
MSR 2003 - NAT - ADSL - NAT not working

  • 1.  MSR 2003 - NAT - ADSL - NAT not working

    EMPLOYEE
    Posted Jan 24, 2017 11:42 AM

    Hi, 

    I have an MSR2003 using an ADSL SIC connected to Verizon DSL and I have got PPPoE to work, but it seems like I can only get to some http/https sites.  FTP outbound seems to work with the ASPF policy.  Here is my config below. Any tips would be great.  Thanks.

    I can ping www.google.com and other sites with no problem from router or client running on the 192.168.3.0 network.

    -using NAT PAT (dynamic IP on dial0 interface)
    -ACL 2000 to use NAT
    -ASPF policy 1 for outbound 
    -ACL 3000 to filter inbound from internet

    Log of NAT session

    *Jan 23 15:11:29:109 2017 nkpa-r1 NAT/7/COMMON:
    PACKET: (Dialer0-out) Protocol: TCP
    192.168.3.50:37192 - 107.23.165.43: 443(VPN: 0) ------>
    108.32.26.102: 1582 - 107.23.165.43: 443(VPN: 0)
    *Jan 23 15:11:29:157 2017 nkpa-r1 NAT/7/COMMON:
    PACKET: (Dialer0-in) Protocol: TCP
    107.23.165.43: 443 - 108.32.26.102: 1582(VPN: 0) ------>
    107.23.165.43: 443 - 192.168.3.50:37192(VPN: 0)

