[rbak-nsp] SE400 + CLIPS + NAT + ? MTU ?? problem
"Kuba" Dawid Chrzan
dawid.chrzan at pszczyna.net.pl
Tue Dec 3 12:37:50 EST 2013
Hi Rafal,
I thought I tried port-block 1 to 15.
It seems that you are right - it looks like it works.
Thanks :)
> Hello Kuba,
>
> This is because NAT starts translation from low ports like 1-1024.
> These ports are reserved on some systems.
>
> Try adding:
> ip nat pool ......
>
> address (your public ip) port-block 1 to 15
>
>
>
> Tuesday, December 3, 2013, 4:00:18 PM, you wrote:
>
>> Hi
>
>> I set up clips context on SE400
>> Redback Networks SmartEdge OS Version SEOS-6.2.1.9.46-Release
>
>> and all is running more or less OK - except some websites.
>
>> http://www.speedtest.pl/ or http://yahoo.com cannot be displayed.
>> I cannot figure out what is wrong. It looks like an MTU problem - but how
>> can it be an MTU problem in CLIPS?
>
>> When I switch the user to an external IP address - not using NAT - everything
>> works PERFECT.
>
>
>> I had the same problem in the PPPoE context but it was solved using
>> interface LAN_PPPOE multibind
>> ip address 10.192.255.254/16
>> ip mtu 1460
>> ip clear-df
>> ip tcp mss replace 1420
>
>
>
>
>> Anyone have any ideas - please?
>
>
>> context CLIPS
>> !
>> no ip domain-lookup
>> !
>> ip nat pool NAT_POOL napt multibind
>> address 199.189.55.161/32 port-block 0 to 15
>> !
>> ip nat pool NAT_POOL_2 napt multibind
>> address 199.189.55.162/32 port-block 0 to 15
>
>
>
>> nat policy nat-policy
>> ! Default class
>> ignore
>> endpoint-independent filtering udp
>> ! Named classes
>> access-group ACL_NAT
>> class ACL_NAT10
>> pool NAT_POOL CLIPS
>> timeout tcp 3600
>> timeout udp 60
>> timeout fin-reset 60
>> timeout icmp 30
>> timeout syn 60
>> admission-control tcp
>> admission-control udp
>> admission-control icmp
>> endpoint-independent filtering udp
>> class NO_NAT
>> ignore
>> class DNAT_53
>> pool NAT_POOL CLIPS
>> destination 8.8.8.8
>> class ACL_NAT20
>> pool NAT_POOL_2 CLIPS
>> timeout tcp 3600
>> timeout udp 60
>> timeout fin-reset 60
>> timeout icmp 30
>> timeout syn 60
>> admission-control tcp
>> admission-control udp
>> admission-control icmp
>> endpoint-independent filtering udp
>
>
>> interface LAN multibind
>> description CLIPS LAN
>> ip address 10.99.255.254/16
>> dhcp server interface
>> ip arp proxy-arp
>
>> interface EXT-LAN multibind
>> description CLIPS EXTERNAL ADDRESSES
>> ip address 194.183.55.185/29
>> dhcp server interface
>> ip clear-df
>
>
>> interface loopCLIPS loopback
>> ip address 199.189.55.132/32
>> ip source-address radius
>> no logging console
>> !
>
>
>
>> policy access-list ACL_NAT
>> seq 1 permit ip 10.99.0.0 0.0.255.255 host 66.66.66.66 class NO_NAT
>> seq 10 permit ip 10.99.0.0 0.0.0.255 any class ACL_NAT10
>> seq 20 permit ip 10.99.1.0 0.0.0.255 any class ACL_NAT20
>
>
>
>> subscriber default
>> port-limit 1
>> qos policy policing PPPoE_upload
>> qos policy metering PPPoE_download
>> nat policy-name nat-policy
>> dhcp max-addrs 1
>> dns primary 8.8.8.8
>> dns secondary 8.8.4.4
>> session-limit agent-remote-id 1
>
>
>> ip route 0.0.0.0/0 context BGP
>> service telnet client
>> !
>
>
>> dhcp server policy
>> nak-on-subnet-deletion
>> offer-lease-time 300
>> default-lease-time 180
>> maximum-lease-time 180
>> subnet 10.99.0.0/16
>> range 10.99.0.100 10.99.255.100
>> option subnet-mask 255.255.0.0
>> option router 10.99.255.254
>> option domain-name-server 8.8.8.8
>
>> subnet 199.189.55.184/29
>> range 1 199.189.55.186 194.183.55.190
>> option subnet-mask 255.255.255.248
>> option router 199.189.55.185
>> option domain-name-server 8.8.8.8
>
>
>
--
Regards
"Kuba" Dawid Chrzan
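
Added example (not part of the original thread, and not vendor code): a small Python check for the fix discussed above, flagging NAPT pool addresses whose `port-block` range starts at block 0 and suggesting the form starting at block 1. The sample configuration is constructed, and the even split of 65536 ports into 16 blocks of 4096 is an assumption.

```python
import re

# Constructed sample modelled on the NAT pool stanzas quoted in this thread.
SAMPLE_CONFIG = """\
context CLIPS
!
ip nat pool NAT_POOL napt multibind
address 199.189.55.161/32 port-block 0 to 15
!
ip nat pool NAT_POOL_2 napt multibind
address 199.189.55.162/32 port-block 1 to 15
!
interface LAN multibind
ip address 10.99.255.254/16
"""

POOL_RE = re.compile(r"^\s*ip nat pool (\S+)")
ADDR_RE = re.compile(r"^\s*address (\S+) port-block (\d+) to (\d+)\s*$")
# Assumption: the 65536 ports of an address are split evenly over blocks 0-15.
PORTS_PER_BLOCK = 65536 // 16


def audit_napt_pools(config_text):
    """Return a finding for every pool address whose range includes block 0."""
    findings, pool = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.lstrip("> ").rstrip()   # tolerate mail quoting prefixes
        if line.startswith("!"):
            pool = None                    # '!' ends the current stanza
            continue
        m = POOL_RE.match(line)
        if m:
            pool = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if not (pool and m):
            continue                       # e.g. interface "ip address" lines
        address, first, last = m.group(1), int(m.group(2)), int(m.group(3))
        if first == 0:
            # Block 0 holds the lowest ports, which the reply says to avoid.
            findings.append({
                "line": lineno,
                "pool": pool,
                "address": address,
                "low_ports": (0, PORTS_PER_BLOCK - 1),
                "suggested": f"address {address} port-block 1 to {last}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_napt_pools(SAMPLE_CONFIG):
        print(f"line {f['line']}: pool {f['pool']} includes block 0; use: {f['suggested']}")
```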