Trouble configuring Cisco 857, many sites not working

seanblaes · ‎08-18-2006

First off, I'm a newbie to Cisco equipment. I'm a software developer

by trade, working from home for my own company. I outgrew the router

that my DSL provider gave me (SBC/AT&T) with my static service (5

static IPs) as I need to host some servers onsite and wanted a decent

firewall. So, I read reviews online and purchased the Cisco 857.

I set this up yesterday using the wizard/installer that came with it.

I have not enabled the firewall, and am currently using NAT across one

of the external static IPs. Internally my network is 192.168.1.0/24.

Generally, everything is working, but a few things are not and it's

baffling me. AJAX websites (those that communicate back to the server

with Javascript) are generally not working. A prominent example is

Google's GMail (gmail.google.com). I can login and view my mail, but I

can't send or do anything that requires AJAX functionality. In fact,

it seems almost as though I can't do an HTTP POST in general across the

857. Very strange.

When I plug in my old router, everything works fine. When I plug in

the 857, I have the issues above. Hopefully somebody has some ideas

that can send me in the right direction. I am decent with network

equipment, and such. Many years ago I did have experience setting up

and managing a Cisco 4000 series, but I've forgotten most of what I

knew then. Let me know if you have any ideas on what might be wrong,

or how I might be able to figure out what is wrong.

m-haddad · ‎08-18-2006

If you have IOS with firewall feature set check the inspection. If you have inspection for java applets or http try to remove it and see if things work.

If you can paste the config this would be better,

Let me know what happens,

Regards,

globalnettech · ‎08-18-2006

Hello,

my first thought would be that, when using SDM to configure the router, a feature called CBAC (Context-Based Access Control) usually puts statements in your configuration that start with 'ip inspect', which might cause your problem. If that applies to your situation, try and take those statements out, and see if that makes a difference. SDM also puts a couple of access lists in a standard config which might block certain traffic. If possible, can you post the configuration you have so far ?

One other thing you could try is to adjust the MSS of the Ethernet interface on your router. Use the interface command:

ip tcp adjust-mss 1452

Regards,

GNT

seanblaes · ‎08-18-2006

No luck so far. There weren't any inspect entries, and I think I did what you wanted regarding the MSS setting, but I'm not sure. I've attached my config (I snipped a few ips and such that I felt might not be good to put on the internet, replaced with xxxxx).

sundar.palaniappan · ‎08-18-2006

Hi,

Your symptoms indicate a possible MTU problem. Can you lower the MTU to 1400 bytes using the command 'ip tcp adjust-mss 1400'. The router would transparently lower the MSS to 1400 bytes during the TCP negotiation phase between the end devices.

Hope that helps!

Regards,

Sundar

m-haddad · ‎08-18-2006

Can you try removing the

ip mtu 1452 from the dialer interface and try again.

Please let me know if the problem is solved,

Regardsm

seanblaes · ‎08-18-2006

Hey guys. I think this did the trick. I first removed the mtu line altogether, which caused google gmail to start working, but some other sites (such as msn.com) stopped working. Go figure! So, I added the line back in with an MTU of 1440, and it seems that everything is working now.

Thanks for all your help. I would have never thought of an MTU issue.