    Current Config

    show current-configuration
    # NOTE(review): running configuration as posted. Lines starting with '#' are section
    # separators in Comware output and are treated as comments when a config is loaded
    # (verify for this release before pasting this back); the review notes below use the
    # same prefix.
    #
    version 7.1.064, Release 0411
    #
    sysname nkpa-r1
    #
    clock timezone EST minus 05:00:00
    clock protocol ntp
    #
    # ASPF policy 1 is applied outbound on Dialer0 (see the interface below); return
    # traffic for LAN-initiated sessions is expected to be admitted even where the
    # inbound packet-filter (ACL 3000) would deny it - confirm against the ASPF docs
    # for this release.
    aspf policy 1
    detect dns
    detect ftp
    detect http
    detect smtp
    icmp-error drop
    tcp syn-check
    #
    dialer-group 1 rule ip permit
    #
    undo ip fast-forwarding load-sharing
    #
    dhcp enable
    #
    # DNS proxy answers for LAN clients (the DHCP pool hands out 192.168.3.1 as dns-list)
    # and forwards via Dialer0 to the two Verizon resolvers below.
    dns proxy enable
    dns source-interface Dialer0
    dns server 71.252.0.14
    dns server 71.250.0.14
    #
    password-recovery enable
    #
    vlan 1
    name core
    #
    vlan 2
    name home
    #
    vlan 3
    name guest
    #
    dhcp server ip-pool guest
    gateway-list 192.168.3.1
    network 192.168.3.0 mask 255.255.255.0
    address range 192.168.3.50 192.168.3.60
    dns-list 192.168.3.1
    #
    controller Cellular0/0
    #
    interface Aux0
    #
    # Dialer0 is the PPPoE WAN interface. As posted it carries no MTU/MSS adjustment;
    # the follow-up reply adds 'mtu 1492' and 'tcp mss 1452' here, which is what fixed
    # the partial-reachability symptom (PPPoE encapsulation leaves 1492 bytes for IP).
    interface Dialer0
    ppp chap password cipher $c$3$SzZIw11kCnsraIP7J/y3vEyyCrO6GgalkCF0XesGvQ==
    # NOTE(review): the CHAP secret above is stored in 'cipher' form (reversible, unlike
    # the 'hash' form used for the local-user below) because CHAP needs the cleartext on
    # the device. The full string is in a public post, so treat it as disclosed and have
    # the ISP credential rotated. The follow-up reply masks it as xxxxxx.
    ppp chap user xxxxxxx
    ppp ipcp dns admit-any
    ppp ipcp dns request
    dialer bundle enable
    dialer-group 1
    dialer timer idle 0
    ip address ppp-negotiate
    packet-filter 3000 inbound
    aspf apply policy 1 outbound
    nat outbound
    # 'nat outbound' with no ACL translates all traffic leaving Dialer0 (no ACL restricts
    # the source). ACL 2000 (Nat-allow-ip-out, defined below) is not referenced here; the
    # reply's working config binds it as 'nat outbound 2000'.
    #
    interface ATM2/0
    description for_Verizon_PPPoE_ADSL
    pvc 0/35
    map bridge Virtual-Ethernet0
    #
    interface Virtual-Ethernet0
    nat outbound
    # NOTE(review): a second 'nat outbound' on the PPPoE underlay. Whether translation is
    # needed on both Virtual-Ethernet0 and Dialer0 is not shown by the post; the NAT
    # debug log only records Dialer0-out/Dialer0-in sessions. Confirm this is intended.
    pppoe-client dial-bundle-number 0
    #
    interface NULL0
    #
    interface GigabitEthernet0/0
    port link-mode route
    ip address 192.168.3.1 255.255.255.0
    #
    interface GigabitEthernet0/1
    port link-mode route
    ip address 192.168.0.252 255.255.255.0
    #
    scheduler logfile size 16
    #
    line class aux
    user-role network-admin
    #
    line class tty
    user-role network-operator
    #
    line class vty
    user-role network-operator
    #
    line aux 0
    user-role network-admin
    #
    line vty 0 4
    authentication-mode scheme
    user-role network-operator
    protocol inbound ssh
    #
    line vty 5 63
    authentication-mode scheme
    user-role network-operator
    # NOTE(review): vty 0-4 accept SSH only, but vty 5-63 set no 'protocol inbound' and
    # so fall to the default, which also permits telnet. No 'telnet server enable' appears
    # in this listing, so this is likely inert today; adding 'protocol inbound ssh' to
    # 'line vty 5 63' keeps the two ranges consistent.
    #
    ip route-static 0.0.0.0 0 Dialer0
    #
    info-center loghost 192.168.0.27
    #
    # NOTE(review): SNMP v1 is enabled alongside v3 and the read community (RDCORE) is in
    # this public post; v1 carries the community in cleartext and has no other
    # authentication. No ACL is attached to the community or the agent, so it answers on
    # every interface and from the Internet side is protected only by the packet-filter on
    # Dialer0 (ACL 3000). Consider rotating the community and, if v3 suffices, dropping
    # 'v1' from 'snmp-agent sys-info version'.
    snmp-agent
    snmp-agent local-engineid 800063A280BCEAFA2E6F5A00000001
    snmp-agent community read RDCORE
    snmp-agent sys-info version v1 v3
    snmp-agent target-host trap address udp-domain 192.168.0.23 params securityname RDCORE
    snmp-agent target-host trap address udp-domain 192.168.0.27 params securityname RDCORE
    snmp-agent trap enable arp
    snmp-agent trap enable radius
    #
    ssh server enable
    sftp server enable
    #
    ntp-service enable
    ntp-service source GigabitEthernet0/1
    ntp-service unicast-server 192.168.0.5
    ntp-service unicast-server 192.168.0.15
    #
    acl basic 2000
    description Nat-allow-ip-out
    rule 0 permit source 192.168.3.0 0.0.0.255
    #
    # ACL 3000 is the inbound packet-filter on Dialer0.
    acl advanced 3000
    description Internet-Inbound
    rule 40 permit udp destination-port eq 4500
    rule 45 permit udp destination-port eq 500
    rule 50 permit udp source-port eq bootps
    rule 55 permit udp source-port eq bootpc
    rule 60 permit gre
    rule 65 permit 50
    rule 70 permit 51
    rule 75 deny udp
    rule 80 deny tcp
    rule 85 deny icmp
    # NOTE(review): rules 50 and 55 match on source port only (bootps/bootpc), so any UDP
    # datagram arriving from port 67/68 is permitted whatever its destination port; if
    # the intent is the DHCP exchange on Dialer0, match the destination port as well.
    # There is also no closing 'deny ip': IP protocols other than udp/tcp/icmp (beyond
    # the explicit gre/50/51 permits) are left to the packet-filter default action
    # (permit on Comware 7 unless changed) - a final 'deny ip' rule makes the intent
    # explicit.
    accelerate
    #
    # NOTE(review): ACL 3001 (Internet-Outbound) is defined but not applied to any
    # interface in this listing; outbound control on Dialer0 is ASPF policy 1 only.
    acl advanced 3001
    description Internet-Outbound
    rule 0 permit tcp destination-port eq www
    rule 5 permit tcp destination-port eq 443
    rule 10 permit tcp destination-port eq dns
    rule 15 permit tcp destination-port eq 22
    rule 25 permit udp destination-port eq 80
    rule 30 permit udp destination-port eq 443
    rule 35 permit udp destination-port eq dns
    rule 45 permit udp destination-port eq 9987
    rule 50 permit tcp destination-port eq 9987
    rule 55 permit tcp destination-port eq 30033
    rule 60 permit tcp destination-port eq 993
    rule 65 permit tcp destination-port eq 995
    rule 70 permit tcp destination-port eq 587
    rule 75 permit udp destination-port eq 587
    rule 80 permit tcp destination-port eq 465
    rule 85 permit tcp destination-port eq 123
    rule 90 permit udp destination-port eq ntp
    rule 95 permit udp destination-port range 20 21
    rule 100 permit tcp destination-port range ftp-data ftp
    rule 105 permit udp destination-port eq 1900
    rule 110 permit igmp
    rule 115 permit udp destination-port eq 5351
    rule 120 permit tcp destination-port eq smtp
    rule 125 permit udp destination-port eq 25
    rule 130 permit udp destination-port eq 22
    rule 135 deny tcp
    rule 140 deny udp
    accelerate
    #
    domain system
    #
    domain default enable system
    #
    role name level-0
    description Predefined level-0 role
    #
    role name level-1
    description Predefined level-1 role
    #
    role name level-2
    description Predefined level-2 role
    #
    role name level-3
    description Predefined level-3 role
    #
    role name level-4
    description Predefined level-4 role
    #
    role name level-5
    description Predefined level-5 role
    #
    role name level-6
    description Predefined level-6 role
    #
    role name level-7
    description Predefined level-7 role
    #
    role name level-8
    description Predefined level-8 role
    #
    role name level-9
    description Predefined level-9 role
    #
    role name level-10
    description Predefined level-10 role
    #
    role name level-11
    description Predefined level-11 role
    #
    role name level-12
    description Predefined level-12 role
    #
    role name level-13
    description Predefined level-13 role
    #
    role name level-14
    description Predefined level-14 role
    #
    user-group system
    #
    local-user xxxxx class manage
    password hash $h$6$4K7+GxIhlExaIzK0$HRPv4xuybTYtIQ9tpifofZUH8vAdEhDj58n7olylbPsqgWmO+AxdQC6SjqzuNZPE6gYXjl4aG0iD6Z4A+NT7Aw==
    service-type ssh telnet
    authorization-attribute user-role network-admin
    authorization-attribute user-role network-operator
    # NOTE(review): this management account is allowed telnet as well as ssh, and it
    # carries both the network-admin and network-operator roles. The password is stored
    # hashed ('$h$6$'), but the hash is now public and can be guessed offline - rotate it.
    #
    # NOTE(review): the TR-069 (CWMP) client is enabled with no ACS settings visible in
    # this listing; an ACS can push configuration to the device, so confirm this is
    # intentional and disable it if unused.
    cwmp
    cwmp enable
    #


