Cisco 1841 w DSL-Internet access drops

Status
Not open for further replies.

jolly403

MIS
Jul 5, 2005
Have spent weeks troubleshooting and trying different configurations. Trying to replace a cheapo Efficient Networks DSL modem with a Cisco 1841. Right now have the config stripped down of the more common security aspects for troubleshooting purposes (and since I've been through so many tweaks it's entirely possible something is mixed up now).

Topology is:
internal LAN---switch---Checkpoint FW1---old 3COM Superstack 3300 switch---Cisco 1841 w/ADSL card---internet

DSL circuit plugged directly into Cisco ADSL. Static IP obtained from provider (Frontier Communications).

Goal is to allow internal users internet access and external SMTP in.

Problem is everything works fine for anywhere from 2 hours to two weeks, and then suddenly you can't access the web anymore. From my limited debugging ability, I don't see any problems (arp cache doesn't look too big, cpu history occasionally hits 60-70%, but mostly low, nat translations around 100). Mail is still coming in though.

If I reload the router it comes back up. If I take out the router and put the cheapo Efficient Networks DSL modem back in things work fine for as long as I want. The Checkpoint firewall has been in place for years with no problems. Not sure if it has an impact, but both the Checkpoint and Cisco are performing NAT. Will have to think that through.

Any input is greatly appreciated.
Brian

Parsed config:
!This is the running config of the router: 192.168.200.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 warnings
no logging console
enable secret
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
no ip bootp server
ip domain name xxx.xxxxx
ip name-server dns_server
ip ssh time-out 60
!
!

!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.150.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group sdm_dialer0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx password xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp 192.168.200.2 25 interface Dialer0 25
!
ip access-list extended sdm_dialer0_in
remark SDM_ACL Category=1
permit ip any any
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 10 remark SDM_ACL Category=17
access-list 10 permit 192.168.200.2
access-list 10 permit 192.168.200.232
access-list 10 deny any log
access-list 110 remark natout
access-list 110 remark SDM_ACL Category=2
access-list 110 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CWarning-Unauthorized
banner login ^C
!
line con 0
exec-timeout 15 0
password 7 xxx
login local
line aux 0
exec-timeout 15 0
password 7 xxx
line vty 0 4
access-class 10 in
exec-timeout 15 0
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 10 in
exec-timeout 15 0
privilege level 15
login local
transport input ssh
!
end


 
Anybody got any ideas? I'm stuck on this.

Brian
 
Things I'd check/do in no particular order:

1. Set up syslog to see if any useful log entries are created around the time you lose internet access.
2. Check Cisco Bug Toolkit for bugs that come close to the issue seen.
3. Set up the device on something like MRTG or Concord to help determine if the device is running within acceptable parameters before the issue occurs.
4. All else fails and you suspect the router, log a call with TAC.
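
An added example for point 1 above (not part of the original thread): once the router's messages are collected off-box, this sketch pulls out what was logged in the minutes before an outage. It also shows what a `warnings` threshold, as in the posted `logging buffered 4096 warnings`, would have discarded. It assumes lines in the `service timestamps log datetime msec` format from the posted config; the function names, sample lines and outage time are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Keywords accepted by "logging buffered <size> <level>" and "logging trap <level>".
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Router-generated part of a line under "service timestamps log datetime msec":
# optional '*' or '.' (clock not set or no longer synchronised), then
# "Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text". No year is present.
LINE_RE = re.compile(
    r"(?P<unsynced>[*.])?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")

def parse_line(line, year):
    """Return a dict for one IOS log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return {"time": when, "sev": int(m["sev"]),
            "tag": f"{m['fac']}-{m['sev']}-{m['mnem']}",
            "text": m["text"], "clock_synced": m["unsynced"] is None}

def events_before(lines, outage, minutes, year, level="informational"):
    """Messages of severity <= level logged in the `minutes` before `outage`."""
    start = outage - timedelta(minutes=minutes)
    parsed = (parse_line(line, year) for line in lines)
    return [e for e in parsed
            if e and start <= e["time"] <= outage and e["sev"] <= LEVELS[level]]

# Constructed sample lines and outage time, not taken from the poster's router.
SAMPLE = [
    "Jul  5 09:15:02.101: %SYS-5-CONFIG_I: Configured from console by console",
    "Jul  5 13:58:40.250: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di0",
    "Jul  5 13:58:40.254: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down",
    "Jul  5 13:58:41.254: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down",
    "Jul  5 14:20:00.000: %SYS-5-RESTART: System restarted --",
]
OUTAGE = datetime(2005, 7, 5, 14, 0)

if __name__ == "__main__":
    for level in ("warnings", "informational"):
        tags = [e["tag"] for e in events_before(SAMPLE, OUTAGE, 10, 2005, level)]
        print(f"{level:>13}: {tags}")
```

A buffered log is also lost on reload, which is the recovery step described in the first post, so an off-box collector is what preserves the lines this script reads.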
 
ip address negotiated?????

If static IP I would use that instead of negotiated. Also think I would just let the Cisco do the NAT and not have two appliances performing NAT.

Steps 1 thru 4 as KiscoKid listed would be a great start.
 