
VPN and internet access

aadams272 (Level 1)

Hello,

I have a Cisco 1841 set up at a remote site with a webserver and laptop running behind it. Our setup works fine except that we cannot access the internet from behind the router. Our site-to-site VPN to our main office works great, as do the websites running on the webserver.

I can ping the router with both the public and private IP, but I cannot ping the gateway IP or beyond.

There is one strange thing that I hope might be a clue. If I ping the gateway IP with -l 1500 I get a couple of no responses and then all of a sudden I start receiving a reply.

Here is a partial config on the router.

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key X address 216.x.x.153
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 216.x.x.153
 set peer 216.x.x.153
 set transform-set ESP-3DES-SHA
 match address 100
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.7.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 168.x.x.114 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
ip default-gateway 168.x.x.113
ip classless
ip route 0.0.0.0 0.0.0.0 168.x.x.113
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_2 pool in-out overload
ip nat inside source static tcp 192.168.7.119 80 168.x.x.119 80 extendable
ip nat inside source static tcp 192.168.7.119 443 168.x.x.119 443 extendable
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.7.0 0.0.0.255 any log
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 101
!

Thanks for any help you can give me.
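The config above hinges on two ACLs: 100 selects what the crypto map encrypts, and 101 (through route-map SDM_RMAP_2) selects what gets translated, with the head-office subnet denied from NAT so it still matches the crypto ACL afterwards. As an added example, not code from the original post or from Cisco, here is a small Python model of IOS first-match ACL evaluation and of the inside-to-outside order of operations (NAT is applied before the crypto map is checked), run against ACL 100 and ACL 101 as posted. It assumes 198.51.100.116 as a stand-in for the masked NAT address 168.x.x.116 and 192.168.1.10 as a host at the head office, and it also shows a constructed variant of ACL 101 with the deny line missing, which is the usual way this pairing goes wrong.

```python
import ipaddress
from dataclasses import dataclass


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network.

    A wildcard's 1 bits are "don't care"; the posted config only uses
    contiguous wildcards, so the pair maps cleanly onto a prefix length.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


ANY = net("0.0.0.0", "255.255.255.255")  # IOS keyword "any"


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_match(acl, src: str, dst: str) -> str:
    """IOS semantics: the first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# ACL 100 (crypto map "match address 100") and ACL 101 (route-map SDM_RMAP_2,
# which drives "ip nat inside source"), transcribed from the posted config.
ACL_100 = [Ace("permit", net("192.168.7.0", "0.0.0.255"), net("192.168.1.0", "0.0.0.255"))]
ACL_101 = [
    Ace("deny", net("192.168.7.0", "0.0.0.255"), net("192.168.1.0", "0.0.0.255")),
    Ace("permit", net("192.168.7.0", "0.0.0.255"), ANY),
]
# Constructed variant with the NAT exemption missing, for comparison only.
ACL_101_NO_EXEMPT = [Ace("permit", net("192.168.7.0", "0.0.0.255"), ANY)]

# Stand-in for the masked public NAT address 168.x.x.116 (assumption).
NAT_OUTSIDE = "198.51.100.116"


def forward(src: str, dst: str, nat_acl, crypto_acl):
    """Model the inside-to-outside path of an IOS router.

    IOS translates (ip nat inside -> outside) before it evaluates the crypto
    map, so the crypto ACL sees the post-NAT source address. Returns the
    egress treatment ("ipsec" or "clear") and the source address that leaves
    the outside interface.
    """
    if acl_match(nat_acl, src, dst) == "permit":
        src = NAT_OUTSIDE
    treatment = "ipsec" if acl_match(crypto_acl, src, dst) == "permit" else "clear"
    return treatment, src


if __name__ == "__main__":
    # 192.168.1.10 is an assumed head-office host; 64.233.167.104 is the address pinged later in the thread.
    for dst in ("192.168.1.10", "64.233.167.104"):
        print("posted ACL 101  :", dst, forward("192.168.7.119", dst, ACL_101, ACL_100))
        print("no NAT exemption:", dst, forward("192.168.7.119", dst, ACL_101_NO_EXEMPT, ACL_100))
```

With the posted ACL 101, head-office traffic is left untranslated, matches ACL 100 and is encrypted, while internet-bound traffic is translated and routed in the clear, which is the intended split. Remove the deny line and the same head-office flow is translated to the public address, misses the crypto ACL and leaves the router unencrypted towards the default gateway; that is the failure mode to check for whenever NAT and a crypto map share an interface. The model says nothing about the thread's internet problem on its own; it only confirms that the two ACLs do what the posters say they do.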

6 Replies

stephen.stack (Level 4)

Hi,

I think I may have an answer for you. You obviously configured your IPsec tunnels through SDM. A wise move! Not always, though.

I believe your issue lies with your IP NAT statements. Your ACLs are correct, as are the crypto configs.

Now first add MTU settings to your interfaces.

!
interface fa0/0
 ip tcp adjust-mss 1452
!
interface fa0/1
 ip mtu 1492
!

Change your IP NAT statements as follows.

Remove the following two lines:

#ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
#ip nat inside source route-map SDM_RMAP_2 pool in-out overload

by typing a 'no' in front of each command in global config mode, as follows:

#no ip nat pool in-out 168.x.x.116 168.x.x.116 netmask 255.255.255.240
#no ip nat inside source route-map SDM_RMAP_2 pool in-out overload

Replace them with the following command:

# ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload

It is not effective to have the IP NAT inside statement point to the IP Nat pool statement when you only have one public IP address.

And I think, just to tidy things up, remove the following:

#ip default-gateway 168.x.x.113

Now I suggest you try this when you know that nobody is using the network. Also, do not save the config after the changes until you know everything is working fine. If this does not work, just reload the router to go back to your previous config.

Remember to save your config before any modifications.

HTH. If it does please rate this post.

Regards

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Stephen

I agree with most but not all of your suggestions. I think the symptoms do sound like an address translation issue and that the address translation should be configured differently.

Since he states that the VPN from the head office is working fine I am not sure that it is needed to change the MTU, though with VPNs I almost always do this. I do not agree with the suggestion to remove ip default-gateway 168.x.x.113. It is doing no harm and there is a circumstance where it might do some good. The default-gateway definition is used for IP hosts and while the router is acting as a router it would not use it. But if the router were ever to be acting as an IP host it would need it. The most likely thing that might cause this would be for the router to boot into rommon. In rommon the router is an IP host and without a default gateway it would be isolated. With a default gateway the router is potentially reachable.

HTH

Rick

Hi Lads,

Thanks for the info.

rburts, a lot of what I explained is just good practice, and it is config that I have taken from previous and standard configurations that I have. In all my implementations the MTU settings are changed. For me it is just good practice (that's not to say it should be done).

The IP default-gateway issue! I totally see what you mean. :)

It would not be my preferred way of doing it; personally I would not have it in a config (the less in a config the better, security etc.). But rburts is right, this would be used if the router was ever configured as a host.

Now, let's not get caught up in that. Try the NAT statements anyway, and see how you get on.

Cheers

Stephen


Thanks for the response.

I have made the above changes (except for the default gateway). The problem is however still there.

I did remember something that I had forgotten since setting up this router. That is, the VPN did not initially work right. I had to put a manual MTU setting (1414) on the webserver and laptop running behind it. I have deleted the manual MTU setting on the laptop and re-tested. The internet problem is still there and the VPN is also not working correctly without the MTU setting.

Arthur

This additional information certainly sounds like the problem is an MTU problem (though I agree with Stephen that the NAT configuration was also contributing to the problem). I believe that the suggestion that Stephen made to configure ip tcp adjust-mss on the LAN interface would solve the problem, except that the value that he configured may not have been small enough. Configuring VPN frequently causes problems with MTU. I frequently configure the adjust-mss to a value of 1375 when I configure VPNs. If you set the MTU to 1414 and it worked I would suggest that you configure ip tcp adjust-mss 1414 and see what that does. And if it does not fix it I would suggest trying 1375.

Give this a try and let us know if it fixes it.

HTH

Rick
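Stephen's adjust-mss 1452 / ip mtu 1492 suggestion and Rick's 1414 and 1375 figures both come down to the same arithmetic: how many bytes ESP tunnel mode adds to each packet before it has to fit the 1500-byte outer MTU. As an added example, not code from either poster or from Cisco, this Python snippet computes the outer datagram size for the posted transform set (esp-3des esp-sha-hmac: 20-byte outer IP header, 8-byte ESP header, 8-byte IV, payload padded to an 8-byte block, 2-byte trailer, 12-byte truncated HMAC-SHA-1 ICV) and the largest TCP MSS that avoids fragmentation. It assumes plain Ethernet between the router and its peer with no other encapsulation in the path; the defaults are 3DES/SHA-1, and passing iv=16, block=16 models AES.

```python
import math

IP_HDR = 20        # outer IPv4 header, no options
TCP_HDR = 20       # TCP header, no options; MSS = inner MTU - IP_HDR - TCP_HDR
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_SHA1 = 12      # esp-sha-hmac: HMAC-SHA-1 truncated to 96 bits


def esp_tunnel_size(inner_len: int, iv: int = 8, block: int = 8, icv: int = ICV_SHA1) -> int:
    """Outer datagram length for an inner IP packet of inner_len bytes in ESP tunnel mode.

    Defaults model esp-3des (8-byte IV, 8-byte cipher block). AES needs iv=16, block=16.
    The plaintext (inner packet + trailer) is padded up to a whole cipher block.
    """
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IP_HDR + ESP_HDR + iv + encrypted + icv


def max_inner_packet(outer_mtu: int = 1500, **cipher) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits the outer MTU."""
    n = outer_mtu
    while esp_tunnel_size(n, **cipher) > outer_mtu:
        n -= 1
    return n


def mss_for(inner_mtu: int) -> int:
    """TCP MSS that fills an inner packet of this size exactly."""
    return inner_mtu - IP_HDR - TCP_HDR


def fragments_with_mss(mss: int, outer_mtu: int = 1500, **cipher) -> bool:
    """True if a full-size segment with this MSS is fragmented after ESP encapsulation."""
    return esp_tunnel_size(mss + IP_HDR + TCP_HDR, **cipher) > outer_mtu


if __name__ == "__main__":
    best = max_inner_packet()
    print(f"3DES/SHA-1: max inner packet {best} bytes, MSS {mss_for(best)}")
    for mss in (1452, 1414, 1403, 1375):  # values discussed in this thread
        print(f"  ip tcp adjust-mss {mss}: fragments={fragments_with_mss(mss)}")
    aes = max_inner_packet(iv=16, block=16)
    print(f"AES/SHA-1:  max inner packet {aes} bytes, MSS {mss_for(aes)}")
```

Under this model the 3DES/SHA-1 tunnel carries at most a 1446-byte inner packet (MSS 1406); 1452 and 1414 both still produce fragmented ESP packets, while 1403 and 1375 do not. Treat the computed figure as an upper bound: anything else on the path (PPPoE, a smaller upstream MTU, a different transform set at the peer) lowers it, which is why the value usually ends up trimmed downward empirically, and why `ip tcp adjust-mss` on the LAN interface is the lever that works regardless of what the hosts have configured.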

I have set the adjust-mss to 1403 (seems to be the max where the VPN works well) and removed the MTU on the server. The VPN is now working great (much easier than setting the MTU in the server registry). I could not, however, set the IP MTU on the external interface. I tried with a few variations starting with mss + 40 and it always broke the VPN.

Connecting to the internet, however, is still a problem. I set some debugs and captured some output in the hope that it will give some clue as to what is happening (attachment).

debug ip nat
debug ip packet 177 det (177 filters ICMP only)

first ping 64.233.167.104
4 no responses
nothing in log

second ping 64.233.167.104 -l 1473
4 no responses
captured in log

anything lower than 1473 will not make the third ping work

third ping 64.233.167.104
4 replies

Thanks for your input.
