Site to Site VPN MTU issue?

Discussion in 'Hardware' started by chary, Aug 27, 2008.

chary (joined Aug 26, 2008, 3 messages):
    I am in desperate need of help with getting my Cisco 1841 router up. Packets are taking forever to reassemble, and SMTP packets from our other site are dropping or stuck in the queues. Here is an example of my config file. The bolded lines are the ones that I am unsure of. Please, someone help! Any help will be greatly appreciated.

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router1
    !
    boot-start-marker
    boot-end-marker
    !
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$eBQ7uI.Dd1
    !
    aaa new-model
    !
    !
    aaa authentication login vpnauth group radius
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa authorization network vpnauth group radius
    !
    aaa session-id common
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name work.com
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips sdf location flash://128MB.sdf autosave
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    vpdn enable
    vpdn multihop
    vpdn logging
    vpdn logging user
    vpdn logging tunnel-drop
    vpdn search-order multihop-hostname
    !
    vpdn-group PPTPGroup
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 10
    !
    !
    async-bootp subnet-mask 255.255.255.0
    async-bootp dns-server 10.0.1.10 10.4.0.10
    async-bootp nbns-server 10.0.1.10
    !
    crypto pki trustpoint TP-self-signed-741827296
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-741827296
    revocation-check none
    rsakeypair TP-self-signed-741827296
    !
    !
    crypto pki certificate chain TP-self-signed-741827296
    certificate self-signed 01
    3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    DC36E828 43FBAA53 8EA5B7A8 86F92FD0 A0F24368 D12279A1 FF489726 2ECD928D
    D4E3A9F2 D44E84CB 78286F08 E3442FA0 111CAC
    quit
    username user privilege 15 secret 5 $1EySi.khBjKM/I.
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    !
    crypto isakmp policy 11
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key ****** address 64.7.7.71
    crypto isakmp key ****** address 68.34.26.98
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set myset3des esp-3des esp-md5-hmac
    !
    crypto map newmap 10 ipsec-isakmp
    set peer 64.7.7.71
    set security-association lifetime seconds 86400
    set transform-set myset
    match address 101
    crypto map newmap 11 ipsec-isakmp
    set peer 68.34.26.98
    set security-association lifetime seconds 86400
    set transform-set myset3des
    match address 102
    !
    !
    !
    interface Loopback23
    ip address 1.1.1.1 255.255.255.252
    no ip proxy-arp
    ip virtual-reassembly max-reassemblies 128 timeout 6
    ip route-cache flow
    !
    interface FastEthernet0/0
    description outside$ETH-LAN$$FW_OUTSIDE$
    ip address 71.92.33.44 255.255.255.248
    ip access-group 103 in
    ip verify unicast reverse-path
    no ip proxy-arp
    ip mtu 1270
    ip nat outside
    ip inspect SDM_LOW out
    ip ips sdm_ips_rule out
    ip virtual-reassembly max-reassemblies 128 timeout 6
    ip route-cache flow
    speed 100
    full-duplex
    no keepalive
    no mop enabled
    crypto map newmap
    !
    interface FastEthernet0/1
    description inside$FW_INSIDE$
    ip address 10.0.1.1 255.255.255.0
    ip access-group 104 in
    no ip proxy-arp
    ip mtu 1270
    ip nat inside
    ip ips sdm_ips_rule in
    ip virtual-reassembly max-reassemblies 128 timeout 6
    ip route-cache flow
    ip policy route-map NO_NAT_ROUTE
    speed 100
    full-duplex
    no mop enabled
    !
    interface Serial0/0/0
    no ip address
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    interface Virtual-Template10
    ip unnumbered FastEthernet0/0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly max-reassemblies 128 timeout 6
    ip route-cache flow
    peer default ip address pool ippool
    ppp encrypt mppe 128 passive
    ppp authentication ms-chap ms-chap-v2
    !
    ip local pool ippool 10.3.1.10 10.3.1.150
    ip route 0.0.0.0 0.0.0.0 71.92.33.43
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool GLOBALNAT 71.92.33.45 71.92.33.45 netmask 255.255.255.248
    ip nat inside source route-map SDM_RMAP_1 pool GLOBALNAT overload
    ip nat inside source static 10.0.1.12 71.92.33.46
    ip nat inside source static 10.0.1.11 71.92.33.48
    ip nat inside source static tcp 10.0.1.10 25 71.92.33.47 25 extendable
    !
    logging trap debugging
    logging 10.0.0.10
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 101 permit ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 102 remark SDM_ACL Category=20
    access-list 102 permit ip 10.0.0.0 0.0.255.255 10.4.0.0 0.0.255.255
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit tcp any host 71.92.33.45 eq smtp
    access-list 103 permit tcp any host 71.92.33.45 eq 443
    access-list 103 permit tcp any host 71.92.33.45 eq www
    access-list 103 permit tcp any host 71.92.33.47 eq www
    access-list 103 permit tcp any host 71.92.33.47 eq 443
    access-list 103 permit tcp any host 71.92.33.47 eq smtp
    access-list 103 permit tcp any host 71.92.33.48 eq ftp
    access-list 103 permit tcp any host 71.92.33.48 eq ftp-data
    access-list 103 permit tcp any host 71.92.33.48 eq 3389
    access-list 103 permit tcp any host 71.92.33.48 eq www
    access-list 103 permit tcp any host 71.92.33.48 eq 443
    access-list 103 permit tcp any host 71.92.33.46 eq www
    access-list 103 permit ahp host 64.7.7.71 host 71.92.33.44
    access-list 103 permit esp host 64.7.7.71 host 71.92.33.44
    access-list 103 permit udp host 64.7.7.71 host 71.92.33.44 eq isakmp
    access-list 103 permit udp host 64.7.7.71 host 71.92.33.44 eq non500-isakmp
    access-list 103 permit ahp host 68.34.26.98 host 71.92.33.44
    access-list 103 permit esp host 68.34.26.98 host 71.92.33.44
    access-list 103 permit udp host 68.34.26.98 host 71.92.33.44 eq isakmp
    access-list 103 permit ip 69.44.232.0 0.0.0.255 host 71.92.33.45
    access-list 103 permit udp host 68.34.26.98 host 71.92.33.44 eq non500-isakmp
    access-list 103 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    access-list 103 permit ip 10.2.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    access-list 103 permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    access-list 103 permit icmp any host 71.92.33.44 echo-reply
    access-list 103 permit icmp any host 71.92.33.44 time-exceeded
    access-list 103 permit icmp any host 71.92.33.44 unreachable
    access-list 103 permit tcp any host 71.92.33.44 eq 138
    access-list 103 permit tcp any host 71.92.33.44 eq 1723
    access-list 103 permit gre any host 71.92.33.44
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip host 0.0.0.0 any
    access-list 103 deny ip any any log
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 deny ip 71.92.33.42 0.0.0.7 any
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit ip any any
    access-list 130 remark SDM_ACL Category=18
    access-list 130 deny ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 130 deny ip 10.0.0.0 0.0.255.255 10.4.0.0 0.0.255.255
    access-list 130 deny ip 10.0.0.0 0.0.255.255 10.3.0.0 0.0.255.255
    access-list 130 permit ip 10.0.0.0 0.0.255.255 any
    access-list 131 permit ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 131 permit ip 10.0.0.0 0.0.255.255 10.3.0.0 0.0.255.255
    access-list 131 permit ip 10.0.0.0 0.0.255.255 10.4.0.0 0.0.255.255
    no cdp run
    !
    route-map NO_NAT_ROUTE permit 1
    match ip address 131
    set ip next-hop 1.1.1.2
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 130
    !
    !
    !
    radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 7 1511021F07251B051B0064
    radius-server authorization default Framed-Protocol ppp
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    chary, Aug 27, 2008, #1
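The thread title asks about MTU on a site-to-site IPsec tunnel, and the posted config carries the two pieces of information needed to answer that arithmetically: the transform sets (`esp-des esp-md5-hmac` and `esp-3des esp-md5-hmac`) and the `ip mtu 1270` lines. The Python below is an added example, not part of chary's post and not Cisco code. It models RFC 2406 ESP framing in tunnel mode (the IOS default when no `mode transport` line follows the transform set): a 20-byte outer IPv4 header, 8-byte SPI/sequence header, cipher IV, padding to the cipher block size, the 2-byte pad-length/next-header trailer and a 96-bit truncated HMAC. From that it derives, for each transform set in a config snippet, the largest inner packet that still fits a 1500-byte path MTU and the matching `ip tcp adjust-mss` value. The `POSTED_TRANSFORM_SETS` string copies the two transform-set lines from the post; the NAT-T flag, the 1500-byte path MTU and the dictionary of IOS transform names are assumptions of this example.

```python
"""IPsec ESP tunnel-mode overhead calculator for IOS transform sets.

Added example, not from the thread. Models ESP (RFC 2406) in tunnel mode
over IPv4: outer IP header, SPI + sequence, IV, block padding, 2-byte
trailer and a 96-bit ICV. Transport mode and IPv6 are out of scope.
"""
import math
import re

# (IV length, cipher block size) in bytes for IOS ESP encryption transforms.
CIPHERS = {
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
    "esp-aes 192": (16, 16),
    "esp-aes 256": (16, 16),
    "esp-null": (0, 4),   # no IV; ESP still pads to 4-byte alignment
}
# Both IOS HMAC transforms emit a 96-bit (12-byte) truncated ICV.
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, None: 0}

OUTER_IPV4 = 20
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
NAT_T_UDP = 8       # extra UDP/4500 header when NAT traversal is in use
TCP_IP_HEADERS = 40 # IPv4 + TCP without options


def esp_tunnel_size(inner_len, cipher, auth, nat_t=False):
    """Bytes on the wire after encapsulating an inner_len-byte IP packet."""
    iv, block = CIPHERS[cipher]
    # Plaintext plus trailer is padded up to a whole number of cipher blocks.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
            + ESP_HEADER + iv + encrypted + ICV[auth])


def max_inner_mtu(path_mtu, cipher, auth, nat_t=False):
    """Largest inner packet whose encapsulation still fits in path_mtu."""
    inner = path_mtu
    while esp_tunnel_size(inner, cipher, auth, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(inner_mtu):
    """Value for `ip tcp adjust-mss`: inner MTU minus IPv4 + TCP headers."""
    return inner_mtu - TCP_IP_HEADERS


def parse_transform_sets(config_text):
    """Map transform-set name -> (cipher, auth) from IOS config text."""
    result = {}
    pattern = r"^\s*crypto ipsec transform-set (\S+)\s+(.+)$"
    for m in re.finditer(pattern, config_text, re.M):
        name, tokens = m.group(1), m.group(2).split()
        cipher, auth = None, None
        for tok in tokens:
            if tok.isdigit() and cipher:   # "esp-aes 256" keeps its key size
                cipher = f"{cipher} {tok}"
            elif tok in CIPHERS:
                cipher = tok
            elif tok in ICV:
                auth = tok
        result[name] = (cipher, auth)
    return result


def recommend(config_text, path_mtu=1500, nat_t=False):
    """Per transform set: the `ip mtu` / `ip tcp adjust-mss` pair that avoids
    post-encryption fragmentation at the given path MTU."""
    out = {}
    for name, (cipher, auth) in parse_transform_sets(config_text).items():
        mtu = max_inner_mtu(path_mtu, cipher, auth, nat_t)
        out[name] = {
            "ip mtu": mtu,
            "adjust-mss": tcp_mss_clamp(mtu),
            "full_packet_on_wire": esp_tunnel_size(path_mtu, cipher, auth, nat_t),
        }
    return out


# The two transform-set lines exactly as they appear in the posted config.
POSTED_TRANSFORM_SETS = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset3des esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for name, r in recommend(POSTED_TRANSFORM_SETS).items():
        print(f"{name}: a 1500-byte inner packet becomes "
              f"{r['full_packet_on_wire']} bytes on the wire; "
              f"'ip mtu {r['ip mtu']}' / 'ip tcp adjust-mss {r['adjust-mss']}' "
              f"keeps it under a 1500-byte path MTU")
```

For both DES and 3DES with MD5 the calculator gives an inner MTU of 1446 (1438 if NAT-T adds its UDP header), well above the 1270 in the posted config; a lower `ip mtu` is not harmful to the tunnel but does force every full-size LAN packet to be fragmented before encryption, which is exactly the kind of reassembly load the post describes. The arithmetic only covers post-encryption fragmentation: confirm it on the box with an extended ping across the tunnel (`ping 10.4.0.10 size 1500 df-bit`) and the fragment counters in `show ip traffic`, and check `show crypto ipsec sa` for encaps/decaps errors before changing the MTU values.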