1841 NAT issue?

Andre Neethling
Level 4

Hi. I have an 1841 set up as a PPPoE dialer doing NAT and ZBF. I am experiencing some issues. My one PC works perfectly. All websites available. When I use my mobile via the WiFi, only certain sites work. My other PC can access some websites too. Google = perfect, Facebook does not work. The PC that is working is Windows 8.1, the PC that is not is Windows 7. I had a look at some recommendations here, like using an extended ACL for NAT. No difference. I did notice that the NVI0 interface is defaulting to the lowest IP address on the router, which I am not using. When I use an ASA with the default class maps to do the PPPoE, all devices work perfectly. See my config below. Any assistance will be appreciated.

 

Building configuration...

Current configuration : 4234 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 notifications
enable secret
!
no aaa new-model
clock timezone Harare 2
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.20
ip dhcp excluded-address 172.16.0.1 172.16.0.20
!
!
ip cef
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
 
 
        quit
!
!
username privilege 15 secret 5
archive
 log config
  hidekeys

!
!
!
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
 match protocol https
 match protocol http
!
!
policy-map type inspect ALLOWED-POLICY
 class type inspect ALLOWED-PROTOCOLS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect ALLOWED-POLICY
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 172.16.2.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <user> password <password>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT1 interface Dialer0 overload
!
ip access-list extended NAT1
 permit ip 172.16.1.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!

control-plane

line con 0
 password 7 
 logging synchronous
 login
line aux 0
line vty 0 4
 password 7 
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Accepted Solution

Peter Paluch
Cisco Employee

Andre,

Just a blind shot at this stage but I have a feeling that your MTU manipulations on the Dialer0 are not correct. Can you please enter the following commands?

interface Dialer0
  ip mtu 1492
  ip tcp adjust-mss 1452
  shutdown !!! Wait a couple of seconds
  no shutdown

The IP MTU on PPPoE is 1492 bytes, not 1452. In addition, you want to tell all TCP sessions passing through the interface that the maximum segment size shall be 1452, so that with 20 B of TCP header and 20 B of IP header the total size is 1492 bytes.

Please give this a test and let us know.

Best regards,
Peter

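The arithmetic behind Peter's fix, and a model of what `ip tcp adjust-mss` does to a TCP SYN crossing the Dialer interface, as an added example that is not part of the original thread and is not Cisco IOS code. The function names and the sample SYN segment are constructed for this example. The practitioner's caveat it illustrates: a LAN host on plain Ethernet assumes a 1500-byte path and advertises MSS 1460, so its full-size segments are 1500-byte IP packets, which do not fit a 1492-byte PPPoE link. If the router's MTU is set lower than the real link MTU and nothing clamps the MSS, the router has to fragment or send ICMP "fragmentation needed"; when that ICMP is lost or ignored somewhere along the path, the TCP handshake completes but bulk transfers stall, which is the classic path-MTU black hole that shows up as "some sites work, others don't".

```python
"""Added example (not from the thread, not Cisco IOS): PPPoE MTU/MSS
arithmetic plus a model of `ip tcp adjust-mss` applied to a TCP SYN.
Names and the sample segment below are constructed for this example."""
import struct

ETHERNET_MTU = 1500   # Ethernet payload available to PPPoE on Fa0/0
PPPOE_HEADER = 6      # PPPoE session header
PPP_HEADER = 2        # PPP protocol-ID field
IP_HEADER = 20        # IPv4 header without options
TCP_HEADER = 20       # TCP header without options
TCP_FLAG_SYN = 0x002


def pppoe_ip_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU left on a PPPoE link: 1500 - 6 - 2 = 1492."""
    return link_mtu - PPPOE_HEADER - PPP_HEADER


def mss_for_mtu(ip_mtu: int) -> int:
    """Largest TCP payload whose packet still fits ip_mtu: 1492 - 40 = 1452."""
    return ip_mtu - IP_HEADER - TCP_HEADER


def fits(ip_mtu: int, tcp_payload: int) -> bool:
    """True if a full-size segment with this payload needs no fragmentation."""
    return IP_HEADER + TCP_HEADER + tcp_payload <= ip_mtu


def build_syn(src_port: int, dst_port: int, mss: int, flags: int = TCP_FLAG_SYN) -> bytes:
    """Constructed TCP header (no IP header) carrying one MSS option (kind 2, len 4)."""
    data_offset_words = (TCP_HEADER + 4) // 4              # 24 bytes -> 6 words
    offset_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port,
                         0, 0,                 # seq, ack
                         offset_flags, 65535,  # offset/flags, window
                         0, 0)                 # checksum, urgent pointer
    return header + struct.pack("!BBH", 2, 4, mss)


def _walk_options(segment):
    """Yield (offset, kind, length) for each TCP option in the header."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # end of option list
            return
        if kind == 1:            # NOP
            i += 1
            continue
        length = segment[i + 1]
        yield i, kind, length
        i += length


def parse_mss(segment: bytes):
    """Return the advertised MSS, or None if the segment has no MSS option."""
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(segment: bytes, max_mss: int) -> bytes:
    """Model of `ip tcp adjust-mss <max_mss>`: on a SYN, lower an MSS option
    that exceeds max_mss. A real forwarder also recomputes the TCP checksum
    (needs the IP pseudo-header); this model leaves that out."""
    flags = struct.unpack_from("!H", segment, 12)[0] & 0x1FF
    if not flags & TCP_FLAG_SYN:
        return segment           # MSS is only negotiated on SYN / SYN-ACK
    seg = bytearray(segment)
    for off, kind, length in _walk_options(seg):
        if kind == 2 and length == 4:
            if struct.unpack_from("!H", seg, off + 2)[0] > max_mss:
                struct.pack_into("!H", seg, off + 2, max_mss)
            break
    return bytes(seg)


def demo() -> dict:
    """LAN host on plain Ethernet advertises MSS 1460; without clamping its
    1500-byte packets exceed the 1492-byte PPPoE MTU, after clamping they fit."""
    ip_mtu = pppoe_ip_mtu()
    clamp = mss_for_mtu(ip_mtu)
    syn = build_syn(51515, 443, 1460)   # constructed sample SYN
    before = parse_mss(syn)
    after = parse_mss(clamp_mss(syn, clamp))
    return {"ip_mtu": ip_mtu, "mss": clamp, "mss_before": before, "mss_after": after,
            "fits_before": fits(ip_mtu, before), "fits_after": fits(ip_mtu, after)}
```

`demo()` returns ip_mtu 1492 and mss 1452, the two numbers in Peter's commands; `mss_for_mtu(1452)` gives 1412, which is what hosts would need if the original `ip mtu 1452` were the real link MTU, and shows why that setting alone leaves 1460-byte segments oversized. Only the MSS option is rewritten; the model does not touch window scaling, SACK or timestamps, and it does not fix the checksum.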

4 Replies


Hi Peter. Thank you for your solution. It worked. I am a bit surprised, because I set up the PPPoE using CCP 2.7 and used all the defaults. I did the same with an 877 router, and the defaults worked fine there. Thanks again for your assistance. Much appreciated.

 

Regards

Andre

Hello Andre,

Truth be told, I have never used nor recommended the SDM or CCP. They generate a lot of cruft and hard-to-read configuration. As an example, the dialer-group 1, dialer-list 1 protocol ip permit, and ppp authentication pap callin commands are useless in your configuration and can be safely removed. They serve no useful purpose on your router as a PPPoE CPE.

On the other hand, I am surprised to see that your Fa0/0.10 and Fa0/0.30 are not configured with the ip nat inside command, and they also do not belong to any security zone. Is that intentional?

Best regards,
Peter

 

 

Hi. I am using the 1841s and a switch in a lab environment at home. I built some HSRP and GLBP scenarios for training purposes. I was using an ASA as my gateway. I decided to switch off the ASA for now. The other 2 sub-interfaces were never set up for access gateways yet. I am building a lab using the 1841 for URL filtering and ZBF policies for a friend of mine. I'll enable the other sub-interfaces for NAT and ZBF soon. But for now it's not required.

 

Thanks again for your assistance.
