Cisco SOHO 91 Problem 1

rodneyws, Apr 5, 2005
My employer has a VPN setup that connects a remote clinic to the hospital where I work. The VPN tunnel (SOHO 91 to PIX 506e) is active and client PCs can ping from the clinic to the hospital and vice versa. Connectivity (via a DSL connection) is stable and the clinic is able to access the hospital's clinical system through the VPN. However, the clinic is unable to access the internet through its SOHO 91. Any input or suggestions on how to enable internet access at the clinic would be greatly appreciated.

Here is the running config from the SOHO 91:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Warwick
!
no logging buffered
enable secret 5 DELETED
!
username admin privilege 15 password 7 DELETED
no aaa new-model
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
!
crypto isakmp policy 12
hash md5
authentication pre-share
crypto isakmp key 0 DELETED address 65.168.125.109
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 1 ipsec-isakmp
set peer 65.168.125.109
set transform-set sharks
match address 120
!
!
!
!
interface Tunnel0
no ip address
!
interface Ethernet0
ip address 10.6.0.1 255.255.255.0
ip nat inside
no ip route-cache
ip tcp adjust-mss 1348
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address 209.164.236.244 255.255.255.224
ip nat outside
duplex auto
no cdp enable
crypto map nolan
!
ip nat pool branch 209.164.236.244 209.164.236.244 netmask 255.255.255.224
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 10.1.0.0 255.255.0.0 65.168.125.109
ip http server
no ip http secure-server
!
access-list 23 permit 10.6.0.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 120 permit ip 10.6.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 deny ip 10.6.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 permit ip 10.6.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

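The posted config relies on two access lists working together: ACL 130 (through route-map nonat) decides which LAN traffic is NAT-overloaded onto Ethernet1, and ACL 120 (through crypto map nolan) decides which traffic is encrypted to the PIX. The following Python script is an added example, not code from the thread or from Cisco; it re-implements the wildcard-mask matching, the route-map decision and the static routes from the config above so the outbound path of a constructed packet can be checked offline. The sample source and destination addresses, and the "broken" variant of ACL 130, are constructed for illustration.

```python
# Added example, not part of the Tek-Tips thread: evaluates the wildcard-mask
# ACLs, the NAT route-map and the static routes from the SOHO 91 config above.
# Packet addresses and the ACL_130_BROKEN variant below are constructed.
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


# Entries copied from the posted config: (action, src, src_wc, dst, dst_wc).
ACL_120 = [  # crypto map nolan: traffic that must be encrypted to the PIX
    ("permit", "10.6.0.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),
]
ACL_130 = [  # route-map nonat: traffic that is NAT-overloaded on Ethernet1
    ("deny", "10.6.0.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),
    ("permit", "10.6.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
# Constructed variant: the same list without the deny line for the VPN subnet.
ACL_130_BROKEN = ACL_130[1:]

# Static routes as they stand after the fix discussed in the thread.
ROUTES = {
    IPv4Network("10.1.0.0/16"): "65.168.125.109",
    IPv4Network("0.0.0.0/0"): "209.164.236.225",
}
OUTSIDE_IP = "209.164.236.244"  # Ethernet1, the NAT overload address


def acl_result(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def next_hop(dst: str) -> str:
    """Longest-prefix match over the static routes."""
    addr = IPv4Address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def classify(src: str, dst: str, nat_acl=ACL_130) -> str:
    """Outbound path of a LAN packet leaving Ethernet0 toward Ethernet1.

    IOS translates inside-to-outside before it evaluates the crypto map, so a
    packet the route-map lets NAT reaches the crypto ACL with the outside
    address as its source and can no longer match ACL 120.
    """
    nat = acl_result(nat_acl, src, dst) == "permit"
    crypto_src = OUTSIDE_IP if nat else src
    if acl_result(ACL_120, crypto_src, dst) == "permit":
        return "ipsec-tunnel"
    if nat:
        return "nat-internet"
    return "unhandled"


if __name__ == "__main__":
    for src, dst in [("10.6.0.10", "10.1.5.20"), ("10.6.0.10", "66.94.230.50")]:
        print(f"{src} -> {dst}: {classify(src, dst)}, next hop {next_hop(dst)}")
    # Without the deny line, hospital-bound traffic is NATed and leaves in
    # the clear instead of being encrypted: the reason that line exists.
    print("without nonat deny:", classify("10.6.0.10", "10.1.5.20", ACL_130_BROKEN))
```

The "broken" variant is the check worth keeping in mind when editing this kind of config: removing the deny line from ACL 130 does not break connectivity visibly, it silently sends traffic for 10.1.x.x out through NAT in cleartext instead of through the tunnel.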
 
OK....first thing I would change is:
Delete: ip route 0.0.0.0 0.0.0.0 ethernet1
Add: ip route 0.0.0.0 0.0.0.0 209.164.236.XXX
XXX is next hop router. Always use IP address for default route whenever possible. Make change and post results.
 
The moment I delete "ip route 0.0.0.0 0.0.0.0 Ethernet1" I will lose connectivity to the router so any changes after that will require some travel time to the remote site.

When you say "XXX is the next hop router" would that be 209.164.236.225 (the IP of the ISP-provided router/modem)?
 
I added the route statement you provided and removed the route statement referencing Ethernet1. The two route statements now look like this in the running-config:

ip route 0.0.0.0 0.0.0.0 209.164.236.225
ip route 10.1.0.0 255.255.0.0 65.168.125.109

I have connectivity to the site, but I'm still unable to access the internet from there. From the SOHO 91 router when I type "ping it resolves the IP but cannot reach Yahoo.

Warwick#ping Translating " server (255.255.255.255) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.94.230.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Other sites of ours have a fairly similar setup but do not experience this problem. What makes this location different is that this particular ISP requires the use of their "modem" that is in fact a router (209.164.236.225). All other locations have a SOHO 91 connected to a DSL modem... at those locations the SOHO 91 handles the PPPOE authentication... at this location, the "modem" handles the PPPOE authentication. 209.164.236.244 is the static IP that was assigned to us.

Any additional insight would be greatly appreciated. Thanks.
 
Your config looks pretty good....is it possible that they have their router setup to do nat as well. Check config on ISP router to see if their setup is interfering with yours.
 
Thank you for the quick response. I guess I'll have to go to that site and see if the ISP's equipment has some sort of GUI that I can access.
 
You do not need to go there.....most all ISP provided routers can be telnetted into...just need username and password from ISP for access. They usually leave telnet access on for support reasons. Just telnet to IP address and you're set.
 
I am curious about the following statement:
ip nat pool branch 209.164.236.244 209.164.236.244 netmask 255.255.255.224
Not quite sure about this....
 
You might look into a program called Dameware mini remote. I use it for support to 4 locations. It will allow you to remote control PCs from your desktop thus eliminating the need to travel there. It has a low cost and is easy to deploy to remote workstations.
 
I was able to initiate a telnet session, but I've been unable to locate online the default username and password for a Paradyne Hotwire ReachDSL Modem - Model 6350.

The other ISPs in this area have allowed us to use actual modems with our equipment, but this one location only has one broadband provider and they're really making our lives difficult by requiring us to use their equipment.
 
Hello....
You will need to contact your ISP for the password. I found that both the username and password are Admin (case sens) which they have changed. Before we do that can you answer something for me?
What is: ip nat pool branch 209.164.236.244 209.164.236.244 netmask 255.255.255.224
I do not believe this needs to be there as you have the overload statement doing the nat on outside interface.
After thinking on this one I do not think that their router is doing nat as your VPN would not function if they were. Still would be good to have the username and password for that device so that you can troubleshoot it.
Also I do not know why you would need the following on ethernet0 ip tcp adjust-mss 1348. (Sets maximum segment size).
 
I found Admin/Admin probably the same time you did and that was promptly rejected by the modem/router. As far as your questions go...

1 router was configured for this hospital by a 3rd party company and we've used that configuration as a template for all future locations going live on our VPN. This has worked great at all other locations that use a simple DSL modem. This site's ISP requires us to use their equipment and it's a bit more robust.

So the "ip nat pool branch" command was not placed there by me and to be perfectly honest, I'm not sure why it's there. The same applies for the maximum segment size. I get the impression that the CCNP that set up this whole mess was just a paper CCNP so to speak.

Yes, our VPN is functional at that site... additionally, I can run the Cisco GUI there and it'll auto-detect their internet connection and grant the users internet access. However, I have not been able to convince the internet and VPN to work at the same time for this particular site. We're not trying to funnel internet traffic through the VPN to this location... all we want is for traffic to 10.1.X.X to come down the VPN tunnel and anything else to go out to the internet. It seems so simple... and yet, it's not.
 
Can you remove those two statements and test?
 
After this lets explore the PC side. Do a ping to 206.163.82.4 from PC. This is a public DNS server and should be able to contact it. Then ping and see if the PC is resolving the name to physical address.
 
I had to call the remote site today for an unrelated issue and the worker at that site casually says "By the way, our internet is working now... thanks!" The only (and I can't stress ONLY enough) change that was made was the single route statement.

ip route 0.0.0.0 0.0.0.0 209.164.236.225

The reason I was under the impression this did not work was because of the method used to test it... instead of calling the remote location and asking them to test it, I telnetted into the SOHO 91 and pinged That test works at all of the other remote sites, but it failed at this site so I logically (and erroneously) concluded the internet was still not functioning for the client PCs at that site. It is working for them now.

I really believe that one changed route statement was the solution to this whole mess. You have NO idea how much I appreciate this... I'm sure it's painfully obvious my level of experience with Cisco routers, but in my defense this is the first job that has given me hands on experience. My next problem will hopefully be more complex/advanced. Thanks again for your time.
 
No problem....take a look at the Dameware program I mentioned in previous post......will give you the ability to control remote machines for troubleshooting and IT support issues.
 
Long-term it appears this hospital is at least giving some thought to moving to Citrix as well as WinTerms. We just got in 3 for testing/evaluation (Wyse WinTerm 9150SE) and it seems pretty promising. The reason I mention this is because these devices come preloaded with VNC and that's probably what we'll be using to support users going forward.

Again, thanks! Now I have configuration templates for both types of connections and should be able to finish bringing sites online in a timely manner.

So what benefit do you receive from helping people online? Honing your Cisco skills for some high-level exam?
 
Studying for my CCNP and it is good practice for the Cisco Internetwork Troubleshooting portion. Also have had problems myself and figure a little payback is in order.
 