    #MSR
    #ADSL
    #NAT


  • 2.  RE: MSR 2003 - NAT - ADSL - NAT not working

    EMPLOYEE
    Posted Jan 25, 2017 01:15 AM

    I resolved the issue, 

    I had to set the tcp mss size to 1452 on the dialer0 interface.

    # Dialer0 after the fix. Compared with the original post: 'mtu 1492' and 'tcp mss 1452'
    # are new (PPPoE leaves 1492 bytes for IP; 1452 = 1492 - 20 IP - 20 TCP), 'nat outbound'
    # now references ACL 2000 instead of translating unconditionally, the description the
    # original showed on ATM2/0 now appears here (the ATM interface is not shown in the
    # reply), and the CHAP credentials are masked.
    interface Dialer0
    description for_Verizon_PPPoE_ADSL
    mtu 1492
    ppp chap password cipher xxxxxx
    ppp chap user xxxxx
    ppp ipcp dns admit-any
    ppp ipcp dns request
    dialer bundle enable
    dialer-group 1
    dialer timer idle 0
    ip address ppp-negotiate
    tcp mss 1452
    packet-filter 3000 inbound
    aspf apply policy 1 outbound
    nat outbound 2000

    This explained why ping would work and web browsing would work on some sites but not others.  I read on the Verizon forums and pfSense forums that setting the TCP MSS is a must for DSL connections.