229.mweb.com.na (196.47.68.229) 44 msec 48 msec 32 msec

  4 10.47.64.66 52 msec 36 msec 40 msec

  5 ADSL-41-205-133-9.ipb.na (41.205.133.9) 44 msec 52 msec 48 msec

  6 KHP-BOR06-WGG-AR01 (41.205.133.238) 52 msec 48 msec 64 msec

  7 po7-0-0.ccr01.lon09.atlas.cogentco.com (149.6.98.61) 228 msec 216 msec 216 msec

  8 te0-3-0-4.ccr22.lon01.atlas.cogentco.com (154.54.36.169) [MPLS: Label 17034 Exp 3] 232 msec

    te0-3-0-3.ccr21.lon01.atlas.cogentco.com (154.54.36.165) [MPLS: Label 17132 Exp 3] 232 msec

    te0-3-0-4.ccr22.lon01.atlas.cogentco.com (154.54.36.169) [MPLS: Label 17034 Exp 3] 244 msec

  9 te1-2.ccr01.lon18.atlas.cogentco.com (154.54.61.150) 224 msec

    te1-4.ccr01.lon18.atlas.cogentco.com (154.54.62.54) 224 msec

    te2-1.ccr01.lon18.atlas.cogentco.com (154.54.61.214) 228 msec

10 149.6.146.30 232 msec 272 msec 244 msec

11 209.85.255.84 264 msec

    209.85.255.86 220 msec

    209.85.255.84 240 msec

12 209.85.253.92 [MPLS: Label 718153 Exp 4] 228 msec 224 msec

    209.85.253.94 [MPLS: Label 654826 Exp 4] 232 msec

13 209.85.243.33 [MPLS: Label 773178 Exp 4] 240 msec 256 msec 228 msec

14 209.85.241.229 [MPLS: Label 311671 Exp 4] 236 msec 236 msec 224 msec

15 216.239.48.116 236 msec 260 msec 252 msec

16 209.85.250.35 232 msec 236 msec 244 msec

17 muc03s01-in-f19.1e100.net (173.194.35.147) 240 msec 244 msec 240 msec

###########################################################################################################################

traceroute using a PC connected to the router

traceroute to 173.194.70.17 (173.194.70.17), 30 hops max, 60 byte packets

1  192.167.1.254 (192.167.1.254)  1.495 ms  1.530 ms  1.608 ms

2  192.168.20.1 (192.168.20.1)  41.820 ms  62.033 ms  62.040 ms

3  196-47-68-233.mweb.com.na (196.47.68.233)  66.233 ms  66.336 ms  66.342 ms

4  196-47-68-229.mweb.com.na (196.47.68.229)  62.084 ms  62.152 ms  62.248 ms

5  10.47.64.66 (10.47.64.66)  62.257 ms  62.359 ms  62.366 ms

6  ADSL-41-205-133-9.ipb.na (41.205.133.9)  66.410 ms  41.402 ms  44.821 ms

7  KHP-BOR06-WGG-AR01 (41.205.133.238)  70.956 ms  70.958 ms  75.443 ms

8  po7-0-0.ccr01.lon09.atlas.cogentco.com (149.6.98.61)  325.073 ms  325.076 ms  325.108 ms

9  te0-3-0-3.ccr21.lon01.atlas.cogentco.com (154.54.36.165)  239.927 ms  246.127 ms te0-3-0-4.ccr22.lon01.atlas.cogentco.com (154.54.36.169)  246.130 ms

10  te2-2.ccr01.lon18.atlas.cogentco.com (154.54.61.218)  246.099 ms te1-1.ccr01.lon18.atlas.cogentco.com (130.117.51.162)  246.096 ms te4-2.ccr01.lon18.atlas.cogentco.com (154.54.62.58)  246.107 ms

11  149.6.146.30 (149.6.146.30)  246.145 ms  246.185 ms  246.191 ms

12  209.85.255.86 (209.85.255.86)  239.821 ms  245.064 ms 209.85.255.84 (209.85.255.84)  254.940 ms

13  209.85.253.196 (209.85.253.196)  254.919 ms 209.85.253.90 (209.85.253.90)  220.039 ms 209.85.253.196 (209.85.253.196)  243.968 ms

14  209.85.243.33 (209.85.243.33)  263.709 ms  263.724 ms  269.207 ms

15  209.85.241.229 (209.85.241.229)  254.130 ms  278.639 ms 209.85.241.227 (209.85.241.227)  248.399 ms

16  209.85.254.114 (209.85.254.114)  248.335 ms 209.85.254.112 (209.85.254.112)  240.238 ms 209.85.254.114 (209.85.254.114)  249.610 ms

17  * * *

18  fa-in-f17.1e100.net (173.194.70.17)  257.153 ms  257.148 ms  223.458 ms

*******************************************************************************************

traceroute to www.gmail.com (173.194.70.17), 30 hops max, 60 byte packets

1  192.167.1.254 (192.167.1.254)  1.370 ms  1.337 ms  1.335 ms

2  192.168.20.1 (192.168.20.1)  53.654 ms  58.994 ms  64.225 ms

3  196-47-68-233.mweb.com.na (196.47.68.233)  68.669 ms  68.670 ms  68.708 ms

4  196-47-68-229.mweb.com.na (196.47.68.229)  64.160 ms  64.198 ms  64.278 ms

5  10.47.64.66 (10.47.64.66)  64.272 ms  64.323 ms  64.404 ms

6  ADSL-41-205-133-9.ipb.na (41.205.133.9)  68.619 ms  33.168 ms  53.258 ms

7  KHP-BOR06-WGG-AR01 (41.205.133.238)  68.403 ms  64.144 ms  64.149 ms

8  po7-0-0.ccr01.lon09.atlas.cogentco.com (149.6.98.61)  239.488 ms  254.845 ms  254.881 ms

9  te0-3-0-3.ccr21.lon01.atlas.cogentco.com (154.54.36.165)  255.143 ms te0-3-0-4.ccr22.lon01.atlas.cogentco.com (154.54.36.169)  259.501 ms te0-3-0-3.ccr21.lon01.atlas.cogentco.com (154.54.36.165)  255.135 ms

10  te3-1.ccr01.lon18.atlas.cogentco.com (154.54.62.50)  259.507 ms te2-1.ccr01.lon18.atlas.cogentco.com (154.54.61.214)  259.527 ms te1-1.ccr01.lon18.atlas.cogentco.com (130.117.51.162)  259.582 ms

11  149.6.146.30 (149.6.146.30)  259.638 ms  259.696 ms  279.753 ms

12  209.85.255.86 (209.85.255.86)  309.783 ms 209.85.255.84 (209.85.255.84)  339.765 ms 209.85.255.86 (209.85.255.86)  249.782 ms

13  209.85.253.92 (209.85.253.92)  245.446 ms 209.85.253.196 (209.85.253.196)  235.289 ms 209.85.253.94 (209.85.253.94)  236.912 ms

14  209.85.243.33 (209.85.243.33)  251.743 ms  272.414 ms 209.85.240.28 (209.85.240.28)  272.413 ms

15  209.85.241.229 (209.85.241.229)  262.185 ms  262.368 ms  262.369 ms

16  209.85.254.114 (209.85.254.114)  262.146 ms 209.85.254.112 (209.85.254.112)  262.360 ms  262.403 ms

17  * * *

18  fa-in-f17.1e100.net (173.194.70.17)  248.801 ms  248.843 ms  248.886 ms

Hi Nomore,

Please apply this on your interface "interface GigabitEthernet0/1"

interface GigabitEthernet0/1

ip tcp adjust-mss 1452

You must apply this line "ip tcp adjust-mss 1452" on every interface which is facing inside to your internal network, i.e. on this router.

Let me know, if this helps.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed
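An added example, not part of the thread or of any Cisco tooling: PPPoE takes 8 bytes of each 1500-byte Ethernet frame, leaving a 1492-byte IP MTU, and subtracting 40 bytes of IPv4 and TCP headers gives the 1452 in the reply above; small ping and traceroute packets fit either way, while full-size TCP segments from a browser do not. The Python sketch below audits a running-config for that clamp. It assumes "inside" interfaces are the ones marked `ip nat inside`; the function names are hypothetical and the sample is trimmed from the configuration posted in this thread.

```python
PPPOE_OVERHEAD = 8    # PPPoE header (6) + PPP protocol field (2)
IP_TCP_HEADERS = 40   # IPv4 (20) + TCP (20), no options

# Sample input: trimmed from the configuration posted in this thread.
BEFORE = """\
interface GigabitEthernet0/0
 ip nat outside
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 ip address 192.167.1.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
!
"""
# The same configuration with the fix from the reply applied.
AFTER = BEFORE.replace(" ip nat inside\n", " ip nat inside\n ip tcp adjust-mss 1452\n")

def parse_interfaces(config):
    """Map each interface name to its sub-commands; a '!' line ends a block."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif line and current:
            interfaces[current].append(line)
    return interfaces

def audit_mss(config, ethernet_mtu=1500):
    """Flag 'ip nat inside' interfaces whose MSS clamp is absent or too large for PPPoE."""
    ifaces = parse_interfaces(config)
    if not any(c.startswith("pppoe-client") for cmds in ifaces.values() for c in cmds):
        return None, []  # no PPPoE uplink found, nothing to clamp
    expected = ethernet_mtu - PPPOE_OVERHEAD - IP_TCP_HEADERS
    findings = []
    for name, cmds in ifaces.items():
        if "ip nat inside" not in cmds or "shutdown" in cmds:
            continue  # assumption: only active NAT-inside interfaces face the LAN
        clamp = [int(c.split()[-1]) for c in cmds if c.startswith("ip tcp adjust-mss")]
        if not clamp:
            findings.append((name, "no ip tcp adjust-mss"))
        elif clamp[0] > expected:
            findings.append((name, f"adjust-mss {clamp[0]} > {expected}"))
    return expected, findings
```

Because the parser ends a block at `!` rather than relying on indentation, it also works on a config pasted without leading spaces, as in the original post.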

Hi rizwanr74

My brother, you are a star, I don't know how to thank you. It's now working; I am currently connected using my 1941 router on a PC connected directly to it. I am just left with testing all my LAN PCs, which I believe will work with your solution.

Once again thanks very much

"I don't know how to thank you."

Since you put it this way, my humble request would be that you read a copy of the Quran, translated by Yusuf Ali.

Thanks
