RE: Cisco 1841 & Windows Update Error 2


Hel27n
Mar 2, 2005
Hello,

I have recently purchased a new Cisco 1841 Router. I have it set up so that it connects via ADSL to the internet. The computers on my network go through a ProxyServer & the Cisco Router to access the Internet.

All seems to be ok apart from when trying to log on to Hotmail and when running Windows Update.

When running Windows Update an Error 0x800A138F is returned. I thought that the Router may be blocking Port 443 but when I check the Router's 'SDM Default Rules' there already is an entry permitting any source - any destination - dest:443/tcp.

Can anyone help me with this as I am quite lost as to what to do next.
 
Hi Andy,

I have deleted IP NAT from both Dialer4 & FE0/0, and am still presented with the same error, and when trying to log on to Hotmail I get the following message: 'The gateway has lost the connection with the Web site you are trying to access.'

I will go through the config of the network again:-

Internal Network:
IPs: 192.168.9.x & 192.168.10.x
Subnet: 255.255.252.0
Gateway: 192.168.10.x (Proxy's Internal IP)

ProxyServer:
Internal:-
IP: 192.168.10.x
Subnet: 255.255.252.0

External:-
IP: 217.46.x.x
Subnet: 255.255.255.248
Gateway: 217.46.x.x (Router's IP)

Router's FastEthernet0/0:-
IP: 217.46.x.x
Subnet: 255.255.255.248
 
OK. If your default Gateway is the Proxy I assume it must also be routing (is it ISA?). You will therefore need the IP Nat stuff I mentioned in the previous email:

ip access-list standard Internal-Networks
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
ip nat inside source list Internal-Networks interface dialer4

Plus the IP nat inside/outside statements on the FE and dialer interfaces.


I must admit my ADSL configuration is slightly different from yours - I don't have the public IP address on my inside interface on the router, it is configured on the dialer interface (or at least PPP negotiated). Is it worth trying the following:

interface FastEthernet0/0
ip address 192.168.255.1 255.255.255.252
ip nat inside
!
interface Dialer4
ip address 217.46.x.x 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxxxxx
!
ip access-list standard Internal-Networks
permit 192.168.255.0 0.0.0.3
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
ip nat inside source list Internal-Networks interface dialer4
!
ip nat inside source static 192.168.255.2 217.46.x.x (your original Proxy IP address)


Also change the outside interface of your Proxy to be 192.168.255.2/30.

Andy
 
Hi Andy,

I have tried what you suggested and I still have an internet connection (thank God) but still have the same problems with Windows Update & Hotmail. However I do feel that we are much closer to solving the problem.

Would you mind having a look over the configuration as it stands now and see if there is anything else that may need to be changed.
___________________________________________________________
Current configuration : 3477 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxx@xxx.xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxx
!
username administrator privilege 15 secret xxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip tcp synwait-time 10
!
ip ips po max-events 100
no ip bootp server
ip name-server 213.120.62.103
ip name-server 213.120.62.104
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable

interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$INTF-INFO-FE 0$
ip address 192.168.255.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto

no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.6 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer4
description $FW_OUTSIDE$
ip address 217.46.x.x 255.255.255.248
ip mtu 1452

ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer4
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list internal-networks interface Dialer4 overload
ip nat inside source static 192.168.255.2 217.46.x.x
!
ip access-list standard internal-networks
permit 192.168.255.0 0.0.0.3
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
logging trap debugging
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
 
You obviously need to add IP routes to your internal networks via your proxy server's outside address:

ip route 192.168.9.0 255.255.255.0 192.168.255.2
ip route 192.168.10.0 255.255.255.0 192.168.255.2

Apart from that I think you need to start debugging things - it could also be an IOS bug?

Andy
 
Hi Andy,

I shall try this out when I get into work in the morning. I have a few other questions about this config though:

ip nat inside source list internal-networks interface Dialer4 overload
ip nat inside source static 192.168.255.2 217.46.x.x

- What does the 'OVERLOAD' mean on the statement above?
- Why do I need the above static NAT rule if the proxy now has an IP of 192.168.10.63 & 192.168.255.2, and the Router's FE0/0 is 192.168.255.1 (with all m/c's on the network gateway set to 192.168.10.63)?

I should state that the 'ProxyServer' used to have proxy s/w installed but doesn't any more, it runs on Win 2003 with ISA.

Helen.
 
Overload means it will perform NAT/PAT (port address translation) as opposed to just 1-to-1 NAT. With NAT you need a 'real' IP address for each host on the Inside that wants to communicate through the NAT'd interface. With PAT the NAT process changes source UDP/TCP port numbers.

You need to NAT because your Proxy is not on a Publicly reachable IP address. With the static NAT rule ALL IP traffic to the registered IP address of your proxy is NAT'd to the same IP address.

I have the same setup as you (although Win2000 and ISA2000).

Andy
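As an added illustration of Andy's explanation above (this is example code written for this thread, not configuration from the router or anything from Cisco), the following Python models the three translation styles in Helen's two NAT lines: plain dynamic 1-to-1 NAT, PAT ('overload') on the dialer address, and the static 1-to-1 entry for the proxy. The public addresses are constructed from RFC 5737 documentation ranges, not the real ones.

```python
"""Model of dynamic 1-to-1 NAT, PAT ('overload') and static NAT.
Added example, not the thread's or Cisco's code; addresses are constructed
from RFC 5737 documentation ranges."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, outside_ip, overload, pool=(), static=None):
        self.outside_ip = outside_ip        # the dialer's address, shared under overload
        self.overload = overload
        self.pool = list(pool)              # spare public addresses for 1-to-1 dynamic NAT
        self.static = dict(static or {})    # inside_ip -> public_ip, fixed in both directions
        self.dynamic = {}                   # inside_ip -> public_ip handed out from the pool
        self.pat_by_inside = {}             # (inside_ip, inside_port) -> translated port
        self.pat_by_port = {}               # translated port -> (inside_ip, inside_port)
        self._next_port = count(1024)

    def outbound(self, flow):
        """Translate a packet leaving the inside network; None means it cannot be sent."""
        if flow.src_ip in self.static:
            # Static NAT: the proxy always appears as one fixed public address, ports untouched.
            return Flow(self.static[flow.src_ip], flow.src_port, flow.dst_ip, flow.dst_port)
        if self.overload:
            # PAT: every inside host shares the dialer address; the rewritten source
            # port is what lets replies be matched back to the right host.
            inside = (flow.src_ip, flow.src_port)
            port = self.pat_by_inside.get(inside)
            if port is None:
                port = next(self._next_port)
                self.pat_by_inside[inside] = port
                self.pat_by_port[port] = inside
            return Flow(self.outside_ip, port, flow.dst_ip, flow.dst_port)
        # Plain 1-to-1 NAT: each inside host needs its own public address.
        public = self.dynamic.get(flow.src_ip)
        if public is None:
            if not self.pool:
                return None                 # pool exhausted: this host cannot get out
            public = self.pool.pop(0)
            self.dynamic[flow.src_ip] = public
        return Flow(public, flow.src_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Translate a packet arriving from the outside; None means no state, so it is dropped."""
        for inside_ip, public in self.static.items():
            if flow.dst_ip == public:       # static entry: ALL traffic to that address goes inside
                return Flow(flow.src_ip, flow.src_port, inside_ip, flow.dst_port)
        if self.overload:
            if flow.dst_ip != self.outside_ip:
                return None
            inside = self.pat_by_port.get(flow.dst_port)
            if inside is None:
                return None                 # nobody asked for this: no translation, dropped
            return Flow(flow.src_ip, flow.src_port, inside[0], inside[1])
        for inside_ip, public in self.dynamic.items():
            if flow.dst_ip == public:
                return Flow(flow.src_ip, flow.src_port, inside_ip, flow.dst_port)
        return None


def demo():
    """Three inside hosts behind one spare address: 1-to-1 NAT strands two of them, PAT does not."""
    hosts = ["192.168.9.10", "192.168.10.20", "192.168.10.21"]       # constructed inside hosts
    web_ip, web_port = "203.0.113.5", 443                            # constructed web server
    plain = Nat("198.51.100.2", overload=False, pool=["198.51.100.3"])
    plain_ok = [plain.outbound(Flow(h, 40000, web_ip, web_port)) is not None for h in hosts]

    pat = Nat("198.51.100.2", overload=True, static={"192.168.255.2": "198.51.100.4"})
    out = [pat.outbound(Flow(h, 40000, web_ip, web_port)) for h in hosts]
    # The web server's reply to the second host returns to the dialer address and translated port.
    reply = pat.inbound(Flow(web_ip, web_port, out[1].src_ip, out[1].src_port))
    proxy = pat.outbound(Flow("192.168.255.2", 40000, web_ip, web_port))
    unsolicited = pat.inbound(Flow(web_ip, web_port, "198.51.100.2", 5555))
    return plain_ok, out, reply, proxy, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two points the model makes visible: under PAT an inbound packet with no matching translation is simply dropped, which is why overload alone hides the inside hosts, whereas the static entry forwards everything sent to the proxy's public address, so the proxy itself has to rely on the router's access lists (the SDM rules Helen asks about later) rather than on NAT for protection.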
 
the ip tcp adjust-mss 1452
needs to be on your dialer ... not your fast e
try it again
 
Another thing to try would be to remove the 'IP unreachables' from your fastethernet interface in case there is an MTU mismatch and you are not being informed about this due to ICMP unreachables.

Andy
 
Hi Andy & 'plshlpme',

I have made the changes and still the same error. Can you check this again for me please?

Current configuration : 3821 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxx@xxx.xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxx
!
username administrator privilege 15 secret xxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip tcp synwait-time 10
ip ips po max-events 100
no ip bootp server
ip name-server 213.120.62.103
ip name-server 213.120.62.104
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$INTF-INFO-FE 0$
ip address 192.168.255.1 255.255.255.252
ip access-group sdm_fastethernet0/0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.6 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer4
description $FW_OUTSIDE$
ip address 217.46.156.182 255.255.255.248
ip access-group sdm_dialer4_in in
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer4
ip route 192.168.9.0 255.255.255.0 192.168.255.2
ip route 192.168.10.0 255.255.255.0 192.168.255.2
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list internal-networks interface Dialer4 overload
ip nat inside source static 192.168.255.2 217.46.156.178
!
ip access-list standard internal-networks
permit 192.168.255.0 0.0.0.3
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
ip access-list extended sdm_dialer4_in
remark SDM_ACL Category=1
permit tcp any any
permit ip any any
ip access-list extended sdm_fastethernet0/0_in
remark SDM_ACL Category=1
permit ip any any
permit tcp any any
!
logging trap debugging
dialer-list 1 protocol ip permit
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 4000 1000
end
 
Hi

Try removing 'no ip unreachables' from the FE interface in case there is an MTU issue and this isn't getting back to the client. That is all I can see, apart from making sure the time on your Windows machines is correct?

After that I am afraid it would be debugging time.

Andy
 
you have a slight prob with your mtu setting and the tcp adjust-mss settings on your dialer.... it should be like this:
the reason I'm pushing this option is because i have dsl and am using a 2514 router and had the same problem. with the mtu set i was good to many sites but i couldn't connect with msn messenger, or go to hotmail, or to my online banking. once i found this tcp adjust-mss and put it in i was good to go to every site.

so adjust your dialer as follows....
and let us know if it's helped.


interface Dialer4
description $FW_OUTSIDE$
ip address 217.46.156.182 255.255.255.248
ip access-group sdm_dialer4_in in
ip mtu 1492
ip tcp adjust-mss 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxxxxx
 
Hi Andy & plshlpme,

I have great news, I have eventually got the Router working correctly, Windows Update (working perfectly with Win 2k but still some problems with Win XP Pro) and hotmail, fantastic!

I haven't tried the above post from 'plshlpme' but if I continue to have trouble I shall look into this.

I would really like to thank you guys for all your help as I was really getting in a desperate state. You all really know your stuff.

I would now like to ensure that I have adequate firewall settings in place (I have only used the default SDM rules at present), would any of you be able to tell me the best resources / URLs for doing so?

Thanks again,

Helen.
 
Hello Andy & Plshlpme,

I hope you guys are still around. My Router was working perfectly before the Easter Holidays. When I returned on Monday I found that I can't connect to Windows Update or Hotmail again. No Settings were changed so I am not sure what has happened.

Perhaps you could have a look to see if you can see anything that may be causing the problem?

Current configuration : 3573 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX@XXX.XXX
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret XXXXX
!
username administrator privilege
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip tcp synwait-time 10
!
ip ips po max-events 100
no ip bootp server
ip name-server 213.120.62.103
ip name-server 213.120.62.104
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
interface FastEthernet0/0
description $FW_INSIDE
ip address 192.168.255.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.6 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer4
description $FW_OUTSIDE$
ip address 217.46.X.X 255.255.255.248
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXX@XXX.XXX
ppp chap password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer4
ip route 192.168.9.0 255.255.255.0 192.168.255.2
ip route 192.168.10.0 255.255.255.0 192.168.255.2
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list internal-networks interface Dialer4 overload
ip nat inside source static 192.168.255.2 217.46.X.X
!
ip access-list standard internal-networks
permit 192.168.255.0 0.0.0.3
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
logging trap debugging
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 4000 1000
end

Thanks,

Helen.
 
the only thing that i see that could be changed is the mtu on your interfaces..
on the dialer you can make it ip mtu 1492

and you don't need ip tcp adjust-mss 1452 on the fast e interface.

other than that it looks ok to me.
have you shut / no shut on the dialer interface, maybe to give it a kick?
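The MTU / MSS advice in plshlpme's two posts and Andy's point about ICMP unreachables come down to one mechanism, shown here as an added Python example (not configuration or code from the thread, and not Cisco's implementation): with PPPoE the 8 bytes of PPPoE/PPP overhead leave an IP MTU of 1492, so a host that negotiates the usual Ethernet MSS of 1460 builds 1500-byte segments that do not fit the dialer; if 'no ip unreachables' suppresses the ICMP "fragmentation needed" message, the host never learns this and large responses such as Hotmail and Windows Update pages silently stall. Rewriting the MSS option in the SYN (what 'ip tcp adjust-mss 1452' does) avoids depending on that ICMP path at all. The addresses and ports below are constructed for the example.

```python
"""MSS clamping as a router does it with 'ip tcp adjust-mss': rewrite the MSS
option in TCP SYN segments so hosts never build packets larger than the PPPoE
link carries. Added example, not the thread's configuration or Cisco's code;
addresses and ports are constructed."""
import struct

LINK_MTU = 1500          # Ethernet payload size on the DSL side
PPPOE_OVERHEAD = 8       # PPPoE header (6) + PPP protocol field (2)
IPV4_TCP_HEADERS = 40    # minimal IPv4 (20) + TCP (20) headers, no options


def pppoe_tcp_mss(link_mtu=LINK_MTU):
    """Return (ip_mtu, mss) for a PPPoE dialer: 1500 -> (1492, 1452)."""
    ip_mtu = link_mtu - PPPOE_OVERHEAD
    return ip_mtu, ip_mtu - IPV4_TCP_HEADERS


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header and the segment."""
    data = _ip_bytes(src_ip) + _ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(src_ip, dst_ip, segment):
    """A segment with a correct checksum sums to zero when the field itself is included."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def _set_checksum(src_ip, dst_ip, segment):
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + segment[18:]


def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Construct a SYN carrying MSS, two NOPs and SACK-permitted (8 option bytes)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + bytes([4, 2])
    data_offset = 5 + len(options) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return _set_checksum(src_ip, dst_ip, header + options)


def iter_options(segment):
    """Yield (kind, absolute_offset, length) for each TCP option; reject malformed lengths."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                         # End of Option List
            return
        if kind == 1:                         # NOP is a single byte with no length field
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > end:    # a zero/one length would loop forever, so refuse it
            raise ValueError("malformed TCP option at offset %d" % i)
        yield kind, i, length
        i += length


def parse_mss(segment):
    for kind, offset, length in iter_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[offset + 2:offset + 4])[0]
    return None


def clamp_mss(segment, src_ip, dst_ip, max_mss):
    """Lower an over-sized MSS in a SYN and fix the checksum; other segments pass unchanged."""
    if not segment[13] & 0x02:               # MSS is only negotiated on SYN segments
        return segment
    for kind, offset, length in iter_options(segment):
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", segment[offset + 2:offset + 4])[0]
            if mss <= max_mss:
                return segment
            patched = segment[:offset + 2] + struct.pack("!H", max_mss) + segment[offset + 4:]
            return _set_checksum(src_ip, dst_ip, patched)
    return segment


def demo():
    """Clamp a SYN that asks for an Ethernet-sized MSS down to the PPPoE-safe value."""
    src, dst = "192.168.9.10", "203.0.113.5"         # constructed inside host and web server
    syn = build_syn(src, dst, 40000, 443, 1460)
    ip_mtu, mss = pppoe_tcp_mss()
    clamped = clamp_mss(syn, src, dst, mss)
    return ip_mtu, parse_mss(syn), parse_mss(clamped), verify_checksum(src, dst, clamped)


if __name__ == "__main__":
    print(demo())   # (1492, 1460, 1452, True)
```

The clamp belongs on the dialer because that is the interface whose MTU is the bottleneck; putting it on FastEthernet0/0 as well changes nothing for traffic that already passes the dialer. Keeping ICMP unreachables enabled on the inside interface remains worthwhile for non-TCP traffic, which MSS clamping cannot help.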
 