Thursday, August 30, 2018

Cisco 819 seemingly blocking random services

I have a Cisco 819 with a Verizon SIM card in it and have it set up to be transparent to hand off to a Meraki network. We seem to have connection to the site and I am able to VPN in, but some web pages are not working, and external services, like Slack and socket comms, seem to be not working.

For instance, I can go to bing.com and search and that works, but can't go to some URLs like yahoo.com. I am able to ping yahoo.com and get DNS resolution, and when I try to use that IP the site still times out. Doesn't appear to be a DNS issue. Wondering if anyone here can help me out and check over my config to see if maybe it's something in here doing it? The only thing that changed at this site was moving over to this box instead of using a USB stick modem in the MX.

Thanks

Current configuration : 8936 bytes
!
! Last configuration change at 17:54:40 UTC Thu Aug 30 2018 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1840704989
 revocation-check none
 rsakeypair TP-self-signed-1840704989
!
!
crypto pki certificate chain TP-self-signed-1840704989
 certificate self-signed 01
  #####
  quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username admin privilege 15 secret 5 password
!
redundancy
 notification-timer 120000
!
!
!
!
!
controller Cellular 0
 lte sim data-profile 1 attach-profile 1 slot 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 description ### always-on interface ###
 ip address 1.2.3.9 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Cellular0
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer string ltescript
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static 10.0.0.2 interface Cellular0
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
!
!
!
!
end
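As an added illustration that is not part of the original post: a small Python script that parses the class-map and policy-map section of an IOS zone-based firewall config like the one above and reports, for a given NBAR protocol name, which policy class catches it and whether it is inspected or dropped by class-default. It runs on a constructed excerpt of the config; the `match access-group` criteria are assumed to permit everything (the referenced object-groups are all `any`) and are left out of the excerpt.

```python
import re
# Constructed excerpt of the zone-based firewall section of the config in the post.
# Its 'match access-group' lines are omitted here on the assumption that they never
# exclude traffic: Others_acl and Web_acl permit any/any through their object-groups.
ZBF_CONFIG = """class-map type inspect match-any Others_app
 match protocol https
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
class-map type inspect match-all Web
 match class-map Web_app
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class class-default
  drop log"""

def parse_zbf(text):
    """Return ({class-map: {op, protocols, classes}}, [[class, action], ...])."""
    class_maps, policy, cur = {}, [], None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)", line):
            cur = class_maps[m.group(2)] = {"op": m.group(1), "protocols": set(), "classes": []}
        elif line.startswith("policy-map type inspect"):
            cur = policy  # following 'class ...' and action lines belong to the policy-map
        elif isinstance(cur, dict) and line.startswith("match protocol "):
            cur["protocols"].add(words[2])
        elif isinstance(cur, dict) and line.startswith("match class-map "):
            cur["classes"].append(words[2])
        elif cur is policy and words and words[0] == "class":
            policy.append([words[-1], None])  # 'class type inspect X' / 'class class-default'
        elif cur is policy and words and words[0] in ("inspect", "pass", "drop"):
            policy[-1][1] = words[0]
    return class_maps, policy

def class_matches(class_maps, name, proto):
    """Does NBAR protocol `proto` hit class-map `name`? Nested class-maps recurse."""
    cm = class_maps[name]
    checks = [proto in cm["protocols"]] if cm["protocols"] else []
    checks += [class_matches(class_maps, c, proto) for c in cm["classes"]]
    return all(checks) if cm["op"] == "match-all" else any(checks)
def verdict(class_maps, policy, proto):
    """Walk the policy-map top down; return (class, action) for traffic NBAR calls `proto`."""
    for name, action in policy:
        if name == "class-default" or class_matches(class_maps, name, proto):
            return name, action
```

Feeding `verdict` the NBAR names of the applications that fail (anything not classified as http or one of the Others_app protocols lands in `class-default` with `drop log`) is a quick way to check whether the LAN-WAN policy is the cause before looking at NAT or the cellular link.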


