I'm hoping you guys could help me with a setup I am currently working on. Hoping this will spark up a really interesting thread.
NET--------2WIRE (U-verse)----------C1800 (12.4)/VPN(NAT/PAT)--------LAN-----------PC’s/U-verse receivers
With the current setup, I am able to bridge the RG (Residential Gateway's) IP to the external interface of my router and host external services that are accessible from the web. The problem I'm having is trying to get the U-verse receivers to play video. When the box is initially turned on, or the channel is changed, I receive 10+ seconds of video and then nothing. What I believe is happening is that the initial channel setup is coming in as unicast, then multicast after that. I think the router is not passing the multicast traffic to the receivers behind the router.
If I attach the receivers directly to the gateway, they work without any issue.
I tried enabling PIM (sparse-mode) on the WAN and VLAN interfaces but that didn't do anything.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname WAN_GW
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network vpn_group_ml_2 local
!
!
aaa session-id common
memory-size iomem 5
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2369645874
enrollment selfsigned
serial-number
subject-name cn=IOS-Self-Signed-Certificate-2369645874
revocation-check none
rsakeypair TP-self-signed-2369645874
!
!
crypto pki certificate chain TP-self-signed-2369645874
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333639 36343538 3734301E 170D3131 30313232 30313535
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33363936
34353837 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009F7D 5F1E3513 5339E889 20449970 AB66CD32 B745148B D5717358 7DAB8108
808FD4FF FAAFF822 5428EE11 D14A062B 1643BA90 FC3C6DC4 6FF4FFB9 B7B8EADA
quit
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool LAN
utilization mark high 10 log
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 209.18.47.62 209.18.47.61
!
ip dhcp pool iPhone
host 10.0.10.200 255.255.255.0
hardware-address 6033.4bfa.9d2a
client-name iPhone
!
!
ip cef
no ip bootp server
ip name-server 209.18.47.62
ip name-server 209.18.47.61
ip inspect log drop-pkt
ip inspect name fw_rule http
ip inspect name fw_rule https
ip inspect name fw_rule smtp
ip inspect name fw_rule pop3
ip inspect name fw_rule dns
ip inspect name fw_rule h323
ip inspect name fw_rule netshow
ip inspect name fw_rule rcmd
ip inspect name fw_rule tcp timeout 30
ip inspect name fw_rule udp timeout 15
ip inspect name fw_rule icmp
ip inspect name fw_rule rtsp
ip inspect name fw_rule bittorrent
ip ddns update method DYNDNS
HTTP
add xxxxxxxxxxxxxxxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>
interval maximum 0 1 0 0
!
no ipv6 cef
ntp source FastEthernet1
!
multilink bundle-name authenticated
!
password encryption aes
!
!
username mg privilege 15 secret
!
crypto logging ezvpn
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp client configuration address-pool local REMOTE
!
crypto isakmp client configuration group RAS
key xxxxxxxxxx
dns 209.18.47.62 209.18.47.61
pool REMOTE
acl 103
save-password
netmask 255.255.255.0
banner ^CCMG LAN ^C
crypto isakmp profile MG
match identity group RAS
client authentication list vpn_xauth_ml_2
isakmp authorization list vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-IPSEC
set transform-set VPN
set isakmp-profile MG
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
description SSL VPN
ip address 172.5.0.1 255.255.255.0
!
interface Loopback1
description REMOTE VPN
ip address 172.10.10.1 255.255.255.0
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxxxxxxxxxxxxxx
ip ddns update DYNDNS
ip address dhcp
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-IPSEC
!
interface Vlan1
description $FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool REMOTE 172.10.10.2 172.10.10.10
ip local pool SSLVPN 172.5.0.2 172.5.0.5
ip forward-protocol nd
ip http server
ip http access-class 2
ip http secure-server
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 30
!
ip nat inside source static tcp 172.5.0.1 443 interface FastEthernet1 443
ip nat inside source static tcp 172.5.0.1 80 interface FastEthernet1 80
ip nat inside source static tcp 10.0.10.5 5354 interface FastEthernet1 5354
ip nat inside source static udp 10.0.10.5 5353 interface FastEthernet1 5353
ip nat inside source static tcp 10.0.10.5 9969 interface FastEthernet1 9969
ip nat inside source static tcp 10.0.10.5 5900 interface FastEthernet1 5900
ip nat inside source static udp 10.0.10.5 5900 interface FastEthernet1 5900
ip nat inside source static udp 10.0.10.5 3283 interface FastEthernet1 3283
ip nat inside source static tcp 10.0.10.5 3283 interface FastEthernet1 3283
ip nat inside source static tcp 10.0.10.5 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.10.20 5001 interface FastEthernet1 5001
ip nat inside source route-map rmap_nat interface FastEthernet1 overload
!
ip access-list standard internal_net
permit 10.0.0.0 0.0.0.255
!
ip access-list extended nat_acl
deny ip 10.0.10.0 0.0.0.255 172.10.10.0 0.0.0.255
permit ip 10.0.10.0 0.0.0.255 any
ip access-list extended outside
permit tcp any any established
permit tcp any any eq 22
permit tcp any any eq 9969
permit udp host 216.136.156.75 eq 12000 any
permit tcp any any eq 443
permit tcp any any eq 5900
permit tcp any any eq 1723
permit udp any any eq 3283
permit tcp any any eq 5354
permit tcp any any eq 123
permit udp any any eq 5353
permit udp any any eq ntp
permit udp any eq ntp any
permit gre any any
permit udp any eq 3074 any
permit tcp any eq 3074 any
permit udp any any eq 3074
permit tcp any any eq 5001
permit udp any any eq 5001
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any eq domain any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
deny ip any any log
!
access-list 103 permit ip 10.0.10.0 0.0.0.255 172.10.10.0 0.0.0.255
!
!
!
!
route-map rmap_nat permit 10
match ip address nat_acl
!
!
!
control-plane
!
banner login
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
webvpn gateway SSL_GATEWAY
ip address 172.5.0.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2369645874
logging enable
inservice
!
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
login-message "Welcome to My VPN"
!
policy group SSLPolicy
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy SSLPolicy
aaa authentication list vpn_xauth_ml_1
gateway SSL_GATEWAY domain
max-users 10
inservice
!
CCNA, CCNP, Sec+
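Added example, not part of the post above: a small checker that parses an IOS running-config (indentation optional, so it works on a paste like the one above) and reports which prerequisites for forwarding multicast from the WAN interface to the LAN interface are absent. The excerpt it runs on is taken from the posted config (interface names FastEthernet1 and Vlan1, the ACL named outside); the list of checks is this script's own assumption of what to look at first: `ip multicast-routing` globally, an `ip pim` mode on both interfaces, and whether the ACL applied inbound on the WAN side ever permits IGMP or UDP to 224.0.0.0/4 before its final `deny ip any any log`. The "fixed" excerpt is only what the checker considers sufficient, not a verified fix for U-verse; in particular, sparse-mode also needs a rendezvous point, which the script does not look for.

```python
"""Check an IOS config for the basics needed to pass multicast WAN -> LAN.
Constructed example for the thread; the config excerpts are trimmed copies
of the posted config and a hypothetical corrected version of it."""
import ipaddress
import re
from dataclasses import dataclass, field

MCAST = ipaddress.ip_network("224.0.0.0/4")
PORT_KEYWORDS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


@dataclass
class IosConfig:
    global_cmds: list = field(default_factory=list)
    interfaces: dict = field(default_factory=dict)  # name -> [sub-commands]
    acls: dict = field(default_factory=dict)        # name -> [ACE lines]


def parse_ios(text):
    """Split a running-config into global commands, interface blocks and named
    ACLs. Indentation is ignored; a '!' line ends the current block, as in IOS."""
    cfg = IosConfig()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = cfg.interfaces.setdefault(m.group(1), [])
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            current = cfg.acls.setdefault(m.group(1), [])
            continue
        (cfg.global_cmds if current is None else current).append(line)
    return cfg


@dataclass
class AclEntry:
    action: str
    proto: str
    src: object        # "any" or an ip_network
    dst: object
    src_port: object   # None or the port qualifier tokens
    dst_port: object


def _addr(tok, i):
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # 'network wildcard'; ipaddress accepts the wildcard as a host mask
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] in PORT_KEYWORDS:
        n = PORT_KEYWORDS[tok[i]]
        return tuple(tok[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_acl_entry(line):
    """Parse one ACE of the form 'action proto src [port] dst [port] ...';
    a standard-ACL entry ('permit 10.0.0.0 0.0.0.255') is read as 'ip src any'.
    Unparseable lines (remarks, exotic syntax) return None."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        return None
    try:
        if tok[1] in ("any", "host") or tok[1][0].isdigit():
            src, _ = _addr(tok, 1)
            return AclEntry(tok[0], "ip", src, "any", None, None)
        src, i = _addr(tok, 2)
        sp, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dp, i = _port(tok, i)
        return AclEntry(tok[0], tok[1], src, dst, sp, dp)
    except (IndexError, ValueError):
        return None


def acl_allows_multicast(entries, proto):
    """First-match evaluation: does the ACL pass *proto* (or 'ip') to the whole
    224.0.0.0/4 range without a port restriction, i.e. the shape of an IPTV
    stream or an IGMP query? Port-qualified entries never count."""
    for e in entries:
        if e.proto not in ("ip", proto) or e.src_port or e.dst_port:
            continue
        if e.dst == "any" or MCAST.subnet_of(e.dst):
            return e.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def multicast_findings(cfg, wan, lan):
    """List the missing prerequisites for forwarding multicast from wan to lan.
    An empty list means the config passes these (deliberately basic) checks."""
    out = []
    if not any(c.startswith("ip multicast-routing") for c in cfg.global_cmds):
        out.append("global: 'ip multicast-routing' is not enabled")
    for name in (wan, lan):
        if not any(c.startswith("ip pim ") for c in cfg.interfaces.get(name, [])):
            out.append(f"{name}: no 'ip pim' mode on the interface")
    acl_name = None
    for c in cfg.interfaces.get(wan, []):
        m = re.match(r"ip access-group (\S+) in$", c)
        if m:
            acl_name = m.group(1)
    if acl_name:
        entries = [e for e in map(parse_acl_entry, cfg.acls.get(acl_name, [])) if e]
        if not acl_allows_multicast(entries, "igmp"):
            out.append(f"ACL {acl_name}: inbound IGMP is not permitted")
        if not acl_allows_multicast(entries, "udp"):
            out.append(f"ACL {acl_name}: inbound UDP to 224.0.0.0/4 is not permitted")
    return out


# Trimmed copy of the posted config (indentation restored).
POSTED_EXCERPT = """
ip cef
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group outside in
 ip nat outside
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
!
ip access-list extended outside
 permit tcp any any established
 permit udp host 216.136.156.75 eq 12000 any
 permit udp any any eq 5001
 permit udp any eq domain any
 permit udp any any eq isakmp
 permit esp any any
 deny ip any any log
!
"""

# Hypothetical corrected excerpt: what the checker considers sufficient.
FIXED_EXCERPT = """
ip multicast-routing
!
interface FastEthernet1
 ip address dhcp
 ip access-group outside in
 ip pim sparse-mode
!
interface Vlan1
 ip address 10.0.10.1 255.255.255.0
 ip pim sparse-mode
!
ip access-list extended outside
 permit tcp any any established
 permit igmp any any
 permit udp any 224.0.0.0 15.255.255.255
 deny ip any any log
!
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_EXCERPT), ("fixed", FIXED_EXCERPT)):
        findings = multicast_findings(parse_ios(text), "FastEthernet1", "Vlan1")
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script it prints five findings for the posted excerpt and none for the corrected one; the ACL check is the one worth keeping in mind even once multicast routing is turned on, because an inbound ACL that ends in `deny ip any any log` will drop both the IGMP queries from the gateway and the UDP stream itself unless something above that line covers 224.0.0.0/4.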