05-20-2009 05:55 AM - edited 03-04-2019 04:49 AM
Having a weird one with a new 1841 with SHDSL WIC. I've got the SHDSL Circuit coming up okay, getting the internet IP Address and all inbound (Port Forward) traffic is working fine.
What I can't get working is outbound traffic from clients. I can see the NAT translation table and it all looks good. I am unable to traceroute or ping out from the router as well (from the CLI).
I've included the current (sanitised) config. Anyone able to take a quick look over the config and tell me if there's anything they can see which would be giving me this outbound traffic issue? I've spoken with the Telco and they're confident there's nothing at issue with the circuit and that it's my config.
Any assistance extremely welcome.
Thanks
Nathan
05-20-2009 05:58 AM
Config:
-----------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname Router01
!
boot-start-marker
boot system flash c1841-ipbasek9-mz.124-24.T.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXX
!
no aaa new-model
clock timezone WST 8
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name customer.com
ip name-server x.x.x.x
ip name-server y.y.y.y
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 xxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
controller SHDSL 0/0/0
dsl-group 0 pairs 0
shdsl rate auto
!
!
ip tcp synwait-time 10
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.0.0.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
shutdown
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 1/34
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip access-group 101 in
ip mtu 1400
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.2 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.2 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.2 1723 interface Dialer0 1723
!
logging trap debugging
access-list 1 remark The Local LAN
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any echo
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
05-20-2009 06:11 AM
I'm not sure what the problem is, but with PPPoA you need neither the MTU nor the TCP MSS reduction.
05-20-2009 09:07 AM
Nathan,
Try this:
access-list 101 permit tcp any any established
Put it at the top of your acl.
HTH,
John
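Why the posted access-list 101 breaks outbound sessions, and what the suggested `established` line does and does not fix, as an added example that is not code from this thread: a small Python model of IOS access-list matching, loaded with the permit lines of access-list 101 as posted and evaluated against constructed packets arriving on Dialer0 from the Internet. The IOS semantics it encodes (top-down first match, implicit deny, `eq N` on the destination port, `established` matching a TCP segment with the ACK or RST bit set, ICMP matched by type name) are how IOS evaluates ACLs; the packet contents, port numbers and the third ACL variant with extra ICMP/UDP permits are assumptions made for the example.

```python
"""Stateless-ACL walkthrough for "ip access-group 101 in" on Dialer0.

Added example, not code from the thread. An inbound ACL on the Internet-facing
interface is also evaluated against the *replies* to sessions the LAN started,
and IOS ACLs are stateless, so each reply must match a permit line or it hits
the implicit deny. The anti-spoofing deny lines at the top of ACL 101 are
omitted here: none of the constructed replies has a private or reserved source,
so none of them would match. All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp", "udp", "icmp" or "gre"
    sport: Optional[int] = None              # source port (tcp/udp)
    dport: Optional[int] = None              # destination port (tcp/udp)
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN", "ACK"}
    icmp_type: Optional[str] = None          # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Entry:
    """One ACL line; Entry("permit", "tcp", dport=80) is 'permit tcp any any eq www'."""
    action: str                              # "permit" or "deny"
    proto: str                               # "ip", "tcp", "udp", "icmp", "gre"
    sport: Optional[int] = None              # 'eq N' after the source wildcard
    dport: Optional[int] = None              # 'eq N' after the destination wildcard
    established: bool = False                # TCP segment with ACK or RST set
    icmp_type: Optional[str] = None          # ICMP type name

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """'permit' or 'deny' for pkt; top-down, first match wins, implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The permit lines of access-list 101 exactly as posted, in posted order.
ACL_101_ORIGINAL: List[Entry] = [
    Entry("permit", "tcp", dport=1723),          # permit tcp any any eq 1723
    Entry("permit", "gre"),                      # permit gre any any
    Entry("permit", "tcp", dport=22),            # permit tcp any any eq 22
    Entry("permit", "tcp", dport=23),            # permit tcp any any eq telnet
    Entry("permit", "tcp", dport=25),            # permit tcp any any eq smtp
    Entry("permit", "tcp", dport=3389),          # permit tcp any any eq 3389
    Entry("permit", "tcp", dport=80),            # permit tcp any any eq www
    Entry("permit", "tcp", dport=443),           # permit tcp any any eq 443
    Entry("permit", "icmp", icmp_type="echo"),   # permit icmp any any echo
]

# John's suggestion: "permit tcp any any established" at the top of the ACL.
ACL_101_ESTABLISHED: List[Entry] = [Entry("permit", "tcp", established=True)] + ACL_101_ORIGINAL

# Assumed extension for this example: the non-TCP replies a stateless ACL must
# admit explicitly so ping, traceroute and DNS work from the LAN and the router:
#   permit icmp any any echo-reply / time-exceeded / unreachable
#   permit udp any eq domain any   (DNS answers, matched on source port 53)
ACL_101_STATELESS_FULL: List[Entry] = ACL_101_ESTABLISHED + [
    Entry("permit", "icmp", icmp_type="echo-reply"),
    Entry("permit", "icmp", icmp_type="time-exceeded"),
    Entry("permit", "icmp", icmp_type="unreachable"),
    Entry("permit", "udp", sport=53),
]

# Constructed traffic arriving on Dialer0; ephemeral ports are arbitrary
# stand-ins for whatever the NAT overload allocated.
INBOUND_PACKETS: Dict[str, Packet] = {
    "web_synack":      Packet("tcp", sport=443, dport=50000, tcp_flags=frozenset({"SYN", "ACK"})),
    "ping_reply":      Packet("icmp", icmp_type="echo-reply"),
    "traceroute_hop":  Packet("icmp", icmp_type="time-exceeded"),
    "dns_answer":      Packet("udp", sport=53, dport=50001),
    # Unsolicited connections, to show the ACL still filters what it should:
    "rdp_forwarded":   Packet("tcp", sport=40000, dport=3389, tcp_flags=frozenset({"SYN"})),
    "mssql_syn":       Packet("tcp", sport=40001, dport=1433, tcp_flags=frozenset({"SYN"})),
    # Bare ACK to a closed port: "established" is not stateful and admits it.
    "mssql_ack_probe": Packet("tcp", sport=40002, dport=1433, tcp_flags=frozenset({"ACK"})),
}


def verdicts(acl: List[Entry]) -> Dict[str, str]:
    """Evaluate every constructed packet against one ACL variant."""
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_101_ORIGINAL),
                       ("with established", ACL_101_ESTABLISHED),
                       ("stateless, replies admitted", ACL_101_STATELESS_FULL)):
        print(f"--- access-list 101 {label}")
        for name, verdict in verdicts(acl).items():
            print(f"  {name:16} {verdict}")
```

Run as a script, the ACL as posted drops every reply (the SYN-ACK of an outbound HTTPS session, the ping echo-reply, the traceroute time-exceeded, the DNS answer) while still admitting the SYN to the forwarded RDP port, which is exactly the symptom in the first post: port forwards work, nothing initiated from inside does. With `permit tcp any any established` at the top, TCP sessions from the LAN complete, but ping and traceroute from the router CLI still fail until the ICMP reply types (and DNS answers, matched on source port 53) are admitted as well. The `established` keyword is a flag check, not connection tracking: the bare-ACK probe to port 1433 is permitted, which is the cost of a stateless filter. The image named in the config, c1841-ipbasek9, is an IP Base image and does not include the IOS Firewall (CBAC `ip inspect`) feature set, so a stateful alternative would need an Advanced Security or richer image.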