
MSR 2003 - NAT - ADSL - NAT not working

Paul Kurtz
HPE Pro

Hi, 

I have an MSR2003 using an ADSL SIC connected to Verizon DSL, and I have got PPPoE to work, but it seems like I can only get to some HTTP/HTTPS sites. FTP outbound seems to work with the ASPF policy. Here is my config below. Any tips would be great. Thanks.

I can ping www.google.com and other sites with no problem from router or client running on the 192.168.3.0 network.

- using NAT PAT (dynamic IP on the Dialer0 interface)
- ACL 2000 to select traffic for NAT
- ASPF policy 1 for outbound
- ACL 3000 to filter inbound from the internet

Log of NAT session

*Jan 23 15:11:29:109 2017 nkpa-r1 NAT/7/COMMON:
PACKET: (Dialer0-out) Protocol: TCP
192.168.3.50:37192 - 107.23.165.43: 443(VPN: 0) ------>
108.32.26.102: 1582 - 107.23.165.43: 443(VPN: 0)
*Jan 23 15:11:29:157 2017 nkpa-r1 NAT/7/COMMON:
PACKET: (Dialer0-in) Protocol: TCP
107.23.165.43: 443 - 108.32.26.102: 1582(VPN: 0) ------>
107.23.165.43: 443 - 192.168.3.50:37192(VPN: 0)

Current Config

show current-configuration
#
version 7.1.064, Release 0411
#
sysname nkpa-r1
#
clock timezone EST minus 05:00:00
clock protocol ntp
#
aspf policy 1
detect dns
detect ftp
detect http
detect smtp
icmp-error drop
tcp syn-check
#
dialer-group 1 rule ip permit
#
undo ip fast-forwarding load-sharing
#
dhcp enable
#
dns proxy enable
dns source-interface Dialer0
dns server 71.252.0.14
dns server 71.250.0.14
#
password-recovery enable
#
vlan 1
name core
#
vlan 2
name home
#
vlan 3
name guest
#
dhcp server ip-pool guest
gateway-list 192.168.3.1
network 192.168.3.0 mask 255.255.255.0
address range 192.168.3.50 192.168.3.60
dns-list 192.168.3.1
#
controller Cellular0/0
#
interface Aux0
#
interface Dialer0
ppp chap password cipher $c$3$SzZIw11kCnsraIP7J/y3vEyyCrO6GgalkCF0XesGvQ==
ppp chap user xxxxxxx
ppp ipcp dns admit-any
ppp ipcp dns request
dialer bundle enable
dialer-group 1
dialer timer idle 0
ip address ppp-negotiate
packet-filter 3000 inbound
aspf apply policy 1 outbound
nat outbound
#
interface ATM2/0
description for_Verizon_PPPoE_ADSL
pvc 0/35
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
nat outbound
pppoe-client dial-bundle-number 0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.0.252 255.255.255.0
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-operator
protocol inbound ssh
#
line vty 5 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0
#
info-center loghost 192.168.0.27
#
snmp-agent
snmp-agent local-engineid 800063A280BCEAFA2E6F5A00000001
snmp-agent community read RDCORE
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 192.168.0.23 params securityname RDCORE
snmp-agent target-host trap address udp-domain 192.168.0.27 params securityname RDCORE
snmp-agent trap enable arp
snmp-agent trap enable radius
#
ssh server enable
sftp server enable
#
ntp-service enable
ntp-service source GigabitEthernet0/1
ntp-service unicast-server 192.168.0.5
ntp-service unicast-server 192.168.0.15
#
acl basic 2000
description Nat-allow-ip-out
rule 0 permit source 192.168.3.0 0.0.0.255
#
acl advanced 3000
description Internet-Inbound
rule 40 permit udp destination-port eq 4500
rule 45 permit udp destination-port eq 500
rule 50 permit udp source-port eq bootps
rule 55 permit udp source-port eq bootpc
rule 60 permit gre
rule 65 permit 50
rule 70 permit 51
rule 75 deny udp
rule 80 deny tcp
rule 85 deny icmp
accelerate
#
acl advanced 3001
description Internet-Outbound
rule 0 permit tcp destination-port eq www
rule 5 permit tcp destination-port eq 443
rule 10 permit tcp destination-port eq dns
rule 15 permit tcp destination-port eq 22
rule 25 permit udp destination-port eq 80
rule 30 permit udp destination-port eq 443
rule 35 permit udp destination-port eq dns
rule 45 permit udp destination-port eq 9987
rule 50 permit tcp destination-port eq 9987
rule 55 permit tcp destination-port eq 30033
rule 60 permit tcp destination-port eq 993
rule 65 permit tcp destination-port eq 995
rule 70 permit tcp destination-port eq 587
rule 75 permit udp destination-port eq 587
rule 80 permit tcp destination-port eq 465
rule 85 permit tcp destination-port eq 123
rule 90 permit udp destination-port eq ntp
rule 95 permit udp destination-port range 20 21
rule 100 permit tcp destination-port range ftp-data ftp
rule 105 permit udp destination-port eq 1900
rule 110 permit igmp
rule 115 permit udp destination-port eq 5351
rule 120 permit tcp destination-port eq smtp
rule 125 permit udp destination-port eq 25
rule 130 permit udp destination-port eq 22
rule 135 deny tcp
rule 140 deny udp
accelerate
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user xxxxx class manage
password hash $h$6$4K7+GxIhlExaIzK0$HRPv4xuybTYtIQ9tpifofZUH8vAdEhDj58n7olylbPsqgWmO+AxdQC6SjqzuNZPE6gYXjl4aG0iD6Z4A+NT7Aw==
service-type ssh telnet
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
cwmp
cwmp enable
#

I am a HPE Employee
Paul Kurtz
HPE Pro
Solution

Re: MSR 2003 - NAT - ADSL - NAT not working

I resolved the issue.

I had to set the TCP MSS size to 1452 on the Dialer0 interface.

interface Dialer0
description for_Verizon_PPPoE_ADSL
mtu 1492
ppp chap password cipher xxxxxx
ppp chap user xxxxx
ppp ipcp dns admit-any
ppp ipcp dns request
dialer bundle enable
dialer-group 1
dialer timer idle 0
ip address ppp-negotiate
tcp mss 1452
packet-filter 3000 inbound
aspf apply policy 1 outbound
nat outbound 2000

This explained why ping would work and web browsing would work on some sites and not others. I read up on the Verizon forums and pfSense forums that setting the TCP MSS size was a must for DSL connections.

I am a HPE Employee
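The two numbers in the fix follow from the link framing: PPPoE costs 8 bytes of a 1500-byte Ethernet frame, so the interface MTU is 1492, and subtracting 40 bytes of IPv4 and TCP headers gives the 1452 MSS. The following is an added example (not the poster's code or Comware's implementation) that derives those values and imitates what a `tcp mss` clamp does to a SYN crossing the interface; the overhead figures, header sizes and the sample SYN (built from the ports in the NAT log) are my assumptions, not taken from the thread.

```python
"""Added example (not the poster's or Comware's code): derive the MSS the reply
configures and mimic what a `tcp mss` clamp does to a TCP SYN passing through.
Assumptions (mine): PPPoE adds 8 bytes to a 1500-byte Ethernet MTU; IPv4 and TCP
headers are 20 bytes each (no IP options)."""
import struct

PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = TCP_HEADER = 20
MSS_OPTION_KIND = 2

def pppoe_mtu(ethernet_mtu=1500):
    return ethernet_mtu - PPPOE_OVERHEAD           # 1500 - 8 = 1492 (`mtu 1492`)

def mss_for_mtu(mtu):
    return mtu - IPV4_HEADER - TCP_HEADER           # 1492 - 40 = 1452 (`tcp mss 1452`)

def _mss_value_offset(tcp_header):
    """Walk the TCP options; return the byte offset of the MSS value, or None."""
    i, end = TCP_HEADER, (tcp_header[12] >> 4) * 4   # options start / header length
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                          # end of option list
            return None
        if kind == 1:                          # NOP padding, single byte
            i += 1
            continue
        length = tcp_header[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None

def read_mss(tcp_header):
    off = _mss_value_offset(tcp_header)
    return None if off is None else struct.unpack_from("!H", tcp_header, off)[0]

def clamp_syn_mss(tcp_header, max_mss):
    """Copy of a SYN with its MSS lowered to max_mss; checksum not recomputed here."""
    if not tcp_header[13] & 0x02:              # only SYN segments carry MSS
        return tcp_header
    off = _mss_value_offset(tcp_header)
    if off is None or struct.unpack_from("!H", tcp_header, off)[0] <= max_mss:
        return tcp_header
    hdr = bytearray(tcp_header)
    struct.pack_into("!H", hdr, off, max_mss)
    return bytes(hdr)

def build_syn(mss, flags=0x02):
    """Constructed sample: 24-byte TCP header 37192 -> 443 (ports from the NAT log)."""
    base = struct.pack("!HHIIBBHHH", 37192, 443, 0, 0, 6 << 4, flags, 65535, 0, 0)
    return base + struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
```

The posted config also discards ICMP arriving on Dialer0 (ACL 3000 rule 85 deny icmp, plus `icmp-error drop` in the ASPF policy), so ICMP Fragmentation Needed messages from upstream routers never reach the LAN clients and path MTU discovery cannot recover from the 1492-byte link; clamping the MSS at the router removes that dependence.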