Solved

Cisco 877 blocking some websites

Posted on 2009-04-13
Last Modified: 2012-05-06
I have a Cisco 877W which I have set up and it connects to the internet, and the wireless seems to work fine. BUT some web sites are blocked, for instance experts-exchange.com, and some web sites only partly load, e.g. bbc.co.uk. I am new to Ciscos and I have trawled through loads of web sites looking for similar problems but to no avail. Anyway, I set up the router through SDM and its wizards. So could someone look through my running log and tell me where I'm going wrong. Many thanks.
Building configuration...
 
Current configuration : 8067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
! 
!
!
crypto pki trustpoint TP-self-signed-3225135223
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3225135223
 revocation-check none
 rsakeypair TP-self-signed-3225135223
!
!
crypto pki certificate chain TP-self-signed-3225135223
 certificate self-signed 01
  	quit
!
dot11 ssid hardware
   vlan 1
   authentication open 
   guest-mode
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.19
ip dhcp excluded-address 192.168.10.250 192.168.10.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1 
   dns-server 193.36.79.100 80.10.246.1 
   lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 193.36.79.100
ip name-server 80.10.246.1
ip name-server 198.6.1.2
!
!
!
username Admin privilege 15 secret 5 $1$L/uf$1tv6MWiDHgAvIJslmqVu..
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
 match access-group name anyall
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-any all
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map all
 match access-group name all
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 key 1 size 40bit 0 ******* transmit-key
 encryption vlan 1 mode wep mandatory 
 !
 ssid hardware
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ********@fs
 ppp chap password 0 *****
 ppp pap sent-username *****@fs password 0 ******
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 0.0.0.0 0.0.0.0 91.109.64.1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended all
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended anyall
 remark SDM_ACL Category=128
 permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use. 
 
For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
 
!
webvpn cef
end

Question by:itseasysolutions
4 Comments
 
LVL 8

Expert Comment

by:Sniper98G
ID: 24130242
My guess is that you have used the SDM firewall wizard and told it to use the "high" security level. By default this level will inspect the packets for compliance. If the packet does not meet certain standards of how the router thinks the packet should be formed, it gets dropped. Since you say you are not especially familiar with Cisco, I would say the easiest way to resolve this would be to use the SDM to clear out your current firewall configuration and rerun the wizard with medium or low security levels. Medium will still inspect the traffic, but if there is a problem it will log it instead of dropping it.
 

Author Comment

by:itseasysolutions
ID: 24130283
Hi,
I have used the SDM firewall wizard and set the security level to low. I have run the wizard several times and done a factory reset on the router and still have the same problems. Is there a CLI command to allow malformed or fragmented packets through, as this feels like the source of the problem?
 
LVL 10

Accepted Solution

by: atlas_shuddered (earned 500 total points)
ID: 24131886
You may want to look at changing the MSS (Maximum Segment Size) as this is a common issue with Cisco equipment leading to site load failures.

ip tcp adjust-mss xxxx - where x is the segment size set 40 bytes lower than the MTU size on the network.
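The MSS clamp the accepted answer recommends, shown as added example code (not from this thread and not Cisco's implementation): it walks the TCP option list of a SYN and lowers any advertised MSS above MTU minus 40 bytes, which is what `ip tcp adjust-mss` does to SYNs crossing the interface. The sample option bytes and the 1492-byte link MTU are constructed assumptions for illustration.

```python
import struct
from typing import Optional, Tuple

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample: a typical client SYN option block carrying MSS 1460,
# SACK-permitted, two NOPs and window scale 7 (not captured from the poster's LAN).
SAMPLE_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 1, 3, 3, 7])
ASSUMED_LINK_MTU = 1492  # assumed PPP link MTU, for illustration only


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits the MTU: the answer's 'MTU minus 40 bytes'."""
    return mtu - IPV4_TCP_HEADERS


def clamp_mss_options(options: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Walk a SYN's TCP option list and lower any MSS option (kind 2) that
    advertises more than max_mss, leaving every other option untouched.
    Returns (rewritten options, MSS originally advertised or None if absent)."""
    out = bytearray(options)
    i, advertised = 0, None
    while i < len(out):
        kind = out[i]
        if kind == 0:        # End-of-option-list: nothing further to parse
            break
        if kind == 1:        # NOP padding: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option header")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == 2 and length == 4:
            advertised = struct.unpack_from("!H", out, i + 2)[0]
            if advertised > max_mss:
                struct.pack_into("!H", out, i + 2, max_mss)
        i += length
    return bytes(out), advertised


def clamp_syn_for_link(options: bytes, mtu: int) -> dict:
    """Apply the clamp for a given link MTU and report what changed."""
    target = mss_for_mtu(mtu)
    new_opts, advertised = clamp_mss_options(options, target)
    return {"target_mss": target, "advertised_mss": advertised,
            "rewritten": new_opts != options, "options": new_opts}


if __name__ == "__main__":
    print(clamp_syn_for_link(SAMPLE_SYN_OPTIONS, ASSUMED_LINK_MTU))
```

A SYN that advertises no MSS option is left alone, and one already below the target is not raised, matching the one-directional behaviour of the router command.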
 

Author Comment

by:itseasysolutions
ID: 24145690
Sorry I haven't got back sooner, I had to go away for a day. I have found out that it is something to do with the wireless being set up. I have reset (factory) the router and reconfigured it with the firewall set to low and all works fine until I configure the wireless, and then the router goes back to blocking some web pages etc. The router does this to both the wireless LAN and the wired LAN. So any ideas on how to set up the wireless LAN without it messing up the wired LAN?
